CVE-2024-26680 in Linuxinfo

Summary

by MITRE • 04/02/2024

In the Linux kernel, the following vulnerability has been resolved:

net: atlantic: Fix DMA mapping for PTP hwts ring

Function aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes for PTP HWTS ring but then generic aq_ring_free() does not take this into account. Create and use a specific function to free HWTS ring to fix this issue.

Trace: [ 215.351607] ------------[ cut here ]------------
[ 215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes]
[ 215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360
... [ 215.581176] Call Trace:
[ 215.583632]
[ 215.585745] ? show_trace_log_lvl+0x1c4/0x2df
[ 215.590114] ? show_trace_log_lvl+0x1c4/0x2df
[ 215.594497] ? debug_dma_free_coherent+0x196/0x210
[ 215.599305] ? check_unmap+0xa6f/0x2360
[ 215.603147] ? __warn+0xca/0x1d0
[ 215.606391] ? check_unmap+0xa6f/0x2360
[ 215.610237] ? report_bug+0x1ef/0x370
[ 215.613921] ? handle_bug+0x3c/0x70
[ 215.617423] ? exc_invalid_op+0x14/0x50
[ 215.621269] ? asm_exc_invalid_op+0x16/0x20
[ 215.625480] ? check_unmap+0xa6f/0x2360
[ 215.629331] ? mark_lock.part.0+0xca/0xa40
[ 215.633445] debug_dma_free_coherent+0x196/0x210
[ 215.638079] ? __pfx_debug_dma_free_coherent+0x10/0x10
[ 215.643242] ? slab_free_freelist_hook+0x11d/0x1d0
[ 215.648060] dma_free_attrs+0x6d/0x130
[ 215.651834] aq_ring_free+0x193/0x290 [atlantic]
[ 215.656487] aq_ptp_ring_free+0x67/0x110 [atlantic]
... [ 216.127540] ---[ end trace 6467e5964dd2640b ]---
[ 216.132160] DMA-API: Mapped at:
[ 216.132162] debug_dma_alloc_coherent+0x66/0x2f0
[ 216.132165] dma_alloc_attrs+0xf5/0x1b0
[ 216.132168] aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic]
[ 216.132193] aq_ptp_ring_alloc+0x1bb/0x540 [atlantic]
[ 216.132213] aq_nic_init+0x4a1/0x760 [atlantic]

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 03/17/2025

The vulnerability identified as CVE-2024-26680 resides within the Linux kernel's networking subsystem, specifically affecting the atlantic driver used for Ethernet network interface cards. This issue manifests as a DMA mapping inconsistency that arises during the allocation and deallocation of memory for Precision Time Protocol hardware timestamping rings. The root cause stems from a mismatch between the amount of memory allocated for the PTP hardware timestamping ring and the amount that gets freed, leading to a critical discrepancy in DMA API usage. The function aq_ring_hwts_rx_alloc() allocates an additional AQ_CFG_RXDS_DEF bytes specifically for the PTP hardware timestamping ring, but the generic aq_ring_free() function does not account for this extra allocation when performing deallocation, creating a fundamental mismatch in memory management.

The operational impact of this vulnerability is significant as it triggers kernel warnings and potential system instability through the DMA-API subsystem. The kernel's DMA debugging infrastructure detects the inconsistency when attempting to free memory, generating a warning message that indicates a device driver is attempting to free DMA memory with a different size than what was originally mapped. The trace shows a clear mismatch where the device address maps 34816 bytes but the unmap operation attempts to free only 32768 bytes, which violates fundamental DMA memory management principles. This discrepancy can lead to memory corruption, system crashes, or more subtle stability issues that may go unnoticed until they manifest under specific network traffic conditions or prolonged system usage. The issue is particularly concerning because it affects the PTP hardware timestamping functionality, which is critical for time-sensitive applications such as financial trading systems, industrial control networks, and real-time communication protocols.

The technical flaw aligns with CWE-127, which addresses DMA mapping issues and memory management inconsistencies, and demonstrates characteristics consistent with ATT&CK technique T1059.001 related to system service manipulation and T1063 related to credential access through kernel-level vulnerabilities. The vulnerability exploits a common pattern in kernel drivers where specialized memory management functions fail to maintain consistency with generic cleanup routines, creating a path for potential exploitation. The fix implemented addresses this by creating a dedicated function specifically for freeing the HWTS ring, ensuring that the exact amount of memory allocated is properly accounted for during deallocation. This approach follows established kernel development practices and aligns with the principle of least privilege in memory management, where each allocation and deallocation operation must maintain strict consistency to prevent memory corruption and system instability. The resolution ensures that the atlantic driver properly handles the specialized memory requirements of PTP hardware timestamping while maintaining compatibility with the broader DMA subsystem and preventing potential denial-of-service conditions or more serious security implications that could arise from improper memory handling.

Reservation

02/19/2024

Disclosure

04/02/2024

Moderation

accepted

CPE

ready

EPSS

0.00228

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!