CVE-2024-26738 in Linuxinfo

Summary

by MITRE • 04/03/2024

In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries/iommu: DLPAR add doesn't completely initialize pci_controller

When a PCI device is dynamically added, the kernel oopses with a NULL pointer dereference:

BUG: Kernel NULL pointer dereference on read at 0x00000030 Faulting instruction address: 0xc0000000006bbe5c Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries Modules linked in: rpadlpar_io rpaphp rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs xsk_diag bonding nft_compat nf_tables nfnetlink rfkill binfmt_misc dm_multipath rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_umad ib_iser libiscsi scsi_transport_iscsi ib_ipoib rdma_cm iw_cm ib_cm mlx5_ib ib_uverbs ib_core pseries_rng drm drm_panel_orientation_quirks xfs libcrc32c mlx5_core mlxfw sd_mod t10_pi sg tls ibmvscsi ibmveth scsi_transport_srp vmx_crypto pseries_wdt psample dm_mirror dm_region_hash dm_log dm_mod fuse CPU: 17 PID: 2685 Comm: drmgr Not tainted 6.7.0-203405+ #66 Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries NIP: c0000000006bbe5c LR: c000000000a13e68 CTR: c0000000000579f8 REGS: c00000009924f240 TRAP: 0300 Not tainted (6.7.0-203405+) MSR: 8000000000009033 CR: 24002220 XER: 20040006 CFAR: c000000000a13e64 DAR: 0000000000000030 DSISR: 40000000 IRQMASK: 0 ... NIP sysfs_add_link_to_group+0x34/0x94 LR iommu_device_link+0x5c/0x118 Call Trace: iommu_init_device+0x26c/0x318 (unreliable) iommu_device_link+0x5c/0x118 iommu_init_device+0xa8/0x318 iommu_probe_device+0xc0/0x134 iommu_bus_notifier+0x44/0x104 notifier_call_chain+0xb8/0x19c blocking_notifier_call_chain+0x64/0x98 bus_notify+0x50/0x7c device_add+0x640/0x918 pci_device_add+0x23c/0x298 of_create_pci_dev+0x400/0x884 of_scan_pci_dev+0x124/0x1b0 __of_scan_bus+0x78/0x18c pcibios_scan_phb+0x2a4/0x3b0 init_phb_dynamic+0xb8/0x110 dlpar_add_slot+0x170/0x3b8 [rpadlpar_io]
add_slot_store.part.0+0xb4/0x130 [rpadlpar_io]
kobj_attr_store+0x2c/0x48 sysfs_kf_write+0x64/0x78 kernfs_fop_write_iter+0x1b0/0x290 vfs_write+0x350/0x4a0 ksys_write+0x84/0x140 system_call_exception+0x124/0x330 system_call_vectored_common+0x15c/0x2ec

Commit a940904443e4 ("powerpc/iommu: Add iommu_ops to report capabilities and allow blocking domains") broke DLPAR add of PCI devices.

The above added iommu_device structure to pci_controller. During system boot, PCI devices are discovered and this newly added iommu_device structure is initialized by a call to iommu_device_register().

During DLPAR add of a PCI device, a new pci_controller structure is allocated but there are no calls made to iommu_device_register() interface.

Fix is to register the iommu device during DLPAR add as well.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 08/03/2025

The vulnerability described in CVE-2024-26738 affects the Linux kernel's handling of dynamic PCI device addition on powerpc/pseries systems through the Dynamic Logical Partitioning (DLPAR) functionality. This issue manifests as a kernel NULL pointer dereference when attempting to add PCI devices dynamically, leading to system crashes and potential denial of service conditions. The problem specifically occurs within the iommu subsystem where the pci_controller structure is not properly initialized during DLPAR add operations, causing critical kernel functions to access invalid memory addresses.

The technical root cause stems from a regression introduced in commit a940904443e4 which added iommu_device structure support to pci_controller for reporting IOMMU capabilities and managing blocking domains. During normal system boot, PCI devices are discovered and the iommu_device structure is properly initialized through calls to iommu_device_register(). However, during DLPAR add operations, while a new pci_controller structure is allocated, the crucial iommu_device_register() call is omitted, leaving the IOMMU device structure uninitialized. This creates a scenario where subsequent kernel operations attempt to dereference a NULL pointer at offset 0x30, resulting in the kernel oops and system crash.

The operational impact of this vulnerability is significant for systems utilizing powerpc/pseries architecture with dynamic PCI device management capabilities. Any DLPAR add operation for PCI devices will trigger the kernel NULL pointer dereference, potentially causing complete system instability and requiring manual intervention to recover. The vulnerability affects systems running kernel versions that include the problematic commit, particularly impacting enterprise and server environments where dynamic hardware configuration is common. Attackers could exploit this by repeatedly triggering DLPAR add operations to cause system crashes, leading to availability disruptions.

The fix for this vulnerability involves ensuring that the iommu device is properly registered during DLPAR add operations, mirroring the initialization process that occurs during system boot. This requires adding the missing iommu_device_register() call during the DLPAR add path to properly initialize the iommu_device structure within the pci_controller. The solution aligns with the principle of proper resource initialization and follows established kernel patterns for IOMMU device management. This fix addresses the underlying CWE-476 (NULL Pointer Dereference) vulnerability and ensures consistent behavior between boot-time and dynamic PCI device addition scenarios. The remediation approach follows ATT&CK technique T1489 (Service Stop) and T1070 (Indicator Removal) by preventing the system crash that would otherwise occur, maintaining system availability and stability during dynamic hardware configuration operations.

Reservation

02/19/2024

Disclosure

04/03/2024

Moderation

accepted

CPE

ready

EPSS

0.00239

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!