CVE-2024-36925 in Linuxinfo

Summary

by MITRE • 05/30/2024

In the Linux kernel, the following vulnerability has been resolved:

swiotlb: initialise restricted pool list_head when SWIOTLB_DYNAMIC=y

Using restricted DMA pools (CONFIG_DMA_RESTRICTED_POOL=y) in conjunction with dynamic SWIOTLB (CONFIG_SWIOTLB_DYNAMIC=y) leads to the following crash when initialising the restricted pools at boot-time:

| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 | Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
| pc : rmem_swiotlb_device_init+0xfc/0x1ec | lr : rmem_swiotlb_device_init+0xf0/0x1ec | Call trace: | rmem_swiotlb_device_init+0xfc/0x1ec | of_reserved_mem_device_init_by_idx+0x18c/0x238 | of_dma_configure_id+0x31c/0x33c | platform_dma_configure+0x34/0x80

faddr2line reveals that the crash is in the list validation code:

include/linux/list.h:83 include/linux/rculist.h:79 include/linux/rculist.h:106 kernel/dma/swiotlb.c:306 kernel/dma/swiotlb.c:1695

because add_mem_pool() is trying to list_add_rcu() to a NULL 'mem->pools'.

Fix the crash by initialising the 'mem->pools' list_head in rmem_swiotlb_device_init() before calling add_mem_pool().

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 05/30/2024

This vulnerability exists within the linux kernel's dma subsystem specifically affecting systems configured with both restricted dma pools and dynamic swiotlb functionality. The issue manifests as a kernel oops during boot time initialization when the kernel attempts to process restricted dma memory pools. The root cause stems from improper initialization of a list head structure that is subsequently used in a list manipulation operation. When CONFIG_DMA_RESTRICTED_POOL=y and CONFIG_SWIOTLB_DYNAMIC=y are both enabled, the kernel's reserved memory initialization code path fails to properly initialize the mem->pools list_head structure before attempting to add elements to it. This creates a scenario where list_add_rcu() is called on a NULL pointer, resulting in a kernel NULL pointer dereference that crashes the system.

The technical flaw occurs in the rmem_swiotlb_device_init function within kernel/dma/swiotlb.c at line 1695, where the add_mem_pool() function is invoked without proper initialization of the mem->pools list_head. The crash trace shows execution flowing through the kernel's device tree dma configuration mechanism and eventually reaching the problematic list validation code in include/linux/list.h at line 83. This type of vulnerability falls under the category of improper initialization as defined by CWE-459, where a data structure fails to be properly initialized before use. The vulnerability directly impacts the kernel's memory management and dma subsystem initialization process, making it a critical boot-time issue that prevents system operation.

The operational impact of this vulnerability is severe as it prevents systems from booting properly when both configuration options are enabled, effectively rendering affected hardware unusable. Systems using device trees for dma configuration and those requiring restricted memory pools for security or compliance reasons are particularly vulnerable. This affects embedded systems, servers, and devices that rely on the combination of dynamic swiotlb functionality with restricted memory pools for various security requirements. The vulnerability represents a direct violation of the kernel's initialization sequence and can be exploited to cause denial of service conditions during system boot. According to ATT&CK framework, this maps to T1490 (Inhibit System Recovery) and T1547.001 (Registry Run Keys/Startup Folder) through the boot process compromise.

The fix implemented addresses the core initialization issue by ensuring the mem->pools list_head is properly initialized in the rmem_swiotlb_device_init() function before any calls to add_mem_pool() are made. This follows the principle of defensive programming where all data structures are initialized before use, preventing the NULL pointer dereference that was occurring. The solution aligns with the kernel's established patterns for list initialization and follows best practices for kernel memory management. The fix is minimal and surgical, targeting only the specific initialization gap without altering the broader functionality of the swiotlb subsystem. This vulnerability demonstrates the importance of proper data structure initialization in kernel code and highlights how seemingly small initialization oversights can lead to complete system failures during critical boot processes. The resolution ensures that the kernel's dma subsystem can properly initialize restricted memory pools without crashing, maintaining system stability and availability for devices that require both dynamic swiotlb and restricted memory pool functionality.

Reservation

05/30/2024

Disclosure

05/30/2024

Moderation

accepted

CPE

ready

EPSS

0.00227

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!