CVE-2024-40901 in Linux
Summary
by MITRE • 07/12/2024
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory
There is a potential out-of-bounds access when using test_bit() on a single word. The test_bit() and set_bit() functions operate on long values, and when testing or setting a single word, they can exceed the word boundary. KASAN detects this issue and produces a dump:
BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrumented-atomic.h:29 drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas
Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965
For the full log, please look at [1].
Make the allocation at least the size of sizeof(unsigned long) so that set_bit() and test_bit() have sufficient room for read/write operations without overwriting unallocated memory.
[1] Link: https://lore.kernel.org/all/[email protected]/
Analysis
by VulDB Data Team • 09/27/2024
The vulnerability CVE-2024-40901 affects the Linux kernel's SCSI multipath storage subsystem, specifically the mpt3sas driver responsible for managing LSI MegaRAID controllers. The issue is a classic buffer overflow scenario in which improper memory boundary handling leads to out-of-bounds memory access. The flaw occurs during device discovery and management operations when the driver manipulates bit flags using the kernel's test_bit() and set_bit() functions. These functions operate on long values, i.e. on memory the size of unsigned long on the target architecture, but the code fails to ensure that the memory allocated for such operations is large enough. The vulnerability manifests as a slab-out-of-bounds access detected by the Kernel Address Sanitizer (KASAN), indicating that the bit operations extend beyond the allocated boundary and can corrupt adjacent memory regions.
The technical root cause of this vulnerability is inadequate memory allocation sizing within the mpt3sas driver's device handling code. When the driver processes SCSI device additions, it performs bit operations on memory locations that are too small to accommodate a full unsigned long access. The specific error occurs at line 7331 of mpt3sas_scsih.c, where the _scsih_add_device() function executes test_bit() operations that cross the allocated boundary. The KASAN dump shows a write of size 8 bytes (the size of unsigned long on x86_64) to address 0xffff8881d26e3c60, which indicates that the memory region allocated for bit manipulation is smaller than the word the bit operation touches. This type of vulnerability is classified under CWE-121, which describes stack-based buffer overflow conditions, although in this kernel context it manifests as a heap-based (slab) out-of-bounds access. The underlying issue reflects poor adherence to kernel memory management best practices: the driver fails to size its allocations for the word-granular atomic bit operations it performs on them.
The operational impact of this vulnerability is significant within enterprise storage environments that rely on Linux-based systems with LSI MegaRAID controllers. An attacker could potentially exploit this flaw to cause system instability through kernel memory corruption, leading to system crashes, data corruption, or in worst-case scenarios, privilege escalation. The vulnerability affects systems running kernel versions prior to the fix, particularly those managing large numbers of SCSI devices or under heavy I/O workloads where device discovery and management operations occur frequently. The out-of-bounds memory access could result in unpredictable behavior, including denial of service conditions where the storage subsystem becomes unavailable, or more severe consequences if the memory corruption affects critical kernel data structures. This vulnerability directly impacts the reliability and security of enterprise storage infrastructure that depends on the mpt3sas driver for device management and I/O operations.
The recommended mitigation is to ensure that every memory allocation used as a target of bit manipulation operations within the mpt3sas driver is sized to accommodate the full unsigned long data type. The fix modifies the allocation logic so that bit operation targets are at least sizeof(unsigned long) bytes in size, which prevents any boundary violation. This approach aligns with the principle of defensive programming and follows established kernel development practices for atomic operations. Organizations should promptly apply the kernel security patches that implement this fix, which adjust the allocation sizes of the specific data structures used in device management operations. System administrators should also monitor for signs of system instability or unexpected crashes that might indicate exploitation attempts, particularly in high-density storage environments. The fix is relevant to ATT&CK technique T1068 in that it closes a privilege escalation vector based on kernel memory corruption, and it follows security frameworks that emphasize proper resource management and bounds checking in kernel space. Regular kernel updates and security audits should be carried out to catch similar issues in other subsystems that employ the same bit manipulation patterns.
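To make the sizing rule behind the bug and the fix concrete, here is an added user-space C model; it is not the mpt3sas driver's code and all function names are assumed for this example. It reproduces why a bitmap sized in bytes is too small for word-granular test_bit()/set_bit() calls (the out-of-bounds condition KASAN reported) and shows the corrected sizing the commit describes: round up to whole longs and never allocate less than sizeof(unsigned long).

```c
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)  /* 64 on x86_64 */

/* Simplified, non-atomic models of the kernel's test_bit()/set_bit(): like the
 * real ones they index memory as an array of unsigned long, so even bit 0 reads
 * or writes a full sizeof(unsigned long) bytes starting at addr. */
static int model_test_bit(unsigned int nr, const unsigned long *addr)
{
    return (int)((addr[nr / BITS_PER_LONG] >> (nr % BITS_PER_LONG)) & 1UL);
}

static void model_set_bit(unsigned int nr, unsigned long *addr)
{
    addr[nr / BITS_PER_LONG] |= 1UL << (nr % BITS_PER_LONG);
}

/* Constructed buggy sizing: bytes = bits / 8 ignores the word granularity of the
 * bit operations, so for nbits < BITS_PER_LONG the buffer is smaller than one long. */
size_t bitmap_bytes_buggy(unsigned int nbits) { return nbits / 8; }

/* Fixed sizing: whole longs, and at least sizeof(unsigned long) even for tiny maps. */
size_t bitmap_bytes_fixed(unsigned int nbits)
{
    size_t longs = (nbits + BITS_PER_LONG - 1) / BITS_PER_LONG;
    return (longs ? longs : 1) * sizeof(unsigned long);
}

/* 1 if test_bit(nr)/set_bit(nr) on a buffer of alloc_bytes would touch memory past
 * its end (the slab-out-of-bounds access), else 0. */
int bit_op_overruns(unsigned int nr, size_t alloc_bytes)
{
    size_t word_end = (nr / BITS_PER_LONG + 1) * sizeof(unsigned long);
    return word_end > alloc_bytes;
}

/* Allocate with the fixed size, set one bit and check it and a neighbour stay
 * consistent. Returns 1 on success, 0 on logic failure, -1 if calloc fails. */
int bitmap_set_test_roundtrip(unsigned int nbits, unsigned int nr)
{
    unsigned long *map = calloc(1, bitmap_bytes_fixed(nbits));
    unsigned int neighbour = nr ? nr - 1 : 1;   /* assumes nbits >= 2 */
    int ok;
    if (!map) return -1;
    model_set_bit(nr, map);
    ok = model_test_bit(nr, map) && !model_test_bit(neighbour, map);
    free(map);
    return ok;
}
```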