CVE-2024-41002 in Linux

Summary

by MITRE • 07/12/2024

In the Linux kernel, the following vulnerability has been resolved:

crypto: hisilicon/sec - Fix memory leak for sec resource release

The AIV is one of the SEC resources. When releasing resources, it needs to release the AIV resources at the same time. Otherwise, memory leakage occurs.

The aiv resource release is added to the sec resource release function.


Analysis

by VulDB Data Team • 09/30/2024

CVE-2024-41002 is a memory management issue in the Linux kernel's cryptographic subsystem, specifically in the hisilicon/sec driver. The flaw is a resource management oversight in the cleanup path of the hardware security engine. The driver handles cryptographic operations through the HiSilicon Security Engine Controller (SEC), which manages several hardware resources, among them the AIV resource. When the driver releases SEC resources, it fails to account for the AIV resources that were allocated alongside the primary SEC components. As a result, memory allocated for the AIV structures stays allocated after the parent SEC resources have been released, and the leaked memory accumulates over time, degrading system performance or contributing to resource exhaustion.

The technical root cause of this vulnerability stems from an incomplete resource cleanup routine within the kernel's device driver framework. The hisilicon/sec driver implements a resource release mechanism that properly handles the main SEC hardware resources but neglects to invoke the corresponding cleanup function for the AIV subsystem. This represents a classic memory leak pattern where allocated kernel memory structures are not properly deallocated, creating persistent memory footprints that accumulate over time. The issue specifically affects the driver's resource management function where the AIV resource release logic was not integrated into the existing SEC resource release sequence, resulting in orphaned memory allocations that cannot be reclaimed by the kernel's memory management subsystem.

From an operational perspective, this vulnerability poses significant risks to systems utilizing hisilicon hardware platforms that depend on the security engine for cryptographic operations. The memory leak occurs during normal resource cleanup operations, meaning that every time the SEC driver releases resources, a small amount of memory remains allocated, creating a progressive degradation in system performance. In high-throughput environments or systems with frequent resource allocation and deallocation cycles, this leak can accumulate to substantial memory consumption, potentially leading to system instability, reduced performance, or even system crashes due to memory exhaustion. The vulnerability is particularly concerning because it operates silently in the background, making detection difficult without specialized monitoring tools that track kernel memory allocation patterns.

The fix for CVE-2024-41002 adds the AIV resource release to the existing SEC resource release function, so that releasing SEC resources also releases the associated AIV resources as part of one cleanup sequence. This follows the basic kernel-development rule that every allocation on a setup path has a matching release on the teardown path. The weakness would typically be classified as CWE-404 (improper resource shutdown or release) or CWE-772 (missing release of resource after effective lifetime). The practical impact is denial of service through gradual memory exhaustion rather than code execution. Administrators of systems running the Linux kernel on HiSilicon hardware platforms with the SEC engine should apply the patched kernel to prevent the leak from affecting system stability and performance.
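The following user-space C program is an added illustration of the leak pattern described in the analysis above; it is not the HiSilicon driver's code and is not the actual patch. It models a per-queue resource block with a cipher IV buffer, an AIV buffer, a MAC buffer and a packet buffer, pairs a release routine that omits the AIV buffer (the "before" state) with one that includes it (the "after" state), and counts live allocations across repeated allocate/release cycles so the leak becomes measurable. Field names, buffer sizes, and the assumption that the AIV buffer belongs to the AEAD path are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sizes; the real driver's buffer sizes are not on this page. */
#define IV_SZ   16
#define MAC_SZ  64
#define PBUF_SZ 512

/* Model of the driver's per-queue resource block (field names assumed). */
struct sec_alg_res {
    unsigned char *c_ivin;   /* cipher IV input buffer */
    unsigned char *a_ivin;   /* AIV buffer, the one the fix releases */
    unsigned char *out_mac;  /* MAC output buffer */
    unsigned char *pbuf;     /* packet buffer */
};

/* Live-allocation counter standing in for the kernel's memory accounting. */
static int live_allocs;

static void *track_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p)
        live_allocs++;
    return p;
}

static void track_free(void *p)
{
    if (p) {
        live_allocs--;
        free(p);
    }
}

/* "After": every buffer allocated below has a matching release here. */
void sec_free_resources_fixed(struct sec_alg_res *res, int aead)
{
    track_free(res->c_ivin);
    track_free(res->pbuf);
    if (aead) {
        track_free(res->out_mac);
        track_free(res->a_ivin);   /* the release the fix adds */
    }
    memset(res, 0, sizeof(*res));
}

/* "Before": the AIV buffer is allocated but never released. */
void sec_free_resources_leaky(struct sec_alg_res *res, int aead)
{
    track_free(res->c_ivin);
    track_free(res->pbuf);
    if (aead)
        track_free(res->out_mac);
    /* res->a_ivin is dropped on the floor; the pointer is lost below. */
    memset(res, 0, sizeof(*res));
}

/* Allocate the block; the AIV and MAC buffers exist only for AEAD (assumption). */
int sec_alloc_resources(struct sec_alg_res *res, int aead)
{
    memset(res, 0, sizeof(*res));
    res->c_ivin = track_alloc(IV_SZ);
    res->pbuf = track_alloc(PBUF_SZ);
    if (aead) {
        res->out_mac = track_alloc(MAC_SZ);
        res->a_ivin = track_alloc(IV_SZ);
    }
    if (!res->c_ivin || !res->pbuf || (aead && (!res->out_mac || !res->a_ivin))) {
        sec_free_resources_fixed(res, aead);   /* unwind partial allocation */
        return -1;
    }
    return 0;
}

/* Run n allocate/release cycles and report how many allocations remain live. */
int leaked_after_cycles(int n, int aead, int use_fixed)
{
    struct sec_alg_res res;
    live_allocs = 0;
    for (int i = 0; i < n; i++) {
        if (sec_alloc_resources(&res, aead) != 0)
            return -1;
        if (use_fixed)
            sec_free_resources_fixed(&res, aead);
        else
            sec_free_resources_leaky(&res, aead);
    }
    return live_allocs;
}

int main(void)
{
    printf("leaky release, 1000 AEAD cycles: %d live allocations\n",
           leaked_after_cycles(1000, 1, 0));
    printf("fixed release, 1000 AEAD cycles: %d live allocations\n",
           leaked_after_cycles(1000, 1, 1));
    printf("leaky release, 1000 non-AEAD cycles: %d live allocations\n",
           leaked_after_cycles(1000, 0, 0));
    return 0;
}
```

The counter makes the defect visible as one orphaned allocation per teardown, which is the signature a practitioner would look for when tracking kernel memory growth on a host that repeatedly sets up and tears down crypto contexts; the non-AEAD run shows no leak because, under this model's assumption, no AIV buffer is allocated on that path.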

Responsible

Linux

Reservation

07/12/2024

Disclosure

07/12/2024

Moderation

accepted

CPE

ready

EPSS

0.00272

KEV

no

Activities

very low
