CVE-2024-44937 in Linux
Summary
by MITRE • 08/26/2024
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: intel-vbtn: Protect ACPI notify handler against recursion
Since commit e2ffcda16290 ("ACPI: OSL: Allow Notify () handlers to run on all CPUs") ACPI notify handlers like the intel-vbtn notify_handler() may run on multiple CPU cores racing with themselves.
This race gets hit on Dell Venue 7140 tablets when undocking from the keyboard, causing the handler to try and register priv->switches_dev twice, as can be seen from the dev_info() message getting logged twice:
[ 83.861800] intel-vbtn INT33D6:00: Registering Intel Virtual Switches input-dev after receiving a switch event
[ 83.861858] input: Intel Virtual Switches as /devices/pci0000:00/0000:00:1f.0/PNP0C09:00/INT33D6:00/input/input17
[ 83.861865] intel-vbtn INT33D6:00: Registering Intel Virtual Switches input-dev after receiving a switch event
After which things go seriously wrong: [ 83.861872] sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:1f.0/PNP0C09:00/INT33D6:00/input/input17'
... [ 83.861967] kobject: kobject_add_internal failed for input17 with -EEXIST, don't try to register things with the same name in the same directory.
[ 83.877338] BUG: kernel NULL pointer dereference, address: 0000000000000018
...
Protect intel-vbtn notify_handler() from racing with itself with a mutex to fix this.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 12/13/2024
The vulnerability described in CVE-2024-44937 represents a critical race condition within the Linux kernel's ACPI notification handling mechanism, specifically affecting the intel-vbtn driver used in certain Dell tablets. This issue stems from changes made in commit e2ffcda16290 which enabled ACPI notify handlers to execute concurrently across multiple CPU cores, a feature designed to improve system responsiveness but inadvertently creating dangerous conditions for drivers that were not designed with such parallel execution in mind. The intel-vbtn driver, responsible for handling virtual button events on Intel-based systems, becomes vulnerable to self-racing conditions when multiple CPU cores attempt to execute the same notification handler simultaneously.
The technical flaw manifests as a race condition in the intel-vbtn notify_handler() function where concurrent execution attempts to register the same input device twice, leading to a cascade of system failures. When the Dell Venue 7140 tablet is undocked from its keyboard, the ACPI notify mechanism triggers the handler on multiple cores simultaneously, causing the system to attempt to register the priv->switches_dev device twice. This duplication attempt results in the kernel logging duplicate messages indicating the registration process is occurring twice, followed immediately by sysfs errors indicating duplicate filename creation attempts. The underlying issue stems from the lack of proper synchronization between concurrent handler executions, allowing multiple threads to access and modify shared resources without adequate protection mechanisms.
The operational impact of this vulnerability is severe and potentially destabilizing to affected systems. The race condition leads to kernel NULL pointer dereference errors and system crashes, as evidenced by the BUG message indicating memory access violations at address 0x0000000000000018. The system's inability to properly handle concurrent ACPI notifications results in device registration failures, kernel panic conditions, and potential data corruption. This vulnerability affects systems running Linux kernels where the intel-vbtn driver is active and ACPI notify handlers are executed in parallel, particularly impacting mobile devices and tablets that rely on ACPI-based hardware event handling. The issue demonstrates a classic case of insufficient concurrency control in kernel drivers, where the introduction of parallel processing capabilities created new attack surfaces and failure modes.
The mitigation strategy for this vulnerability involves implementing proper synchronization mechanisms within the intel-vbtn driver to prevent concurrent execution of the notify_handler() function. The solution requires protecting the handler with a mutex, ensuring that only one instance of the handler can execute at any given time, thereby eliminating the race condition that leads to duplicate device registrations. This approach aligns with standard security practices for concurrent system programming and addresses the underlying design flaw that allowed multiple threads to access shared resources simultaneously. The fix directly addresses the root cause by ensuring atomic execution of the notification handling code, preventing the duplicate registration attempts that trigger the cascading failures. This remediation follows established kernel security principles and aligns with the CWE-362 weakness category, which specifically addresses race conditions in concurrent programming scenarios. The solution also reflects ATT&CK technique T1068, which involves the exploitation of privilege escalation opportunities through system-level vulnerabilities, as this flaw could potentially be exploited to cause system instability or denial of service conditions.