CVE-2024-44976 in Linux
Summary
by MITRE • 09/04/2024
In the Linux kernel, the following vulnerability has been resolved:
ata: pata_macio: Fix DMA table overflow
Kolbjørn and Jonáš reported that their 32-bit PowerMacs were crashing in pata-macio since commit 09fe2bfa6b83 ("ata: pata_macio: Fix max_segment_size with PAGE_SIZE == 64K").
For example:
kernel BUG at drivers/ata/pata_macio.c:544!
Oops: Exception in kernel mode, sig: 5 [#1]
BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 DEBUG_PAGEALLOC PowerMac
...
NIP pata_macio_qc_prep+0xf4/0x190
LR pata_macio_qc_prep+0xfc/0x190
Call Trace:
0xc1421660 (unreliable)
ata_qc_issue+0x14c/0x2d4
__ata_scsi_queuecmd+0x200/0x53c
ata_scsi_queuecmd+0x50/0xe0
scsi_queue_rq+0x788/0xb1c
__blk_mq_issue_directly+0x58/0xf4
blk_mq_plug_issue_direct+0x8c/0x1b4
blk_mq_flush_plug_list.part.0+0x584/0x5e0
__blk_flush_plug+0xf8/0x194
__submit_bio+0x1b8/0x2e0
submit_bio_noacct_nocheck+0x230/0x304
btrfs_work_helper+0x200/0x338
process_one_work+0x1a8/0x338
worker_thread+0x364/0x4c0
kthread+0x100/0x104
start_kernel_thread+0x10/0x14
That commit increased max_segment_size to 64KB, with the justification that the SCSI core was already using that size when PAGE_SIZE == 64KB, and that there was existing logic to split over-sized requests.
However with a sufficiently large request, the splitting logic causes each sg to be split into two commands in the DMA table, leading to overflow of the DMA table, triggering the BUG_ON().
With default settings the bug doesn't trigger, because the request size is limited by max_sectors_kb == 1280, however max_sectors_kb can be increased, and apparently some distros do that by default using udev rules.
Fix the bug for 4KB kernels by reverting to the old max_segment_size.
For 64KB kernels the sg_tablesize needs to be halved, to allow for the possibility that each sg will be split into two.
Analysis
by VulDB Data Team • 10/11/2024
The vulnerability CVE-2024-44976 is a critical issue in the Linux kernel's ATA subsystem, specifically affecting 32-bit PowerMac systems. The flaw is in the pata_macio driver, which handles Parallel ATA interfaces on Macintosh hardware. It stems from mishandling of the driver's DMA command table while a request is being prepared, leading to kernel crashes and system instability. The issue was introduced in commit 09fe2bfa6b83, which raised max_segment_size to 64KB so that the driver would match what the SCSI core already used when PAGE_SIZE equals 64KB. That change, however, broke an assumption in the logic that splits scatter-gather entries for large data transfers.
Technically, the defect lies in the interaction between the ATA subsystem, the block layer's scatter-gather lists, and the fixed-size DMA command table the driver builds for the hardware. Each scatter-gather entry is cut into DMA commands no larger than the hardware can handle in one command. When the entries handed to the driver are large enough that each one is split into two commands, a request that fills the scatter-gather list needs twice as many commands as the table has room for, and the table overflows. That condition is caught by the BUG_ON() in drivers/ata/pata_macio.c at line 544, which crashes the kernel rather than writing past the table. The crash in the report occurred on a kernel with PAGE_SIZE set to 4KB; the fix also covers the 64KB PAGE_SIZE configuration, using a different adjustment for each.
The operational impact of CVE-2024-44976 is severe for affected PowerMac systems, particularly those running 32-bit kernels, where the condition can be reached through ordinary disk I/O. Systems using default kernel settings are not affected, because the max_sectors_kb limit of 1280KB keeps requests small enough, but distributions that raise this parameter through udev rules or custom configuration expose their systems to crashes. Any application or service that issues large disk I/O, such as database servers, file servers, and backup applications, can trigger it. The crash happens in kernel mode with signal 5 (SIGTRAP, raised by the BUG_ON(), as the oops above shows), so the system cannot recover without manual intervention, resulting in complete system downtime and potential data loss.
The mitigation requires attention to both the kernel's I/O parameters and the hardware-specific configuration. For 4KB page systems, the fix reverts to the original max_segment_size value that worked before the problematic commit. For 64KB page systems, the fix halves the sg_tablesize parameter so that the DMA table can absorb every scatter-gather entry being split in two. This follows the basic principle of keeping memory-safety boundaries intact and preventing buffer overflows. The vulnerability also shows why changes to I/O and memory parameters need testing across hardware configurations and kernel parameter combinations, because such changes have cascading effects across kernel subsystems. Organizations should review their system configurations and udev rules to make sure they have not raised max_sectors_kb in a way that reaches this condition; a quick check is to read /sys/block/<device>/queue/max_sectors_kb and compare it with the 1280 default mentioned in the summary. The fix addresses the underlying CWE-129 weakness (improper validation of an array index) and the CWE-787 weakness (out-of-bounds write); on this hardware the observed outcome is the BUG_ON() crash, that is, a denial of service.
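To make the table arithmetic behind the summary's fix description and the mitigation paragraph above concrete, here is an added model of the driver's table fill (example code written for this page, not the kernel's own code). It assumes MAX_DCMDS = 256 and MAX_DBDMA_SEG = 0xff00, the pata_macio constants as I know them, and simplifies the block layer to handing the driver full-size segments, at most sg_tablesize of them.

```c
#include <stddef.h>

/* Assumed driver constants (from drivers/ata/pata_macio.c as I know it,
 * stated here as assumptions): a 256-entry DBDMA command table and a
 * per-command byte limit of 0xff00, leaving room for the end-of-table marker. */
#define MAX_DCMDS      256
#define MAX_DBDMA_SEG  0xff00u
#define SZ_64K         0x10000u

/* Model of the qc_prep loop: each scatter-gather segment is cut into chunks
 * of at most MAX_DBDMA_SEG bytes, one DBDMA command per chunk. Returns the
 * number of commands used, or -1 where the driver's BUG_ON() would fire. */
int dma_table_fill(const unsigned int *seg_len, size_t nsegs)
{
    int pi = 0;                               /* next free table index */
    for (size_t i = 0; i < nsegs; i++) {
        unsigned int len = seg_len[i];
        while (len) {
            unsigned int tlen = len > MAX_DBDMA_SEG ? MAX_DBDMA_SEG : len;
            if (pi >= MAX_DCMDS)
                return -1;                    /* table overflow */
            pi++;
            len -= tlen;
        }
    }
    return pi;
}

/* Commands needed for one request of req_bytes under a given host template
 * (max_segment_size, sg_tablesize). Simplification (assumption): the block
 * layer hands the driver full-size segments, at most sg_tablesize of them;
 * anything beyond that would go into a separate request. */
int request_cmds(unsigned long req_bytes, unsigned int max_segment_size,
                 unsigned int sg_tablesize)
{
    unsigned int segs[MAX_DCMDS];
    size_t n = 0;
    if (sg_tablesize > MAX_DCMDS)
        sg_tablesize = MAX_DCMDS;
    while (req_bytes && n < sg_tablesize) {
        unsigned int seg = req_bytes > max_segment_size
                           ? max_segment_size : (unsigned int)req_bytes;
        segs[n++] = seg;
        req_bytes -= seg;
    }
    return dma_table_fill(segs, n);
}
```

With 64KB segments every full segment exceeds 0xff00 and becomes two commands, so a request filling all 256 entries needs 512 commands and overflows, while reverting to 0xff00 segments or halving sg_tablesize brings the worst case back to exactly 256; a 1280KB request at 64KB segments needs only 40, which is why default settings never reach the BUG_ON().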