Researchers uncovered a vulnerability in the Linux kernel’s dmam_free_coherent() function, which stems from a race condition caused by the improper order of operations when freeing DMA (Direct Memory Access) allocations and managing associated resources.
This vulnerability can lead to system instabilities and malfunctions, as DMA is crucial for allowing hardware devices to transfer data directly to and from system memory without CPU involvement.
Exploiting a vulnerability like the one in the dmam_free_coherent() function in the Linux kernel typically involves taking advantage of a race condition; attackers create a scenario where the race condition can be triggered.
DMA is a critical mechanism that allows hardware devices to transfer data directly to and from the system’s memory without involving the CPU, thus improving performance. A bug in this process could result in incorrect memory access, leading to data corruption, unexpected behavior, or crashes.
The dmam_free_coherent the function is responsible for freeing a DMA allocation and removing the associated data structure used to track the allocation.
An attacker might attempt to exploit the race condition by carefully timing their operations to coincide with the freeing and reallocation of DMA memory.
If this scenario occurs, the devres_destroy function might free the wrong entry, triggering a WARN_ON assertion in the dmam_match function.
The dmam_match function is typically part of the Direct Memory Access (DMA) management subsystem in the Linux kernel.
“If this happens, there will be two entries in the devres list with the same vaddr and devres_destroy() can free the wrong entry, triggering the WARN_ON() in dmam_match.”
This order of operations could lead to a race condition where a concurrent task allocates memory with the same virtual address and adds it to the tracking list before the original entry is removed.
According to the report, “dmam_free_coherent() frees a DMA allocation, which makes the freed vaddr available for reuse, then calls devres_destroy() to remove and free the data structure used to track the DMA allocation. Between the two calls, it is possible for a concurrent task to make an allocation with the same vaddr and add it to the devres list.”
Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access
The Patch – CVE-2024-43856
Greg Kroah-Hartman committed a new patch for the Linux kernel vulnerability (CVE-2024-43856), which aims to address a potential bug in the handling of DMA (Direct Memory Access) allocations.
The patch, authored by Lance Richardson from Google, modifies the dmam_free_coherent function to prevent possible issues when freeing and reallocating DMA memory.
Richardson’s patch addresses this issue by simply swapping the order of the function calls. The patch ensures that the tracking data structure is destroyed using devres_destroy before the DMA allocation is freed with dma_free_coherent. This change prevents the possibility of a concurrent task interfering with the cleanup process.
The patch has been tested on Google’s internal “kokonut” network encryption project and has been signed off by Christoph Hellwig and Sasha Levin, indicating its readiness for inclusion in the mainline Linux kernel.
While the dmam_free_coherent() vulnerability involves a race condition in resource management, exploiting it to write arbitrary data into CPU memory would be complex and highly dependent on specific system configurations and additional vulnerabilities. Attackers would need to combine this with other weaknesses or have precise control over the system to achieve such an outcome.
As the Linux kernel continues to evolve and power a vast array of devices, patches like this one demonstrate the ongoing efforts of the developer community to identify and rectify potential bugs, ensuring a more stable and reliable operating system for users worldwide.
Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot