CVE-2023-52492 - Resolving Linux Kernel Vulnerability: NULL Pointer in DMA Channel Unregistration Function
A vulnerability in the Linux kernel has been resolved regarding a NULL pointer in the DMA engine channel unregistration function. This blog post will discuss the details of this vulnerability, the original references, and provide code snippets related to the fix applied.
Vulnerability (CVE-2023-52492)
The vulnerability discovered in dmaengine affects the __dma_async_device_channel_register() function that can fail. In case of failure, chan->local is freed (with free_percpu()), and chan->local becomes NULL. The problem occurs when dma_async_device_unregister() is called (because of managed API or intentionally by the DMA controller driver) and channels are unconditionally unregistered, leading to the NULL pointer issue:
[ 1.318693] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d
[...]
[ 1.484499] Call trace:
[ 1.486930] device_del+x40/x394
[ 1.490314] device_unregister+x20/x7c
[ 1.494220] __dma_async_device_channel_unregister+x68/xc
Solution
To address this vulnerability, the condition to check if chan->local is not NULL has been added at the beginning of the __dma_async_device_channel_unregister() function, avoiding the NULL pointer issue regardless of the API used to reach this function.
The required change in the code is as follows
void *__dma_async_device_channel_unregister(struct dma_chan *chan)
{
if (!chan->local)
return NULL;
// ... rest of the code
}
Original References
The issue was addressed in this commit on GitHub: dmaengine: fix NULL pointer in channel unregistration function
For further information, you can also review the Linux kernel mailing list's post on this issue: [PATCH v2] dmaengine: fix NULL pointer in channel unregistration function](https://patchwork.kernel.org/project/linux-dmaengine/patch/008d686fbeffd22e8947a9fc9f1a7bbec88298a8@gemini.mail.kate/actions.changes/).
Conclusion
In conclusion, CVE-2023-52492 is a vulnerability found in the Linux kernel regarding a NULL pointer in the DMA engine channel unregistration function. The vulnerability can be fixed by adding proper condition checks to ensure that chan->local is not NULL before proceeding with the unregistration process. This post has provided code snippets and original references for the vulnerability and its resolution, allowing developers to better understand the issue and apply the fix accordingly.
Timeline
Published on: 03/11/2024 18:15:16 UTC
Last modified on: 11/06/2024 19:35:03 UTC