Linux is the backbone of modern computing, but even the strongest foundations can have cracks. In early 2024, a vulnerability surfaced that could lead to serious system crashes—CVE-2023-52492, a bug in the Linux kernel’s DMA (Direct Memory Access) engine subsystem. Let's break down what happened, how it was fixed, and why it matters.
What is CVE-2023-52492?
CVE-2023-52492 is a null pointer dereference vulnerability found in the Linux kernel’s DMA Engine, specifically in the code that manages DMA channels’ registration and unregistration. When certain error handling code misses necessary checks, the kernel could try to free or use memory that’s already been set to NULL. This causes crashes (kernel panic), jeopardizing system stability—even at boot.
__dma_async_device_channel_unregister() (handles channel unregistration)
When registering a DMA channel fails, it frees (deallocates) some memory and sets the pointer to NULL. But, during unregistration, the code didn’t check if the pointer was still valid—leading to a null pointer dereference.
A system with the bug might show kernel logs like
[ 1.318693] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d
...
[ 1.484499] Call trace:
[ 1.486930] device_del+x40/x394
[ 1.490314] device_unregister+x20/x7c
[ 1.494220] __dma_async_device_channel_unregister+x68/xc
This means the kernel tried to access or free memory at address x—which isn’t allowed.
Why Does this Matter?
DMA controllers are critical components, used by drivers to move data efficiently between memory and devices (like storage or network cards). If the registration or de-registration gets botched, any device depending on DMA may fail, freeze, or cause unpredictable errors. In edge cases, this could even be a vector for denial-of-service attacks.
Vulnerable Function
int __dma_async_device_channel_register(struct dma_device *device, struct dma_chan *chan) {
chan->local = alloc_percpu(...);
if (!chan->local) {
// Registration failed
free_percpu(chan->local);
chan->local = NULL;
return -ENOMEM;
}
// ... normal registration steps
return ;
}
When registration fails, chan->local is set to NULL. However, during unregistration
void __dma_async_device_channel_unregister(struct dma_chan *chan) {
// ... code that uses chan->local without checking if it's NULL
free_percpu(chan->local); // Potential NULL pointer dereference
}
Problem: If the registration failed earlier, chan->local is NULL. Freeing or accessing it here crashes the kernel.
The maintainers added a simple, crucial check at the start
void __dma_async_device_channel_unregister(struct dma_chan *chan) {
if (!chan->local)
return; // Don't try to unregister if the local data isn't allocated
// ... safe to continue
free_percpu(chan->local);
}
Now, if registration failed (chan->local == NULL), unregistration is immediately skipped, preventing any crashes.
How to Check or Patch Your Kernel
Patched kernels: The fix has been merged into mainline and stable Linux branches as of early 2024.
Check your kernel source: Look for the updated __dma_async_device_channel_unregister function.
- Update your system: If you run a Linux distro (especially on servers or embedded systems), make sure you’re running a kernel from after January 2024 with the relevant stable updates.
Proof of Concept & Exploit Potential
While this bug is a local denial-of-service (DoS) rather than a privilege escalation or remote exploit, a user with access to DMA APIs could intentionally provoke the condition:
Example Steps
1. Write a kernel module or driver that registers a DMA channel and forces registration to fail (simulate lack of memory).
Subsequently call unregistration code, leading to a NULL pointer dereference and system crash.
*Note*: Kernel panics from such bugs are disruptive, making such vulnerabilities high-priority for stability.
Original Patch on kernel.org:
dmaengine: fix NULL pointer in channel unregistration function
CVE Details Page:
Linux changelog with patch discussion:
Timeline
Published on: 03/11/2024 18:15:16 UTC
Last modified on: 11/06/2024 19:35:03 UTC