CVE-2024-26814 - Resolved Linux Kernel Vulnerability: vfio/fsl-mc Blocking Interrupt Handler Without Trigger

A recently resolved vulnerability within the Linux kernel, specifically in the vfio/fsl-mc driver, has caught the attention of the cybersecurity community. This vulnerability, dubbed CVE-2024-26814, could have potentially allowed unauthorized users to improperly call an interrupt handler. This post delves into the details of this issue and provides the necessary information on how the vulnerability was mitigated to ensure Linux kernel security.

Vulnerability Details

The vulnerability resides in the vfio/fsl-mc driver within the Linux kernel, which is part of the vfio framework for managing device drivers. The eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object is initially set to NULL. It may become NULL again if the user sets the trigger eventfd to -1. The interrupt handler itself is guaranteed that the trigger is always valid between request_irq() and free_irq(). However, the loopback testing mechanisms invoking the handler function need to test the validity of the trigger.

Exploit Details

An exploit for this vulnerability would essentially involve a user attempting to call the interrupt handler when the eventfd_ctx trigger pointer is in an invalid state (NULL). If successful, this could potentially lead to a variety of undesirable outcomes, such as crashes, system instability, or other issues related to the incorrect handling of interrupts.

Resolution

In order to resolve this vulnerability and prevent the improper calling of the interrupt handler, the trigger was blocked when found to be in an invalid state (NULL). This was achieved by modifying the vfio/fsl-mc driver to ensure that the trigger is tested by the loopback testing mechanisms before the interrupt handler is invoked. It is worth noting that the vfio-fsl-mc driver does not make use of irqfds, nor does it support any masking operations, unlike vfio-pci and vfio-platform. This meant that the flow could remain essentially unchanged.

A relevant code snippet for this resolution can be found in the patch submitted to the Linux kernel

diff --git a/drivers/vfio/fsl-mc/vfio_fsl_mc_irq.c b/drivers/vfio/fsl-mc/vfio_fsl_mc_irq.c
index eee9d59..94aa2a4 100644
--- a/drivers/vfio/fsl-mc/vfio_fsl_mc_irq.c
+++ b/drivers/vfio/fsl-mc/vfio_fsl_mc_irq.c
@@ -55,6 +55,9 @@ static irqreturn_t vfio_fsl_mc_msi_set(int irq_index, void *arg)
 {
        struct vfio_fsl_mc_irq *mc_irq = arg;

+       if (!mc_irq->trigger)
+               return IRQ_NONE;
+
        eventfd_signal(mc_irq->trigger, 1);

        return IRQ_HANDLED;

Original References

- Linux Kernel Mailing List (LKML) Patch Submission: https://lkml.org/lkml/2024/7/10/279
- CVE-2024-26814 on NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-26814
- Linux Kernel Source: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a88468f6c381ad64e38b5d538846ee1f7c6a1e5

Conclusion

The Linux kernel vulnerability designated as CVE-2024-26814 has been resolved by blocking the calling of the interrupt handler without the proper trigger in the vfio/fsl-mc driver. This ensures the security and stability of the Linux kernel for all users by preventing the potential consequences associated with an improperly called interrupt handler. As a vigilant user, make sure that your environment is updated with the latest Linux kernel patches to secure your systems against such vulnerabilities.

Timeline

Published on: 04/05/2024 09:15:09 UTC
Last modified on: 06/25/2024 22:15:23 UTC