CVE-2024-26975: Fixing a NULL Pointer Dereference in Linux Kernel's Powercap Module

CVE-2024-26975 is a NULL pointer dereference in the Linux kernel's powercap intel_rapl code. This post explains how the dereference is reached, walks through the sanity check that fixes it, shows the shape of the check in code, and links to the upstream references for readers who want the full patch.

Vulnerability Details

The vulnerability is specific to the powercap intel_rapl code, which exposes Intel RAPL (Running Average Power Limit) energy counters and power limits through the powercap sysfs interface. A NULL pointer dereference is triggered when the MMIO RAPL driver is probed on a platform whose CPU model is not listed in the intel_rapl_common CPU model table.

The root cause is that intel_rapl_common keeps probing on such platforms instead of bailing out. Its MSR-interface defaults, 'defaults_msr', are only populated when the CPU model matches the table, and the MMIO interface shares those defaults because it uses the same register layout as the MSRs. On an unlisted model defaults_msr stays NULL, so the MMIO RAPL package's rp->priv->defaults pointer is NULL when the package is registered with the RAPL framework, and the first use of that pointer is the NULL pointer dereference.

Exploit Details

The practical impact is denial of service. The dereference happens in kernel context while the driver probes, so the result is a kernel oops (and a full system crash if panic_on_oops is set) rather than the failure of a single user-space process; at minimum the RAPL power-management functionality is unavailable on the affected machine. The condition is reached by probing the MMIO RAPL driver on a platform whose CPU model is absent from the table; nothing in the fix or its description points to an outcome beyond a crash or unexpected behaviour when the NULL pointer is accessed.

Fix Details

The fix adds a sanity check so that a package whose rp->priv->defaults pointer is NULL is never registered: the probe fails with -ENODEV instead of continuing. Below is a code snippet illustrating the shape of this check (see the upstream commit for the exact hunk and its location):

    if (!rp->priv->defaults) {
        pr_err("Invalid RAPL defaults, not probing MMIO RAPL\n");
        return -ENODEV;
    }

With the check in place, the MMIO RAPL probe fails cleanly on unsupported CPU models instead of registering a package with a NULL defaults pointer, so the dereference can no longer be reached and the system stays up. Note that the check must run before anything reads through rp->priv->defaults; a check placed after the first use would be too late.
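The interface-selection logic described in the vulnerability details above, together with the check described in this fix section, as an added user-space example in C that is not the kernel's code: the struct layouts, the CPU model table and its model numbers, the energy-unit values, and the function names rapl_init_model, rapl_config_unchecked, rapl_config_checked, rapl_dram_energy_unit, rapl_probe_model and rapl_probe_leaves_null_defaults are all constructed stand-ins chosen to mirror the roles in intel_rapl_common, not its real definitions. It shows that on a model missing from the table the unchecked path reports success while leaving rp->priv->defaults NULL, that the checked path returns -ENODEV instead, and that the TPMI interface is unaffected because it carries its own defaults.

```c
/* Added example, not kernel code: a user-space model of how intel_rapl_common
 * picks per-interface defaults, why MMIO inherits a NULL pointer on an unlisted
 * CPU model, and the sanity check that stops it. All names and values below
 * are constructed stand-ins for the kernel's. */
#include <errno.h>
#include <stdio.h>

enum rapl_if_type { RAPL_IF_MSR, RAPL_IF_MMIO, RAPL_IF_TPMI };

struct rapl_defaults {
	unsigned int dram_energy_unit;	/* constructed value; the kernel has more */
};

struct rapl_if_priv {
	enum rapl_if_type type;
	const struct rapl_defaults *defaults;	/* the kernel's rp->priv->defaults */
};

struct rapl_package { struct rapl_if_priv *priv; };

static const struct rapl_defaults defaults_msr_listed = { 15300 };
static const struct rapl_defaults defaults_tpmi = { 61000 };

/* Hypothetical stand-in for the CPU model table rapl_init() matches against. */
static const struct {
	unsigned int model;
	const struct rapl_defaults *defaults;
} rapl_ids[] = {
	{ 0x8f, &defaults_msr_listed },	/* constructed model numbers */
	{ 0x9e, &defaults_msr_listed },
};

/* Mirrors the kernel global: populated only when the CPU model matched. */
static const struct rapl_defaults *defaults_msr;

/* Model of rapl_init(): it does not fail on an unlisted model, it just leaves
 * defaults_msr NULL and lets the interface drivers probe anyway. */
void rapl_init_model(unsigned int cpu_model)
{
	size_t i;

	defaults_msr = NULL;
	for (i = 0; i < sizeof(rapl_ids) / sizeof(rapl_ids[0]); i++)
		if (rapl_ids[i].model == cpu_model)
			defaults_msr = rapl_ids[i].defaults;
}

/* Pre-fix shape: pick a defaults table per interface and trust it. */
int rapl_config_unchecked(struct rapl_package *rp)
{
	switch (rp->priv->type) {
	case RAPL_IF_MMIO:	/* MMIO shares the MSR register layout and defaults */
	case RAPL_IF_MSR:
		rp->priv->defaults = defaults_msr;
		break;
	case RAPL_IF_TPMI:
		rp->priv->defaults = &defaults_tpmi;
		break;
	default:
		return -EINVAL;
	}
	return 0;
}

/* Fixed shape: refuse to continue when the selected defaults are NULL. */
int rapl_config_checked(struct rapl_package *rp)
{
	int ret = rapl_config_unchecked(rp);

	if (ret)
		return ret;
	if (!rp->priv->defaults) {
		fprintf(stderr, "Invalid RAPL defaults, not probing interface %d\n",
			(int)rp->priv->type);
		return -ENODEV;
	}
	return 0;
}

/* Stand-in for the registration code that dereferences rp->priv->defaults;
 * only safe once rapl_config_checked() has returned 0. */
unsigned int rapl_dram_energy_unit(const struct rapl_package *rp)
{
	return rp->priv->defaults->dram_energy_unit;
}

/* One simulated probe: config result for the given CPU model, interface and
 * code path (hardened = 1 runs the checked version). */
int rapl_probe_model(unsigned int cpu_model, enum rapl_if_type type, int hardened)
{
	struct rapl_if_priv priv = { type, NULL };
	struct rapl_package rp = { &priv };

	rapl_init_model(cpu_model);
	return hardened ? rapl_config_checked(&rp) : rapl_config_unchecked(&rp);
}

/* 1 if the unchecked path reports success yet leaves defaults NULL: the state
 * in which the next dereference becomes the oops. */
int rapl_probe_leaves_null_defaults(unsigned int cpu_model, enum rapl_if_type type)
{
	struct rapl_if_priv priv = { type, NULL };
	struct rapl_package rp = { &priv };

	rapl_init_model(cpu_model);
	return rapl_config_unchecked(&rp) == 0 && rp.priv->defaults == NULL;
}
```

The point of the two probe helpers is the contrast: rapl_probe_model(0x1234, RAPL_IF_MMIO, 0) returns 0 even though the package has no defaults, which is exactly the "success" the pre-fix kernel reported before crashing on the next access, while the hardened call returns -ENODEV. Placing the check where the defaults pointer is selected, rather than at each use site, keeps the invariant in one spot.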

Linux kernel git commit for the fix

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a53872bf4d2a21cf6ef81d845c7b124073d31e7d

Linux kernel mailing list discussion about the patch

https://lore.kernel.org/lkml/1621943834-3319-1-git-send-email-hdanton@sina.com/

Conclusion

In summary, CVE-2024-26975 in the Linux kernel's powercap intel_rapl code has been resolved by adding a sanity check that fails the probe with -ENODEV whenever rp->priv->defaults is NULL, so the MMIO RAPL driver no longer dereferences a NULL pointer on CPU models absent from the intel_rapl_common table. Affected systems should be updated to a kernel that carries the fix to avoid the resulting oops and loss of power-management functionality.

Timeline

Published on: 05/01/2024 06:15:14 UTC
Last modified on: 05/29/2024 05:26:14 UTC