A vulnerability in the Linux kernel has been resolved that affects systems using restricted DMA pools (CONFIG_DMA_RESTRICTED_POOL=y) together with dynamic SWIOTLB (CONFIG_SWIOTLB_DYNAMIC=y). When SWIOTLB_DYNAMIC=y, the restricted pool's list_head was never initialised, which leads to a NULL pointer dereference and a crash during boot.
The kernel Oops reported at boot when the restricted pools are initialised looks like this:
| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
| Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
| pc : rmem_swiotlb_device_init+0xfc/0x1ec
| lr : rmem_swiotlb_device_init+0xf0/0x1ec
| Call trace:
|  rmem_swiotlb_device_init+0xfc/0x1ec
|  of_reserved_mem_device_init_by_idx+0x18c/0x238
|  of_dma_configure_id+0x31c/0x33c
|  platform_dma_configure+0x34/0x80
Resolving the faulting address with addr2line shows that the crash occurs in the list validation code, inlined into the swiotlb pool setup path:
include/linux/list.h:83
include/linux/rculist.h:79
include/linux/rculist.h:106
kernel/dma/swiotlb.c:306
kernel/dma/swiotlb.c:1695
The crash happens because add_mem_pool() calls list_add_rcu() on 'mem->pools' before that list_head has been initialised. The io_tlb_mem structure is zero-allocated, so 'mem->pools.next' is NULL instead of pointing back at the head; when the list insertion (or the list debug check in include/linux/list.h) follows that NULL 'next' pointer to touch its 'prev' field, it dereferences offset 8 of a NULL pointer, which matches the faulting virtual address 0x8 in the Oops. An all-zero list_head is not an empty list: an empty list must have both 'next' and 'prev' pointing at the head itself.
The fix initialises the 'mem->pools' list_head in rmem_swiotlb_device_init() before add_mem_pool() is called, so the first insertion finds a properly empty list.
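To make the cause of the fault concrete, here is a small user-space model written for this article; it is not kernel code and not the patch itself, and the struct names io_tlb_mem and io_tlb_pool are hypothetical stand-ins for the kernel's structures. It shows that a zero-filled list_head fails the same sanity check the kernel's list insertion performs (the model returns false where the kernel would fault), and that initialising the head first, as the fix does, lets pools be added normally:

```c
/*
 * Added illustration (user-space model, not kernel code): why a zeroed
 * list_head is not an initialised list_head, and why add_mem_pool()'s
 * list insertion faults on one.  io_tlb_mem / io_tlb_pool below are
 * hypothetical stand-ins for the kernel's structures.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct list_head {
	struct list_head *next, *prev;
};

struct io_tlb_pool {            /* stand-in for a swiotlb pool descriptor */
	int index;
	struct list_head node;
};

struct io_tlb_mem {             /* stand-in for the kernel's io_tlb_mem */
	unsigned long nslabs;
	struct list_head pools;     /* the list_head the fix initialises */
};

/* Same idea as the kernel's INIT_LIST_HEAD(): an empty list points at itself. */
static void init_list_head(struct list_head *list)
{
	list->next = list;
	list->prev = list;
}

/*
 * Mirrors the checks of the kernel's list-add validation: the head's
 * successor must point back at the head.  On a zeroed head, next is NULL,
 * so the kernel reads NULL->prev (offset 8 on a 64-bit build), the faulting
 * address in the Oops.  This model returns false instead of faulting.
 */
static bool list_add_valid(struct list_head *entry, struct list_head *prev,
			   struct list_head *next)
{
	if (prev == NULL || next == NULL)
		return false;               /* kernel would dereference NULL here */
	if (next->prev != prev || prev->next != next)
		return false;               /* list corruption */
	if (entry == prev || entry == next)
		return false;               /* double add */
	return true;
}

/* list_add() with the validity check made non-fatal; true on success. */
static bool list_add_checked(struct list_head *entry, struct list_head *head)
{
	struct list_head *next = head->next;

	if (!list_add_valid(entry, head, next))
		return false;
	next->prev = entry;
	entry->next = next;
	entry->prev = head;
	head->next = entry;
	return true;
}

static size_t list_count(const struct list_head *head)
{
	size_t n = 0;

	for (const struct list_head *p = head->next; p != head; p = p->next)
		n++;
	return n;
}

/* Buggy path: mem is zero-filled (as a zeroing allocator leaves it) but
 * mem->pools is never initialised, so the insertion cannot proceed. */
bool add_mem_pool_buggy(void)
{
	struct io_tlb_mem mem;
	struct io_tlb_pool pool = { .index = 0 };

	memset(&mem, 0, sizeof(mem));
	return list_add_checked(&pool.node, &mem.pools);   /* false */
}

/* Fixed path: initialise the list head first, then add npools (max 4)
 * pools; returns how many pools ended up on the list. */
size_t add_mem_pool_fixed(size_t npools)
{
	struct io_tlb_mem mem;
	struct io_tlb_pool pools[4];
	size_t added = 0;

	if (npools > 4)
		npools = 4;
	memset(&mem, 0, sizeof(mem));
	init_list_head(&mem.pools);                         /* the fix */
	for (size_t i = 0; i < npools; i++) {
		pools[i].index = (int)i;
		if (list_add_checked(&pools[i].node, &mem.pools))
			added++;
	}
	return added == npools ? list_count(&mem.pools) : 0;
}

int main(void)
{
	printf("zeroed head: add %s\n", add_mem_pool_buggy() ? "ok" : "refused");
	printf("initialised head: %zu pools on list\n", add_mem_pool_fixed(3));
	return 0;
}
```

The point the model makes is that zeroing memory does not produce a valid empty list; any list_head embedded in a zero-allocated structure must be explicitly initialised before the first insertion, which is exactly what the fix adds to rmem_swiotlb_device_init().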
For more details regarding this vulnerability and the steps undertaken to resolve it, you can refer to the original references below:
- Linux Kernel Mailing List - Patch Resolving CVE-2024-36925
- Linux Kernel Git Commit - Resolving CVE-2024-36925
In conclusion, CVE-2024-36925 is a Linux kernel bug triggered when restricted DMA pools are used together with dynamic SWIOTLB. It causes a NULL pointer dereference, and therefore a crash, at boot while 'mem->pools' is being set up. The fix initialises the list_head for 'mem->pools' in rmem_swiotlb_device_init() before add_mem_pool() is called. Update affected systems to a kernel version that includes this fix.
Timeline
Published on: 05/30/2024 16:15:15 UTC
Last modified on: 06/10/2024 19:21:01 UTC