CVE-2024-36925 - Linux Kernel Vulnerability Resolved: SWIOTLB Initialisation for Restricted Pool when SWIOTLB_DYNAMIC=y

A vulnerability in the Linux kernel has been resolved that affects systems using restricted DMA pools (CONFIG_DMA_RESTRICTED_POOL=y) in conjunction with dynamic SWIOTLB (CONFIG_SWIOTLB_DYNAMIC=y). The issue is related to the initialisation of the restricted pool list_head while SWIOTLB_DYNAMIC=y, leading to a crash during boot-time.

The following kernel oops, as quoted in the report, shows the crash that occurs when the restricted pools are initialised at boot time:

  | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
  | Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
  | pc : rmem_swiotlb_device_init+0xfc/0x1ec
  | lr : rmem_swiotlb_device_init+0xf0/0x1ec
  | Call trace:
  |  rmem_swiotlb_device_init+0xfc/0x1ec
  |  of_reserved_mem_device_init_by_idx+0x18c/0x238
  |  of_dma_configure_id+0x31c/0x33c
  |  platform_dma_configure+0x34/0x80

Further analysis with addr2line located the crash in the list validation code:

  include/linux/list.h:83
  include/linux/rculist.h:79
  include/linux/rculist.h:106
  kernel/dma/swiotlb.c:306
  kernel/dma/swiotlb.c:1695

This issue arises because add_mem_pool() calls list_add_rcu() on 'mem->pools' while that list_head has never been initialised: its next/prev pointers are still NULL, so the list code dereferences a NULL pointer and the kernel crashes.

The fix for this vulnerability involves initialising the 'mem->pools' list_head in the rmem_swiotlb_device_init() function before calling add_mem_pool().
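To make the failure and the fix concrete, here is an added userspace model of the bug; it is not the kernel's code. The struct and function names mirror kernel/dma/swiotlb.c but are simplified stand-ins, and the list validation reports the uninitialised head instead of faulting.

```c
#include <stdlib.h>

struct list_head { struct list_head *next, *prev; };
/* Hypothetical stand-ins for the kernel's io_tlb_pool / io_tlb_mem. */
struct io_tlb_pool { struct list_head node; unsigned long nslabs; };
struct io_tlb_mem  { struct list_head pools; unsigned long nslabs; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }

/* Models list_add_rcu() with the kernel's list validation: both read
 * next->prev, where next == head->next.  A kzalloc'd, never-initialised
 * head has next == NULL, so that read hits NULL + 8 (offset of 'prev' on
 * a 64-bit kernel): the fault address in the oops above.  Detected here. */
static int list_add_checked(struct list_head *new, struct list_head *head)
{
    struct list_head *next = head->next;
    if (next == NULL || head->prev == NULL || next->prev != head)
        return -1;              /* kernel: NULL deref / list corruption */
    next->prev = new; new->next = next;
    new->prev = head; head->next = new;
    return 0;
}

static int add_mem_pool(struct io_tlb_mem *mem, struct io_tlb_pool *pool)
{
    if (list_add_checked(&pool->node, &mem->pools))
        return -1;
    mem->nslabs += pool->nslabs;
    return 0;
}

/* The restricted-pool setup path as modelled here.  'fixed' selects whether
 * mem->pools is initialised before add_mem_pool(), which is what the patch
 * adds.  Returns -1 where the kernel would oops, else the slabs registered. */
static int rmem_swiotlb_device_init(int fixed)
{
    struct io_tlb_mem *mem = calloc(1, sizeof(*mem));    /* like kzalloc */
    struct io_tlb_pool *pool = calloc(1, sizeof(*pool));
    int ret = -1;
    if (mem && pool) {
        pool->nslabs = 128;                               /* constructed */
        if (fixed)
            INIT_LIST_HEAD(&mem->pools);                  /* the fix */
        if (add_mem_pool(mem, pool) == 0)
            ret = (int)mem->nslabs;
    }
    free(pool); free(mem);
    return ret;
}
```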

For more details regarding this vulnerability and the steps undertaken to resolve it, you can refer to the original references below:

- Linux Kernel Mailing List - Patch Resolving CVE-2024-36925
- Linux Kernel Git Commit - Resolving CVE-2024-36925

In conclusion, CVE-2024-36925 demonstrates a vulnerability in the Linux kernel when using restricted DMA pools together with dynamic SWIOTLB. The issue can lead to a crash at boot-time and is caused by a NULL pointer dereference while attempting to access the 'mem->pools'. The fix addresses this issue by initialising the list_head for 'mem->pools' in the appropriate function before calling add_mem_pool(). Make sure to update the Linux kernel to a patched version that addresses this vulnerability to keep your system secure.

Timeline

Published on: 05/30/2024 16:15:15 UTC
Last modified on: 06/10/2024 19:21:01 UTC