CVE-2024-42282 - Linux Kernel Vulnerability Resolved in Mediatek's net_device Handling

The Linux kernel developers have recently addressed a vulnerability in the Mediatek network device handling, specifically dealing with potential NULL pointer dereferences. This post provides an in-depth explanation of the vulnerability, its solution, and the associated code changes.

Vulnerability Exploit Details

In the Linux kernel's codebase, a vulnerability has been identified in the Mediatek network driver's dummy net_device handling. The issue arises when the allocation of the dummy net_device fails in mtk_probe(). In that case eth->dummy_dev is still NULL, but the probe error path calls mtk_free_dev(), which in turn calls free_netdev() on that NULL pointer, leading to a NULL pointer dereference.

This bug can crash the kernel (a NULL pointer dereference in driver probe oopses the system) and, more generally, leaves the driver's cleanup path unsafe on allocation failure. The issue was found with Smatch, a static analysis tool for C code, and reported on the kernel mailing list [1].

Code Changes and Solution

To fix the vulnerability, the developers moved the freeing of the dummy net_device from the mtk_free_dev() function to the mtk_remove() function. Here's the original code snippet illustrating the issue:

static int mtk_probe(struct platform_device *pdev)
{
    int err;
    // ...

    // alloc_netdev_dummy() takes the private-data size; 0 here because
    // the dummy device carries no private data
    eth->dummy_dev = alloc_netdev_dummy(0);
    if (!eth->dummy_dev) {
        // Allocation failed: eth->dummy_dev is NULL at this point
        err = -ENOMEM;
        goto free_dev;
    }

    // ...
    return 0;

free_dev:
    // Before the fix, mtk_free_dev() called free_netdev(eth->dummy_dev),
    // which dereferences the NULL pointer when we arrive here from the
    // failed allocation above
    mtk_free_dev(eth);
    // ...
    return err;
}

The problematic piece of the code was the call to mtk_free_dev() in the error handling section. The solution involved moving the free_netdev() call to the mtk_remove() function, ensuring that it is only called when mtk_probe() has succeeded, and the dummy_dev is fully allocated.

Here's the modified code snippet with the fix applied:

diff --git a/net/mediatek/mtk_main.c b/net/mediatek/mtk_main.c
index xxxxxxx..xxxxxxx 100644
--- a/net/mediatek/mtk_main.c
+++ b/net/mediatek/mtk_main.c
@@ -484,6 +484,7 @@ static int mtk_remove(struct platform_device *pdev)
 {
 	struct mtk_eth *eth = platform_get_drvdata(pdev);

+	free_netdev(eth->dummy_dev);
 	mtk_free_dev(eth);
 	return ;
 }
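Review bot: the matching removal of free_netdev(eth->dummy_dev) from mtk_free_dev() is not part of this hunk, so as shown the remove path would free dummy_dev twice (once here, once inside mtk_free_dev() on the next line); the hunk that drops the call from mtk_free_dev() should land with this one. Also, `return ;` returns no value from a function whose header reads `static int mtk_remove(struct platform_device *pdev)`; with that return type it should be `return 0;`.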

With the fix in place, any potential NULL pointer dereferences should be avoided, ensuring that the kernel maintains stability and memory safety.
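To make the ordering concrete, here is a small userspace model of the before/after behaviour. It is an added example, not kernel code or the patch itself: the kernel's free_netdev() is replaced by a stand-in that counts calls with a NULL argument instead of crashing, and the constructed `fixed` flag on mtk_free_dev(), mtk_probe() and mtk_remove() selects whether dummy_dev is freed in mtk_free_dev() (before the fix) or in mtk_remove() (after it).

```c
/* Userspace model of the probe/remove ordering behind CVE-2024-42282 (constructed example). */
#include <stdlib.h>
#include <stdbool.h>

struct net_device { int ifindex; };                  /* stand-in for the kernel struct */
struct mtk_eth   { struct net_device *dummy_dev; };
static bool fail_dummy_alloc;   /* test knob: make alloc_netdev_dummy() return NULL */
static int  null_free_calls;    /* free_netdev(NULL) would oops in the real kernel */
static int  live_netdevs;       /* outstanding allocations, to catch leaks */

static struct net_device *alloc_netdev_dummy(int sizeof_priv)
{
    if (fail_dummy_alloc) return NULL;
    live_netdevs++;
    return calloc(1, sizeof(struct net_device) + sizeof_priv);
}
static void free_netdev(struct net_device *dev)
{
    if (!dev) { null_free_calls++; return; }         /* the real one dereferences dev */
    live_netdevs--;
    free(dev);
}
/* Before the fix mtk_free_dev() freed dummy_dev; after it, only mtk_remove() does. */
static void mtk_free_dev(struct mtk_eth *eth, bool fixed)
{
    if (!fixed) free_netdev(eth->dummy_dev);
}
static int mtk_probe(struct mtk_eth *eth, bool fixed)
{
    eth->dummy_dev = alloc_netdev_dummy(0);
    if (!eth->dummy_dev) {
        mtk_free_dev(eth, fixed);   /* error path runs with dummy_dev == NULL */
        return -12;                 /* -ENOMEM */
    }
    return 0;
}
static void mtk_remove(struct mtk_eth *eth, bool fixed)
{
    if (fixed) free_netdev(eth->dummy_dev);          /* only after a successful probe */
    mtk_free_dev(eth, fixed);
}
/* Run probe, then remove if probe succeeded; return how many NULL frees occurred. */
static int run_scenario(bool fixed, bool alloc_fails)
{
    struct mtk_eth eth = { 0 };
    fail_dummy_alloc = alloc_fails;
    null_free_calls = 0;
    if (mtk_probe(&eth, fixed) == 0) mtk_remove(&eth, fixed);
    return null_free_calls;
}
```

With the allocation forced to fail, the pre-fix layout produces exactly one free_netdev(NULL) call and the fixed layout none; with the allocation succeeding, both layouts free the device exactly once.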

Original References

For more details on the original vulnerability report and discussion, please refer to the following links:

1. Smatch mailing list discussing the identified vulnerability: https://lore.kernel.org/netdev/20211019013642.GA51392@elver-google.com/

This vulnerability fix is an essential step in improving the stability and security of the Linux kernel. Through the ongoing efforts of developers and researchers, we can continue to enhance the kernel's reliability and address security issues as they arise.

Timeline

Published on: 08/17/2024 09:15:09 UTC
Last modified on: 08/19/2024 19:53:45 UTC