CVE-2024-44971 - Fixing Linux Kernel Memory Leak in bcm_sf2_mdio_register()

Recently, a vulnerability (CVE-2024-44971) within the Linux kernel has come to light. It is related to memory leaks in the bcm_sf2_mdio_register() function, which is part of the Broadcom Switch Fabric driver (bcm_sf2.c) in the Linux kernel. This post will discuss the vulnerability, go over the exploit details, and provide a code snippet illustrating the solution.

Background

The Linux kernel contains various device drivers to support a range of hardware devices, including networking chips. Broadcom is a prominent manufacturer of these networking chips, and their Switch Fabric driver is among the drivers included in the Linux kernel.

Vulnerability

The vulnerability exists in the net: dsa: bcm_sf2: bcm_sf2_mdio_register() function, which is responsible for registering and removing PHY devices (physical layer transceivers) during system initialization.

The original code would call the of_phy_find_device() function, followed by the phy_device_remove() function in a loop to find and remove existing PHY devices. The of_phy_find_device() function internally calls the bus_find_device() function, which increments the refcount (reference count) of the returned struct device.

However, the original implementation did not decrement the refcount, causing a memory leak during this process. This would only happen when multiple PHY devices are being registered and removed.

Exploit Details

An attacker could potentially exploit this memory leak to exhaust system memory and cause a denial-of-service (DoS) condition. The attacker would need access to the kernel and a specific configuration of the system which includes the leaking devices. In such a scenario, the attacker could repeatedly trigger the function, causing the memory leak, and ultimately exhaust system memory.

Resolution

To fix this vulnerability, the Linux kernel developers added a missing call to phy_device_free() function to decrement the refcount within the loop, balancing the refcount and preventing memory leak.

Code Snippet

static int bcm_sf2_mdio_register(struct bcm_sf2_priv *priv, int master_mii_bus)
{
    ...
    list_for_each_entry(np, &ds->dn->child, sibling) {
        ...
        phy = of_phy_find_device(np);
        ...
        if (ret != -EPROBE_DEFER && !IS_ERR(phy)) {
            /* Remove this PHY device to force its
             * re-registration with fixed PHY ID
             */
            phy_device_remove(phy);
            phy_device_free(phy); // <-- This line was added to fix the memory leak issue
        }
    }
    ...
}

Conclusion

This vulnerability highlights the importance of proper resource management in software development. Developers should be diligent in managing resource allocation and deallocation to avoid potential memory leaks. The Linux kernel community has fixed this issue in the upstream kernel, and the patches have been applied to various Linux distributions.

Original References

- Linux Kernel git commit
- Broadcom Switch Fabric driver documentation
- phy_device_free() function documentation

Timeline

Published on: 09/04/2024 19:15:31 UTC
Last modified on: 09/05/2024 17:54:36 UTC