A memory-leak vulnerability has been resolved in the Linux kernel's SCSI subsystem, specifically in the qedf driver's qedf_alloc_and_init_sb() function. This post details the vulnerability, tracked as CVE-2024-56748, with code snippets, links to the original references, and an explanation of how the bug arises, what its impact is, and how the fix mitigates it.

Vulnerability details

The vulnerability lies in the qedf driver (the QLogic FastLinQ FCoE offload driver) in the Linux kernel's SCSI subsystem. In qedf_alloc_and_init_sb(), a status block is allocated in DMA memory (sb_virt) and then handed to the qed_ops->common->sb_init hook, which points to qed_sb_init. If that call fails, the function takes its error path without releasing sb_virt. Each such failure therefore leaks DMA memory; repeated failures can exhaust system memory, starving the system of resources and potentially causing a crash or other unintended behaviour.

Here's a code snippet of the affected part of the qedf_alloc_and_init_sb() function:

static int qedf_alloc_and_init_sb(struct qedf_ctx *qedf, u16 num_sb)
{
        ...
        /* sb_virt/sb_phys were obtained from dma_alloc_coherent() earlier */
        rc = qed_ops->common->sb_init(&qedf->cdev, qedf->sb_info[index].sb_virt,
                                      qedf->sb_info[index].sb_phys,
                                      qedf->sb_info[index].hw_sb);
        if (rc) {
                QEDF_ERR(&(qedf->dbg_ctx), "Failed to initialize SB\n");
                goto err_out;   /* bug: sb_virt is never freed on this path */
        }
        ...
err_out:
        ...
}

Fix details

The fix adds a dma_free_coherent() call that releases the DMA memory when qed_sb_init fails. The same pattern is already used in the related functions qedr_alloc_mem_sb() and qede_alloc_mem_sb(). With the fix applied, the snippet looks like this:

static int qedf_alloc_and_init_sb(struct qedf_ctx *qedf, u16 num_sb)
{
        ...
        rc = qed_ops->common->sb_init(&qedf->cdev, qedf->sb_info[index].sb_virt,
                                      qedf->sb_info[index].sb_phys,
                                      qedf->sb_info[index].hw_sb);
        if (rc) {
                QEDF_ERR(&(qedf->dbg_ctx), "Failed to initialize SB\n");
                /* release the status block allocated earlier; sizeof(*sb_virt)
                 * is the size that was passed to dma_alloc_coherent() */
                dma_free_coherent(&qedf->pdev->dev, sizeof(*sb_virt),
                                  qedf->sb_info[index].sb_virt,
                                  qedf->sb_info[index].sb_phys);
                goto err_out;
        }
        ...
err_out:
        ...
}
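To make the defect and the fix concrete, here is an added userspace model of the allocate-then-initialize pattern (example code written for this post, not kernel code): dma_alloc_coherent(), dma_free_coherent() and sb_init() are stand-ins that count outstanding buffers and let the init hook be forced to fail, and leaked_after() drives the leaky and fixed variants through repeated failing calls so the leak can be measured.

```c
/* Constructed userspace model of the qedf_alloc_and_init_sb() error path (added example,
 * not kernel code). dma_*_coherent() and sb_init() are stand-ins that count outstanding
 * buffers and let the init hook be forced to fail, so the leak becomes observable. */
#include <stdlib.h>
#include <stdint.h>
#include <errno.h>
struct status_block { unsigned char raw[64]; };  /* placeholder for the HW status block */
struct sb_info { struct status_block *sb_virt; unsigned long long sb_phys; };
static int dma_outstanding;       /* coherent buffers allocated but never freed */
static int sb_init_should_fail;   /* test knob: make the init hook return an error */
static void *dma_alloc_coherent(size_t size, unsigned long long *phys)
{
	void *p = calloc(1, size);
	if (p) { dma_outstanding++; *phys = (unsigned long long)(uintptr_t)p; }
	return p;
}
static void dma_free_coherent(void *virt) { free(virt); dma_outstanding--; }
/* stand-in for the qed_ops->common->sb_init hook (qed_sb_init) */
static int sb_init(struct status_block *v) { (void)v; return sb_init_should_fail ? -EIO : 0; }
/* Before the fix: on sb_init() failure the function bails out and sb_virt is never freed. */
static int alloc_and_init_sb_leaky(struct sb_info *sb)
{
	sb->sb_virt = dma_alloc_coherent(sizeof(*sb->sb_virt), &sb->sb_phys);
	if (!sb->sb_virt) return -ENOMEM;
	if (sb_init(sb->sb_virt))
		return -EIO;    /* leak: the coherent buffer is still allocated */
	return 0;
}
/* After the fix: the error path releases the buffer before returning. */
static int alloc_and_init_sb_fixed(struct sb_info *sb)
{
	sb->sb_virt = dma_alloc_coherent(sizeof(*sb->sb_virt), &sb->sb_phys);
	if (!sb->sb_virt) return -ENOMEM;
	int rc = sb_init(sb->sb_virt);
	if (rc) {
		dma_free_coherent(sb->sb_virt);
		sb->sb_virt = NULL;   /* leave no dangling pointer for the caller */
	}
	return rc;
}
/* Drive one variant through N failing init attempts; return buffers still outstanding. */
static int leaked_after(int (*fn)(struct sb_info *), int attempts)
{
	struct sb_info sb = { 0 };
	dma_outstanding = 0; sb_init_should_fail = 1;
	for (int i = 0; i < attempts; i++)
		fn(&sb);
	return dma_outstanding;
}
```

With five forced failures the leaky variant leaves five buffers outstanding while the fixed variant leaves none, which is the behavioural difference the patch introduces.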

To further investigate this issue and the fix, you can refer to the following resources:

1. Linux kernel Git repository commit for the fix: link
2. Official Linux Kernel Mailing List announcement: link
3. Official CVE description: link

In conclusion, the vulnerability CVE-2024-56748 in the Linux kernel's SCSI subsystem has been addressed by an appropriate fix. The update ensures that the DMA memory is released when the qed_sb_init function fails, preventing the potential memory leak and its associated security risks. Users are encouraged to apply the patch as soon as possible to maintain the integrity and stability of their systems.

Timeline

Published on: 12/29/2024 12:15:08 UTC
Last modified on: 01/06/2025 17:07:33 UTC