In the Linux kernel, a vulnerability in the Advanced Linux Sound Architecture (ALSA) subsystem, specifically in the memalloc function, has recently been resolved. The issue becomes apparent when the CONFIG_DMA_API_DEBUG option is enabled, which produces a warning that the device driver failed to check map errors.

Vulnerability Details

The vulnerability lies in the improper handling of returned DMA addresses, which necessitates the use of the dma_mapping_error() function. As per the Linux Kernel Documentation (core-api/dma-api.rst), this function is designed for this exact purpose, ensuring that DMA mapping errors can be detected and managed properly.

Exploit

The issue becomes apparent when the kernel is running with CONFIG_DMA_API_DEBUG enabled, and the following warning message is observed in the output logs:

DMA-API: snd_hda_intel 000:03:00.1: device driver failed to check map error[device address=x00000000ffff000] [size=20480 bytes] [mapped as single]
WARNING: CPU: 28 PID: 2255 at kernel/dma/debug.c:1036 check_unmap+x1408/x243
CPU: 28 UID: 42 PID: 2255 Comm: wireplumber Tainted: G  W L  6.12.-10-133577cad6bf48e5a7848c4338124081393bfe8a+ #759
debug_dma_unmap_page+xe9/xf
snd_dma_wc_free+x85/x130 [snd_pcm]
snd_pcm_lib_free_pages+x1e3/x440 [snd_pcm]
snd_pcm_common_ioctl+x1c9a/x296 [snd_pcm]
snd_pcm_ioctl+x6a/xc [snd_pcm]
...

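Developers must use the dma_mapping_error() helper function on the returned DMA address; the helper works as shown below:

static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
{
    /* With CONFIG_DMA_API_DEBUG this records that the mapping was checked;
     * without it, the call is an empty stub. */
    debug_dma_mapping_error(dev, dma_addr);

    /* A failed mapping is reported as the DMA_MAPPING_ERROR sentinel. */
    if (unlikely(dma_addr == DMA_MAPPING_ERROR))
        return -ENOMEM;
    return 0;
}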

With this change implemented, the vulnerability should no longer be present, and the kernel can handle DMA mapping errors in a more secure manner.
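
The warning is raised at unmap time (check_unmap in the trace above) because, with CONFIG_DMA_API_DEBUG, the kernel tracks whether dma_mapping_error() was called for each mapping. The following user-space C model is an added example, not code from the kernel or from the fix commit; the model_* functions, the single tracked slot and the address 0x1000 are constructed for illustration.

```c
/* User-space model, constructed for illustration; not kernel code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t dma_addr_t;
#define DMA_MAPPING_ERROR (~(dma_addr_t)0)
enum map_err { MAP_ERR_NOT_CHECKED, MAP_ERR_CHECKED };
static struct { dma_addr_t addr; enum map_err state; int live; } ent; /* one slot */

/* Map: start tracking the address as "not yet checked". */
static dma_addr_t model_map_single(dma_addr_t addr)
{
    if (ent.live)
        return DMA_MAPPING_ERROR; /* slot busy: models a failed mapping */
    ent.addr = addr; ent.state = MAP_ERR_NOT_CHECKED; ent.live = 1;
    return addr;
}

/* Helper: marks the tracked mapping as checked, then tests the address. */
static int model_dma_mapping_error(dma_addr_t addr)
{
    if (ent.live && ent.addr == addr)
        ent.state = MAP_ERR_CHECKED;
    return addr == DMA_MAPPING_ERROR ? -ENOMEM : 0;
}

/* Unmap: returns 1 (a warning) if the helper was never called for this mapping. */
static int model_unmap_single(dma_addr_t addr)
{
    if (!ent.live || ent.addr != addr)
        return 0;
    ent.live = 0;
    return ent.state == MAP_ERR_NOT_CHECKED;
}

/* One map/unmap cycle; returns warnings raised, or -1 if the mapping failed. */
static int map_unmap_cycle(dma_addr_t addr, int use_helper)
{
    dma_addr_t a = model_map_single(addr);
    if (use_helper ? model_dma_mapping_error(a) != 0 : a == DMA_MAPPING_ERROR)
        return -1;
    return model_unmap_single(a);
}

int main(void)
{
    printf("warnings: by-hand compare=%d, helper=%d\n",
           map_unmap_cycle(0x1000, 0), map_unmap_cycle(0x1000, 1));
    return 0;
}
```

Both paths detect a failed mapping, but only the helper path updates the debug bookkeeping, so a driver that inspects the address by hand still triggers the warning on a mapping that succeeded.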

Original References

1. Linux Kernel Documentation - DMA-API: https://www.kernel.org/doc/html/latest/core-api/dma-api.html?highlight=dma_mapping_error
2. Kernel Git Commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=133577cad6bf48e5a7848c4338124081393bfe8a

In conclusion, the fix for the Linux kernel vulnerability CVE-2024-57800 addresses an issue within the ALSA memalloc function by ensuring proper use of the dma_mapping_error() function. This ensures that DMA mapping errors can be detected and managed in a more secure manner, preventing potential exploits. Please refer to the provided links and code snippets for further information on the issue and the solution that has been implemented.

Timeline

Published on: 01/11/2025 13:15:30 UTC
Last modified on: 01/20/2025 06:28:19 UTC