CVE-2024-57804 tracks a bug in the Linux kernel's SCSI mpi3mr driver: configuration pages are corrupted when a PHY's state is switched through sysfs.
In this long-read post, we'll cover what the bug means, a simplified code sketch of the issue, and links to the original references along with what is known about exploitation. By the end of this post, you should have a solid understanding of this vulnerability and the risk it poses to your Linux system.
What is SCSI MPI3MR?
SCSI (Small Computer System Interface) is a standard for connecting and transferring data between computers and storage devices such as hard disks, tape drives and optical drives. The Linux kernel contains many SCSI drivers, and one of them is mpi3mr.
mpi3mr is Broadcom's driver for storage controllers that speak version 3 of the Message Passing Interface (MPI3), the tri-mode SAS/SATA/NVMe host bus adapters and RAID controllers. The driver talks to the controller firmware through request and reply messages; among them are configuration page requests, which read and write tables of controller settings such as the state of each SAS PHY. The driver registers with the kernel's SAS transport class, which is what exposes those PHYs under /sys/class/sas_phy.
The Vulnerability
The driver registers a phy_enable callback with the SAS transport class, which the kernel exposes as the enable attribute of each PHY under /sys/class/sas_phy (writable only by root). Writing 0 or 1 there makes the driver read the controller's SAS IO Unit or SAS Expander configuration page, flip the PHY's disable flag, and write the page back. When several PHYs are disabled and enabled in rapid succession, those requests overlap inside the driver, and the persistent and current copies of the affected config pages can end up corrupted.
Here is a simplified sketch of the affected path. It is illustrative: the helper names are placeholders, not the driver's verbatim source, but the shape of the bug is the one the fix addresses.
/* Simplified sketch of the pre-fix path; illustrative, not the driver's
 * verbatim source. The SAS transport class invokes the driver's phy_enable
 * callback when a user writes to /sys/class/sas_phy/phy-*/enable. */
static int mpi3mr_phy_enable(struct sas_phy *phy, int enable)
{
	struct mpi3mr_ioc *mrioc = phy_to_ioc(phy);        /* per-controller state */
	struct mpi3_sas_io_unit_page1 *pg1 = mrioc->cfg_page; /* ONE buffer per controller */
	u8 n = phy->number;

	/* Read SAS IO Unit Page 1 from firmware into the shared buffer. */
	if (mpi3mr_cfg_read_page(mrioc, MPI3_CONFIG_PAGETYPE_SAS_IO_UNIT, 1,
				 MPI3_CONFIG_ACTION_READ_CURRENT))
		return -EIO;

	/* Modify this PHY's flags in place ... */
	if (enable)
		pg1->phy_data[n].phy_flags &= ~MPI3_SASIOUNIT1_PHY_FLAGS_PHY_DISABLE;
	else
		pg1->phy_data[n].phy_flags |= MPI3_SASIOUNIT1_PHY_FLAGS_PHY_DISABLE;

	/* ... and write the buffer back (current and persistent copies).
	 * A second writer that entered meanwhile has already overwritten
	 * mrioc->cfg_page with its own page read, so what is written back
	 * here may be another page's bytes with one bit flipped. */
	return mpi3mr_cfg_write_page(mrioc, MPI3_CONFIG_PAGETYPE_SAS_IO_UNIT, 1,
				     MPI3_CONFIG_ACTION_WRITE_CURRENT);
}
The sketch toggles one PHY based on user input. The problem is not the copy itself but where it copies to: every config request on a controller used the same buffer, and the read-modify-write of a page is not atomic. When two sysfs writers toggle PHYs in quick succession, the second writer's page read lands in the buffer while the first writer is still modifying what it believes is its own copy, so the bytes written back to the current and persistent SAS IO Unit/SAS Expander pages are a mixture of the two requests.
The Solution
The fix gives each config request its own memory instead of one buffer shared across the controller. A request then reads, modifies and writes back a page that no concurrent request can overwrite, so the copy into and out of the page buffer can no longer mix two requests' data.
To implement this solution, the Linux kernel developers have patched the issue in the following commit:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c757c64db2929a2b2829e6c4d4dbe61c7bbcc4c9
Exploit Details
As of now, there are no known public exploits targeting CVE-2024-57804. Note what triggering it takes: write access to a PHY's enable attribute in sysfs, which is root-only, so this is not a privilege-escalation vector for an unprivileged user. The impact is to integrity and availability: corrupted SAS IO Unit/SAS Expander pages can leave PHYs in the wrong state, and because persistent pages are stored by the controller, the damage is not necessarily undone by a reboot of the host. Users of mpi3mr-based controllers should update to a kernel containing the patch.
Conclusion
CVE-2024-57804 is worth understanding because it sits in a storage driver that many servers depend on. By using separate memory for each config request, the kernel developers removed the shared state that let concurrent PHY toggles corrupt each other's pages. Users should make sure their systems are up to date, and administrators who script PHY enable/disable on mpi3mr controllers should avoid rapid toggling until the fix is in place.
Timeline
Published on: 01/11/2025 13:15:30 UTC
Last modified on: 01/21/2025 10:55:23 UTC