Recently, a vulnerability within the Linux kernel was resolved, which is directly related to the bus - MHI (Modular Host Interface) host module. The solution to this problem involves dropping the channel lock before queuing buffers to prevent potential soft lockups. In this post, we will discuss the details of this vulnerability, how it is addressed in the Linux kernel, provide code snippets of the changes made, and offer links to the original references for further information.

Vulnerability Details

In the Linux kernel, there existed an issue where read and write locks for a channel could be taken in succession, leading to a potential soft lockup. The soft lockup could happen because a callback given to a client could possibly queue buffers and acquire the write lock in the process, causing the read lock to be taken as well.

To prevent such issues, a patch was submitted to the Linux community, which changed the behavior of the MHI host, ensuring that read and write locks are not taken in succession. This was done by dropping the read lock from the parse_xfer_event() function, ensuring that any queuing of buffers should be done without the channel read lock acquired.

The changes made in the patch to address this vulnerability can be seen below

-	/* Process completion event */
-	ret = parse_xfer_event(chan, evt);
-	if (ret) {
-		dev_err(mhi_dev, "Failed to parse event for chan%u ret %d\n",
-			chan->ch_id, ret);
+	if (chan->read_completion) {
+		/* Process completion event */
+		ret = parse_xfer_event(chan, evt);
+		if (ret) {
+			dev_err(mhi_dev, "Failed to parse event for chan%u ret %d\n",
+				chan->ch_id, ret);
		}
+	} else {
+		spin_unlock(&chan->lock);
+		/* Process completion event */
+		ret = parse_xfer_event(chan, evt);
+		spin_lock(&chan->lock);
+		if (ret) {
+			spin_unlock(&chan->lock);
+			dev_err(mhi_dev, "Failed to parse event for chan%u ret %d\n",
+				chan->ch_id, ret);

Original References

1. Linux kernel patch submission by David Collins (https://lore.kernel.org/linux-arm-msm/20220811120341.10402-1-dcollins@codeaurora.org/)
2. Linux kernel commit addressing the issue (https://github.com/torvalds/linux/commit/937a99b6ecdb7d5c94de08f55a14b16ac9f1c79a)
3. Manivannan Sadhasivam's addition of fixes tag and CC'ing stable (https://lore.kernel.org/linux-arm-msm/20220811122701.GC925290@codeaurora.org/)

Conclusion

To sum up, CVE-2023-52493 is a vulnerability in the Linux kernel, which could have potentially led to soft lockups due to read and write locks being taken in succession. The vulnerability was resolved by ensuring that the read lock is dropped before queuing buffers, allowing the client callbacks to acquire the write lock safely. As a result, the Linux kernel is now more stable and robust than before, ensuring users do not face any issues related to this vulnerability.

Timeline

Published on: 03/11/2024 18:15:16 UTC
Last modified on: 06/25/2024 22:15:15 UTC