CVE-2024-26618 - Critical Linux Kernel Vulnerability Resolved: arm64/sme Storage Allocation Issue

Recently, a critical vulnerability, identified as CVE-2024-26618, has been discovered and resolved in the Linux kernel. This vulnerability pertains to the arm64/sme storage allocation and, if left unaddressed, may lead to leakage of existing storage and corrupt state. In this blog post, we will discuss the technical details of the vulnerability, its potential impact, and the steps that have been taken to mitigate the issue.

Vulnerability Details

The vulnerability specifically affects the arm64/sme subsystem in the Linux kernel. The problematic behavior is caused due to the improper handling of the storage allocation in sme_alloc() function. When sme_alloc() is called with existing storage and not flushing, new storage will always be allocated, which results in both leaking the existing storage and corrupting the state.

The solution implemented separates the checks for flushing and existing storage, similar to how it is done for the SVE-related allocations.

The original snippet of the code from the sme_alloc() function can be seen below

if (!sme->vec || sme_is_flushing()) {
    sme->vec = kmalloc(sme->bufsize, GFP_KERNEL);
    flush_enabled = true;
}

As can be observed, the function will allocate new storage even if there is existing storage, assuming the context is not flushing.

The following proposed change fixes the vulnerability by separating the check for existing storage and flushing:

if (!sme->vec) {
    sme->vec = kmalloc(sme->bufsize, GFP_KERNEL);
} else if (sme_is_flushing()) {
    flush_enabled = true;
}

Now, the function will only allocate new storage if there is no existing storage available.

Exploit Details

The vulnerability in its current state may allow potential hackers to misuse the sme_alloc() function, leading to a memory leak and the possibility of corrupting kernel state. This could lead to instability, crashes, or provide a potential vector for further attacks.

The original patch for this vulnerability can be found here

https://lists.infradead.org/pipermail/linux-arm-kernel/2021-September/678269.html

Conclusion

It is important for Linux kernel developers and system administrators to pay close attention to the solution provided for CVE-2024-26618 and apply the necessary changes to their systems in order to secure them against potential future attacks exploiting this vulnerability. Callers that reallocate (e.g., due to changing the vector length) should call sme_free() themselves to ensure that the vulnerability is properly mitigated.

Timeline

Published on: 03/11/2024 18:15:19 UTC
Last modified on: 03/12/2024 12:40:13 UTC