In early 2024, security researchers identified a vulnerability in the Linux kernel's crypto subsystem, specifically the IAA (Intel Analytics Accelerator) driver. This bug, assigned CVE-2024-26945, could lead to a divide-by-zero error, potentially causing system crashes or denial of service. Here, I’ll walk you through what caused the bug, how it was fixed, and how this type of issue can be triggered or exploited.
What’s the Problem? (Technical Summary)
In the Linux kernel’s IAA support, device-to-CPU association gets calculated by dividing the number of CPUs (nr_cpus) by the number of IAA devices (nr_iaa). This is done through a variable called cpus_per_iaa. The problem? If there are more IAAs than CPUs, or if no IAAs at all, you wind up dividing by zero.
This triggers a classic divide-by-zero error, crashing the kernel thread running the code.
Core Vulnerable Code (Before the Fix)
Here’s a simplified look (based on upstream kernel code) of the broken logic in rebalance_wq_table():
int cpus_per_iaa = nr_cpus / nr_iaa; // PROBLEM: What if nr_iaa == or nr_cpus < nr_iaa?
If nr_iaa == : Division by zero.
- If nr_cpus < nr_iaa: Integer division returns zero, so result is zero, causing division that’s not meaningful and breaking the rebalancing logic.
The Fix
The maintainers patched this by checking both conditions. If there’s no IAA, or CPUs are less than IAAs, they set the number of CPUs per IAA to 1 (minimum safe number):
if (nr_iaa == || nr_cpus < nr_iaa)
cpus_per_iaa = 1;
else
cpus_per_iaa = nr_cpus / nr_iaa;
This guarantees there’s no division by zero, and the logic remains safe and predictable.
Exploit Details
This bug is a crash issue, not one that lets attacker run code, but still very dangerous. An attacker (with low privilege) could:
1. Craft IAA Device Map: By exposing the system to a configuration where nr_iaa is or nr_cpus < nr_iaa, they can trigger code paths using this value.
2. Trigger the Code: For example, through an artificial device setup (could be virtualized environments, driver injection, or deliberate hotplug combinations), causing kernel to hit the divide-by-zero and kernel panic.
3. Denial of Service: Once crashed, the server, VM, or embedded device would stop responding—requiring a manual reboot.
Proof-of-concept (PoC) for similar issues generally involves manipulating device tree or hotplug events, but privilege is required to manipulate hardware devices in most setups.
Example (PoC Idea)
Suppose you write a kernel module or tool that unplugs all IAA devices, then rapidly hotplugs more virtual IAAs than available CPUs. The next scheduler or crypto rebalance hits the code. The kernel crashes.
The official Linux patch (for reference)
- cpus_per_iaa = nr_cpus / nr_iaa;
+ if (nr_iaa == || nr_cpus < nr_iaa)
+ cpus_per_iaa = 1;
+ else
+ cpus_per_iaa = nr_cpus / nr_iaa;
(source)
Impact and Mitigations
- Systems Affected: Any Linux system using the IAA driver in the crypto subsystem (especially with dynamic CPU or IAA hotplug).
Exploitation: Local, privileged attackers (needs control over hardware configuration).
- Mitigation: Update to a kernel version after Feb 26, 2024 containing the above fix. Block untrusted users from plugging/unplugging hardware.
References
- Upstream Patch: Linux commit 1edccbb3a14e (github.com)
- CVE Record: CVE-2024-26945 (Check for details and updates)
- LKML Discussion: LKML Patch Thread
Conclusion
The CVE-2024-26945 vulnerability in Linux shows how easy it is for a simple calculation error (division by zero) in system code to become a critical stability risk. If you pick up anything from this, remember: always validate your numbers before you divide. Even modern OS code can make small mistakes with big consequences!
Timeline
Published on: 05/01/2024 06:15:10 UTC
Last modified on: 07/03/2024 01:50:05 UTC