CVE-2024-26977 - The Story of a Linux Kernel MMIO Mapping Leak (And How It Was Fixed)

## The Linux Kernel and Memory-Mapped I/O

Let’s start simple: The Linux kernel is the beating heart of most Linux systems. It manages everything from memory to devices like graphics cards, network cards, and beyond. Often, the kernel talks with these devices using something called MMIO (Memory-Mapped Input/Output). In regular words, the kernel gets a region of the computer’s memory to “talk directly” to devices.

This handy feature makes device access fast—but it also requires careful logic to map and unmap those memory areas! If you forget to unmap, you can accidentally lock away parts of system memory, leading to memory leaks and possibly bugs or security issues.

The Problem

In the kernel’s PCI code (the part that lets Linux communicate with PCI devices), there’s a function called pci_iounmap(). Its duty? To cleanly “unmap” memory regions (both for MMIO and for old-school I/O ports).

Here’s a snippet of the problematic code

#ifdef ARCH_HAS_GENERIC_IOPORT_MAP
void pci_iounmap(struct pci_dev *dev, void __iomem *addr)
{
    iounmap(addr);
}
#endif

What’s going on?

- The call to iounmap(addr) (responsible for releasing MMIO allocations) was protected by a control called #ifdef ARCH_HAS_GENERIC_IOPORT_MAP.
- If ARCH_HAS_GENERIC_IOPORT_MAP wasn’t set in your architecture, pci_iounmap() wouldn’t even call iounmap()!

That means: On many platforms, the allocated MMIO region was never unmapped—a memory leak.

Why Did This Happen?

The logic intended was:
- Only do special handling for I/O ports if the platform supports the generic mapping, but always unmap MMIO.
- Instead, the entire unmap function was guarded, so in some builds, MMIO regions were never cleaned up.

The Fix: Move the Guard!

The security patch here’s the official patch link fixed the bug by simply moving the guard:

Patched Code

void pci_iounmap(struct pci_dev *dev, void __iomem *addr)
{
#ifdef ARCH_HAS_GENERIC_IOPORT_MAP
    if (is_ioport(addr))
        arch_ioport_unmap(addr);
    else
#endif
        iounmap(addr);
}

What’s better about this?
- iounmap(addr); is always called for MMIO addresses, even if ARCH_HAS_GENERIC_IOPORT_MAP isn’t defined.

Exploit Details: What Could Go Wrong?

This isn’t your typical “remote code execution” bug. Instead, it’s a resource exhaustion issue.

Starve other drivers or applications, degrading real-world security and reliability.

It’s tricky to exploit deliberately, but in multi-tenant environments, or with custom kernel modules, it could become a denial-of-service vector.

PoC Exploit Skeleton (for educational use only)

#include <linux/pci.h>
#include <linux/io.h>

void leaky_func(struct pci_dev *dev)
{
    void __iomem *mmio;
    // Map a 4KB region (assuming BAR )
    mmio = pci_iomap(dev, , 4096);
    // Do something with mmio...

    // < NO PCI_IOUNMAP CALLED >
    // On vulnerable kernels, this leaks kernel mappings!
}

How to Stay Safe

Are you at risk?
- Most standard Linux distributions will have the fix (released March 2024+) in kernels 6.9 and above.

If you maintain custom or out-of-tree drivers, always remember to unmap when finished.

Upgrade or patch your kernel.
If you maintain a Linux system, check your kernel version. Here’s the commit in mainline.

References

- Official CVE record for CVE-2024-26977
- Linux Kernel Commit Fix
- lore.kernel.org patch discussion

Upgrade your kernel to stay safe!

Stay tuned for more kernel bug deep dives! 🐧👨‍💻

Timeline

Published on: 05/01/2024 06:15:14 UTC
Last modified on: 10/31/2024 16:35:11 UTC