CVE-2024-39478 - How a Linux Kernel Bug in starfive’s Crypto Could Crash Systems
A recent vulnerability, CVE-2024-39478, was discovered and resolved in the Linux kernel. This issue appeared within the “starfive” crypto driver, affecting how certain memory buffers used for RSA cryptography were handled. Let’s break down what happened, why it mattered, how the patch works, and how this could have been exploited.
The Vulnerability Explained
Area Affected:
The vulnerability lies in the Linux kernel’s starfive crypto driver. It occurred when handling variable length RSA text data that was placed on the stack.
What Went Wrong?
Developers coded the driver to allocate a data buffer for cryptography right on the function’s stack. That’s fine. But after using the buffer, they called kfree() on it—and that is dangerous. kfree() is designed to free memory that was dynamically allocated (using kmalloc or similar), NOT memory from the stack. Doing so causes undefined behavior. Sometimes, it might just crash a process, but it could also trigger deeper system instabilities or security issues.
Here’s a simplified and adapted version to show what might go wrong
void do_rsa_crypto(struct starfive_device *dev, size_t len) {
// BAD: This buffer is on the stack!
unsigned char buffer[4096]; // Variable length in actual code
// ... do crypto operations on buffer ...
// INCORRECT: Trying to free stack memory!
kfree(buffer); // This is a critical bug.
}
The correct approach is to never call kfree() (or any “free” function) on stack-allocated buffers. They’re automatically cleaned up when the function finishes.
Corrupt memory, leading to unpredictably broken systems
- Open the door for attackers to manipulate kernel state (although in this case, exploitation appears tricky and very luck-based)
How Might This Be Exploited?
While stack memory errors are often reliability problems, sometimes they can be security issues—especially in privileged code like the kernel. For instance:
- Stack Corruption: If an attacker could influence the length or content of the buffer, the cleanup phase might smash the stack, potentially overwriting critical return addresses or other data.
- Privilege Escalation: In theory, by causing careful corruption, an attacker could execute arbitrary code as the kernel.
However, in the CVE’s current disclosure, there are no known practical exploits, and this looks more like a reliability/stability bug (DoS - Denial of Service). Still, it’s wise to patch quickly.
The Fix
The Patch:
Remove the kfree() call for stack buffers!
void do_rsa_crypto(struct starfive_device *dev, size_t len) {
unsigned char buffer[4096]; // Stack buffer
// ... crypto ops ...
// FIX: Do NOT free the stack buffer.
// kfree(buffer); <-- removed
}
Patch commit reference (kernel.org)
References
- CVE-2024-39478 - NVD Entry
- Linux kernel official patch
- starfive/crypto code on GitHub
Who Is At Risk?
- Linux systems running kernels with starfive crypto driver for certain RSA cryptography operations.
- Devices using these SoCs (System on Chips), e.g. embedded ARM boards.
Update your kernel: Ensure you’re running a version with this fix.
- Watch for vendor advisories: Many Linux distributions (Debian, Ubuntu, Fedora) will roll out downstream patches in a matter of days.
- Audit similar code: If you work on driver or kernel code, double-check stack and heap buffer statements. Never free what you didn’t explicitly allocate.
TL;DR
CVE-2024-39478 was a serious bug that could cause kernel memory corruption. Never call kfree() on stack variables, and make sure your systems pull in this kernel patch as soon as possible to stay safe.
If you want to learn more, follow Linux kernel security mailing lists or check your distro’s advisories for updates. As always—keep your systems updated!
Timeline
Published on: 07/05/2024 07:15:10 UTC
Last modified on: 07/15/2024 06:50:13 UTC