CVE-2024-53148 - Partial Mapping Flush Vulnerability in Linux Kernel’s Comedi Subsystem

A new vulnerability has been patched in the Linux kernel’s comedi subsystem: CVE-2024-53148. The flaw concerns unsafe memory handling during error conditions when mapping device buffers into user space. If not fully patched, this bug could let unprivileged users access partial memory mappings, potentially leading to leaks or unintended access.

In this post, you’ll read a clear, exclusive walkthrough of what the bug is, how it happens, and what the fix involves. We’ll include code examples and essential references.

How the Vulnerability Works

The comedi subsystem lets user applications interact with data acquisition (DAQ) hardware. Often, when these user apps map device memory via mmap(), the kernel function remap_pfn_range() is called repeatedly to map multiple pages.

Here’s what’s dangerous: If some calls succeed and one fails, some memory pages remain mapped even after the buffer’s reference is dropped. Those pages are only eventually cleaned up by the kernel’s memory error code. This opens a window for buggy or malicious userspace programs to exploit the partially-mapped and now-stale memory.

Here’s a pseudocode view of the old buggy mapping logic

for (i = ; i < num_pages; ++i) {
    ret = remap_pfn_range(vma, ...);
    if (ret < )
        break; // On error, previously mapped pages are still present!
}
// cleanup routine doesn't flush all user mappings right away
comedi_buf_map_put(bm);

Real Code Extract (Before Patch)

ret = remap_pfn_range(vma, start, pfn, size, vma->vm_page_prot);
if (ret < )
    break; // Leaves already mapped pages active in userspace!
comedi_buf_map_put(bm); // Drops reference but doesn't flush user pte mappings

Breaching the Bug: Exploit Details

Exploit scenario: A local user repeatedly tries to mmap() a comedi device buffer with crafted input (such as a very large length or other triggering conditions) causing remap_pfn_range() to fail mid-way. The user can then try to read from the mapped memory area, which might still hold pages with sensitive content.

Exploit steps

1. Open /dev/comedi* device.
2. Use mmap() with customized arguments, forcing a partial failure (e.g., trigger ENOMEM or overflow).

Potentially extract non-zero or stale kernel memory.

*Note: actual exploitation requires timing and specific driver/device settings, but this memory leak style is similar to older bugs in graphics drivers and subsystems.*

The Patch: Full Flush on Error

What’s fixed: Now, if any mapping fails during mmap(), the kernel will immediately flush all user mappings for the VMA, ensuring nothing is left behind.

The Core Patch

if (ret < ) {
    // On error, flush all mappings made so far!
    zap_vma_pte_range(vma, vma->vm_start, vma->vm_end);
    comedi_buf_map_put(bm);
    goto out;
}

Or, as the commit message puts it

> Fix it by explicitly flushing all mappings in our VMA on the error path.

Reference Commit

> See commit 79a61cc3fc04 ("mm: avoid leaving partial pfn mappings around in error case").

Responsible Disclosure and References

- Original LKML Patch Thread (example URL)
- Linux Kernel Commit
- Common Vulnerabilities and Exposures (CVE)

TL;DR

- CVE-2024-53148: Partial mappings left after buffer errors in comedi/mmap.

Fix: Patch now flushes all mappings immediately on error.

Upgrade your kernel or backport the patch if you rely on comedi or care about strong memory isolation!

Further Reading

- Kernel Patch: mm: avoid leaving partial pfn mappings around in error case
- What is comedi? (Project site)
- Linux mmap() docs
- How remap_pfn_range() works

Timeline

Published on: 12/24/2024 12:15:22 UTC
Last modified on: 05/04/2025 09:54:15 UTC