Introduction: In recent developments associated with the Linux Kernel, a memory leak vulnerability has been resolved. The issue was in the Linux kernel's "udmabuf" and a fix was provided for the last export_udmabuf() error path. This post aims to provide an exclusive insight into the issue and its resolution.

Memory Leak Vulnerability (CVE-2024-56712): Within the export_udmabuf() function, if the dma_buf_fd() failed due to the FD table being full, a dma_buf owning the udmabuf had already been created. However, the error handling in udmabuf_create() would result in tearing down the udmabuf without addressing the dma_buf that contains it. This would leave the dma_buf in memory with a dangling pointer, causing a memory leak.

Resolution: To fix this memory leak vulnerability, the solution was to move the dma_buf_fd() call out of export_udmabuf() function. This change enables different error handling to address the issue properly. It is worth noting that the code structure changed significantly in commit 5e72b2b41a21 ("udmabuf: convert udmabuf driver to use folios"); however, the memory leak existed since the introduction of udmabuf.

Below is the code snippet with the fix applied

static int export_udmabuf(struct udmabuf *ubuf, struct dma_buf **buf)
{
    ...
    struct dma_buf *dbuf;

    dbuf = dma_buf_export(...);
    if (IS_ERR(dbuf))
        return PTR_ERR(dbuf);
    ...
    *buf = dbuf;
    return ;
}

static int udmabuf_create(struct udmabuf *ubuf)
{
    ...
    int ret;
    int fd;

    ret = export_udmabuf(ubuf, &buf);
    if (ret)
        goto err_buf;

    fd = dma_buf_fd(buf, O_CLOEXEC);
    if (fd < ) {
        dma_buf_put(buf);
        goto err_buf;
    }
    ...
}

Original References:
1. Linux kernel mailing list (LKML)
2. Commit 5e72b2b41a21

Exploit Details: For exploitation purposes, an attacker would need to trigger the export_udmabuf() error path by filling up the FD table. This would cause the memory leak. However, since this vulnerability leads to a memory leak, as opposed to a privilege escalation or arbitrary code execution, its impact is relatively minimal.

In conclusion, CVE-2024-56712 is a memory leak vulnerability that existed in the Linux kernel's udmabuf. The resolution involved fixing the error handling, by moving the dma_buf_fd() call out of export_udmabuf() function. This ensures that the dma_buf is correctly handled when the export_udmabuf() function encounters an error. While the impact of this vulnerability is limited to memory leaks, it is still crucial for Linux kernel developers and users to be aware of the issue and apply the provided fix for a more stable and secure kernel.

Timeline

Published on: 12/29/2024 09:15:06 UTC
Last modified on: 01/06/2025 17:11:48 UTC