A recently disclosed vulnerability in the Linux kernel (assigned CVE-2024-56747) is a possible memory leak in the SCSI (Small Computer System Interface) subsystem that could cause runtime errors and system crashes if left unpatched. The bug is in the qedi_alloc_and_init_sb() function, which does not release the DMA (Direct Memory Access) memory it allocated when status block initialization fails. The purpose of this post is to inform users about the vulnerability, its potential impact, and the steps required to mitigate its effects. We will provide code snippets, links to original references, and exploit details where applicable.
In the Linux kernel's SCSI implementation, the following vulnerability has been resolved:
scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb()
Hook "qedi_ops->common->sb_init = qed_sb_init" does not release the DMA
memory sb_virt when it fails. Add dma_free_coherent() to free it. This
is the same way as qedr_alloc_mem_sb() and qede_alloc_mem_sb().
According to the original reference [1], the hook "qedi_ops->common->sb_init = qed_sb_init" fails to release the DMA memory sb_virt when it encounters an error. The potential memory leak can create kernel runtime errors or crashes, leading to system instability.
Proposed Fix
To resolve the issue, the fix adds a dma_free_coherent() call to the failure path so that the no-longer-needed DMA memory is released. This is consistent with how similar functions such as qedr_alloc_mem_sb() and qede_alloc_mem_sb() handle memory management. The following snippet illustrates the shape of the fix (the identifiers shown are illustrative rather than those of the upstream patch, which frees sb_virt/sb_phys directly):
	if (rc) {
		/* sb_init hook failed: release the DMA memory before bailing out */
		dma_free_coherent(&pdev->dev, QEDI_RAMROD_BUF_SIZE,
				  qedi->hw.qed_sb_array_dma_virt[instance],
				  qedi->hw.qed_sb_array_dma_phy[instance]);
		goto out_free_cons_info;
	}
By adding the dma_free_coherent() call, the code ensures that the DMA memory is properly released when the function encounters a failure, preventing the potential memory leak.
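As an added illustration that is not the kernel's or this post's code, the following user-space C model reproduces the allocate-then-init pattern with a stub DMA allocator that counts outstanding buffers, so the difference between the leaky and the fixed error path becomes measurable. fake_dma_alloc, fake_dma_free, fake_sb_init and the two alloc_and_init_sb_* variants are constructed names standing in for dma_alloc_coherent(), dma_free_coherent(), the sb_init hook and qedi_alloc_and_init_sb().

```c
/* Added example, not kernel code: a user-space model of the allocate-then-init
 * pattern behind CVE-2024-56747, with a stub DMA allocator that counts buffers. */
#include <stdlib.h>
static int dma_outstanding;  /* buffers allocated but not yet freed */
static void *last_alloc;     /* lets the harness reclaim a leaked buffer */
/* Stand-ins for dma_alloc_coherent()/dma_free_coherent() (constructed). */
static void *fake_dma_alloc(size_t size, unsigned long *dma_handle) {
	void *p = calloc(1, size);
	if (!p) return NULL;
	*dma_handle = (unsigned long)p;  /* fake bus address */
	dma_outstanding++;
	last_alloc = p;
	return p;
}
static void fake_dma_free(void *virt) { free(virt); dma_outstanding--; }
/* Model of the qedi_ops->common->sb_init hook: -EIO (-5) when told to fail. */
static int fake_sb_init(int inject_fail) { return inject_fail ? -5 : 0; }
/* Vulnerable shape: sb_virt is never released when sb_init fails. */
static int alloc_and_init_sb_leaky(int inject_fail, void **out) {
	unsigned long sb_phys;
	void *sb_virt = fake_dma_alloc(64, &sb_phys);
	if (!sb_virt) return -12;             /* -ENOMEM */
	int rc = fake_sb_init(inject_fail);
	if (rc) return rc;                    /* BUG: sb_virt is leaked here */
	*out = sb_virt;                       /* on success the caller owns it */
	return 0;
}

/* Fixed shape: the error path frees sb_virt before returning. */
static int alloc_and_init_sb_fixed(int inject_fail, void **out) {
	unsigned long sb_phys;
	void *sb_virt = fake_dma_alloc(64, &sb_phys);
	if (!sb_virt) return -12;
	int rc = fake_sb_init(inject_fail);
	if (rc) {
		fake_dma_free(sb_virt);           /* the added dma_free_coherent() */
		return rc;
	}
	*out = sb_virt;
	return 0;
}
/* Drives a variant with sb_init forced to fail; returns buffers still outstanding (0 = no leak). */
static int leaked_after_failed_init(int (*variant)(int, void **)) {
	dma_outstanding = 0;
	(void)variant(1, NULL);               /* out is never written on failure */
	int leaked = dma_outstanding;
	if (leaked) fake_dma_free(last_alloc); /* give the host memory back */
	return leaked;
}
```

Running both variants through leaked_after_failed_init() yields 1 outstanding buffer for the leaky shape and 0 for the fixed one; a kernel-side equivalent of this check is kmemleak, which reports coherent DMA buffers that no longer have a referencing pointer.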
References
[1] Linux kernel source repository
[2] Linux SCSI mailing list discussion
Exploit Details
Because the leak is triggered only when the driver's status block initialization fails, an exploit taking advantage of it would require the attacker to already have kernel-level access to the affected system. This level of access is beyond the reach of most attackers, and on an adequately secured system the vulnerability poses limited risk.
Conclusion
The memory leak vulnerability in the Linux kernel's SCSI subsystem has been addressed with a fix that releases the DMA memory when initialization fails. Users are recommended to update their kernel to a version that includes this fix, especially on systems that rely on SCSI devices. As always, maintaining good security practices and patching vulnerabilities as soon as possible reduces the risk posed by such bugs and keeps your Linux environment secure.
Timeline
Published on: 12/29/2024 12:15:08 UTC
Last modified on: 01/20/2025 06:27:18 UTC