CVE CyberSecurity Database News

CVE-2024-56748 - Linux Kernel SCSI qedf Memory Leak Fixed - Explained

Poster -

Recently, security researchers and kernel developers addressed a serious memory leak vulnerability in the Linux kernel’s SCSI qedf (QLogic 10/25/40GbE iSCSI) driver. This vulnerability has been assigned CVE-2024-56748. In this post, I’ll break down what happened, how it worked, show you some actual affected code, and explain how it got fixed. At the end, you’ll know exactly what this CVE means and why it matters.

What Was the Problem?

The function qedf_alloc_and_init_sb() is responsible for allocating and initializing status block (SB) memory for the SCSI qedf driver. If the hardware function sb_init hook (aka qed_sb_init) failed, it didn’t free up the DMA memory that was allocated earlier. As a result, every failure would leak memory, which could build up over time.

This was an oversight in error-handling logic. The leak was not just theoretical—consistent failures could eventually exhaust device or system memory.

Why is This Important?

- Memory leaks in low-level kernel code can pile up unnoticed for a long time, eventually hurting system performance or even causing instability.
- This is especially dangerous in storage and networking paths, where resources are frequently allocated and released.

Inside the qedf_alloc_and_init_sb() function, roughly like this

memset(sb_info, , sizeof(*sb_info));
sb_virt = dma_alloc_coherent(&dev->pdev->dev, sb_size, &sb_dma, GFP_KERNEL);

if (!sb_virt)
    return -ENOMEM;

sb_info->sb_virt = sb_virt;

rc = qed_ops->common->sb_init(dev->cdev, ...);

if (rc)
    return rc;        // <<< BAD: Early return, but sb_virt not freed!

If sb_init fails, sb_virt is simply forgotten.

What Was the Fix?

The fix was to make sure the allocated DMA memory was released with dma_free_coherent() before exiting on error.

Here’s a simplified look at the patched code

sb_virt = dma_alloc_coherent(&dev->pdev->dev, sb_size, &sb_dma, GFP_KERNEL);
if (!sb_virt)
    return -ENOMEM;

sb_info->sb_virt = sb_virt;

rc = qed_ops->common->sb_init(dev->cdev, ...);
if (rc) {
    dma_free_coherent(&dev->pdev->dev, sb_size, sb_virt, sb_dma);
    return rc;
}

Now, there's no memory left hanging!

The approach matches how other, similar drivers—like qedr and qede—already handled allocation failures for status blocks.

How Could It Be Exploited?

This wasn’t a typical “remote code execution” bug, but clever attackers (or misbehaving local users) might exploit the leak to:

- Degrade system performance: Repeatedly triggering allocation failures could eventually exhaust all DMA memory or kernel memory, causing crashes, resource exhaustion, or denial of service.
- Mask other bugs: Heap/data structure exhaustion can sometimes enable other exploits.

Timeline & References

- Patch submitted: Linux Kernel Patch: SCSI: qedf: Fix possible memory leak in qedf_alloc_and_init_sb()
- CVE record: CVE-2024-56748 at Mitre
- Common Linux SCSI subsystem: Linux Kernel SCSI Subsystem Docs
- Similar fix for qedr: qedr_alloc_mem_sb() implementation

What Should You Do?

1. Update your system! If you’re running a kernel using the qedf SCSI driver, grab the latest updates.

Conclusion

CVE-2024-56748 reminds us that even seemingly small missing cleanup lines in low-level drivers can have real-world stability and security impacts. The good news: it’s a simple fix, and now the Linux kernel handles allocation failures for SCSI qedf status blocks cleanly.

Stay patched!

*Exclusive long-post for kernel learners & sysadmins. Share and stay informed!*

Timeline

Published on: 12/29/2024 12:15:08 UTC
Last modified on: 01/06/2025 17:07:33 UTC