A recently resolved vulnerability in the Linux kernel shows how important it is to handle errors and potential misconfigurations gracefully. The issue is in the kernel's PCI/MSI (Peripheral Component Interconnect / Message Signaled Interrupts) subsystem.

The vulnerability, tracked as CVE-2024-56760, was first reported by Alexandre. It concerns a warning emitted from the pci_msi_setup_msi_irqs() function on a RISC-V platform that did not offer PCI/MSI support. The root cause was that the PCI/MSI layer incorrectly assumed that all systems provided legacy PCI/MSI support.

This assumption led to the triggering of a warning, even in cases where the platform correctly did not implement legacy fallback. To resolve this issue, the fix involved aligning the legacy mode assumptions and adding a check for proper support in the MSI enable path.

The original warning occurred as follows:

WARNING: CPU: 1 PID: 1 at drivers/pci/msi/msi.h:121 pci_msi_setup_msi_irqs+0x2c/0x32
__pci_enable_msix_range+0x30c/0x596
pci_msi_setup_msi_irqs+0x2c/0x32
pci_alloc_irq_vectors_affinity+0xb8/0xe2

This was triggered because the code did not properly handle cases where the platform did not support legacy PCI/MSI. In other words, the MSI enable path had to check whether PCI/MSI is actually supported before attempting the setup.
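To check whether a machine's kernel log contains this warning, the following added example (not code from the original page or from the kernel project) parses WARN splats and keeps only those raised in pci_msi_setup_msi_irqs, together with their call frames. The dmesg timestamp prefix, the "end trace" marker and the sample log are assumptions constructed for illustration, with offsets written in the kernel's usual 0x form.

```python
import re

TS = r"(?:\[\s*\d+\.\d+\]\s*)?"                      # optional dmesg timestamp
SYM = r"(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+"   # symbol+0xoffset/0xsize
# Header line of a kernel WARN splat.
WARN_RE = re.compile(TS + r"WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at "
                     r"(?P<site>\S+:\d+) " + SYM)
# Stack frame, optionally prefixed by "[<address>]" and the "? " unreliable mark.
FRAME_RE = re.compile(TS + r"\s*(?:\[<[0-9a-f]+>\]\s*)?(?:\? )?" + SYM + r"\s*$")
TARGET = "pci_msi_setup_msi_irqs"  # function named in the warning on this page


def find_msi_warnings(log_text):
    """Return one dict per WARN splat raised in TARGET, with its call frames."""
    hits, current = [], None
    for line in log_text.splitlines():
        header = WARN_RE.match(line)
        if header:
            current = None  # a new splat ends whatever we were collecting
            if header["func"] == TARGET:
                current = {"cpu": int(header["cpu"]), "pid": int(header["pid"]),
                           "site": header["site"], "frames": []}
                hits.append(current)
        elif "---[ end trace" in line:
            current = None
        elif current is not None:
            # Register dumps and "Modules linked in" lines do not match and are skipped.
            frame = FRAME_RE.match(line)
            if frame:
                current["frames"].append(frame["func"])
    return hits


# Constructed sample log: the page's warning plus an unrelated, made-up splat.
SAMPLE_LOG = """\
[    1.204511] pci 0000:00:01.0: enabling device (0000 -> 0002)
[    1.204890] WARNING: CPU: 1 PID: 1 at drivers/pci/msi/msi.h:121 pci_msi_setup_msi_irqs+0x2c/0x32
[    1.204902]  __pci_enable_msix_range+0x30c/0x596
[    1.204910]  pci_msi_setup_msi_irqs+0x2c/0x32
[    1.204918]  pci_alloc_irq_vectors_affinity+0xb8/0xe2
[    1.204925] ---[ end trace 0000000000000000 ]---
[    2.000113] WARNING: CPU: 0 PID: 42 at kernel/example.c:10 example_fn+0x10/0x20
[    2.000120]  example_caller+0x4/0x8
[    2.000130] ---[ end trace 0000000000000000 ]---
"""

if __name__ == "__main__":
    for hit in find_msi_warnings(SAMPLE_LOG):
        print(hit)
```
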

The fix for this vulnerability involved adding a check for this condition into the existing code. This check makes the code aware of the available support for PCI/MSI on the system and gracefully handles situations where support is not provided.

Here is a snippet of the corrected code:

if (legacy_pci_msi_enabled(dev))
    return !!dev->bus->msi;

With the above correction, the Linux kernel now correctly handles cases where the platform may not offer PCI/MSI support, avoiding the generation of the original warning.

Original References

1. Linux kernel Git commit: PCI/MSI: Handle lack of irqdomain gracefully
2. [LKML: "[PATCH] PCI/MSI: Handle lack of irqdomain gracefully"](https://lkml.org/lkml/2022/1/27/781)

Conclusion

The CVE-2024-56760 vulnerability, affecting the Linux kernel's handling of PCI/MSI configuration, demonstrates the importance of proper code design and accounting for different system configurations. By adding the appropriate checks and avoiding legacy assumptions, the Linux kernel development team has successfully resolved this issue, making the kernel more reliable and robust on a variety of platforms.

Timeline

Published on: 01/06/2025 17:15:41 UTC
Last modified on: 01/07/2025 23:06:22 UTC