In the past few days, the Linux kernel community disclosed a new vulnerability, CVE-2024-56767, which affects the DMA engine (Direct Memory Access) subsystem. The at_xdmac (Atmel XDMA Controller) driver, an important part of this subsystem, contains a null pointer dereference vulnerability that could potentially allow an attacker to execute arbitrary code or disrupt kernel operations.
In this blog post, we will provide a detailed analysis of the vulnerability, a code snippet demonstrating the issue and its resolution, as well as links to the original references. The exploit details will be clarified as much as possible to help you understand the potential risks and take necessary precautions.
Vulnerability details
The issue lies in the at_xdmac_prep_dma_memset function in drivers/dma/at_xdmac.c, which calls at_xdmac_memset_create_desc to allocate a descriptor for a DMA memset operation and then uses the result without checking it. Because at_xdmac_memset_create_desc can return NULL, the subsequent accesses to the descriptor become a null pointer dereference.
This vulnerability can be triggered when the transfer length passed to the operation is invalid, or when the DMA channel's free descriptor list is empty and memory is exhausted, so that no descriptor can be allocated.
Here's a snippet of the vulnerable code:

```c
static struct dma_async_tx_descriptor *
at_xdmac_prep_dma_memset(struct dma_chan *chan, dma_addr_t dst, int value,
			 size_t len, unsigned long flags)
{
	...
	desc = at_xdmac_memset_create_desc(atchan, value);
	/* desc may be NULL here, yet it is dereferenced without a check */
	desc->lli.saddr = desc->phys;
	desc->lli.daddr = dst;
	desc->lli.ublock = len - 1;
	...
	return vchan_tx_prep(&atchan->vchan, &desc->vdesc, flags);
}
```
To fix the vulnerability, we need to add a check after the at_xdmac_memset_create_desc function call to make sure desc is not NULL:
```c
static struct dma_async_tx_descriptor *
at_xdmac_prep_dma_memset(struct dma_chan *chan, dma_addr_t dst, int value,
			 size_t len, unsigned long flags)
{
	...
	desc = at_xdmac_memset_create_desc(atchan, value);
	/* bail out cleanly when no descriptor could be allocated */
	if (!desc)
		return NULL;
	desc->lli.saddr = desc->phys;
	desc->lli.daddr = dst;
	desc->lli.ublock = len - 1;
	...
	return vchan_tx_prep(&atchan->vchan, &desc->vdesc, flags);
}
```
With this check in place, a failed descriptor allocation makes the function return NULL to its caller instead of dereferencing a null pointer, which resolves the issue.
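To make the failure mode concrete, here is an added user-space model of the pattern; it is not the at_xdmac driver's code. It keeps a small descriptor free list whose allocator returns NULL once the list is exhausted, and a caller that carries the same check the fix adds, so surplus requests fail cleanly instead of crashing. All `model_` names, the pool size and the field layout are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#define MODEL_POOL_SIZE 4   /* assumed pool size for the illustration */
/* Model descriptor: the lli fields the driver fills plus a free-list link. */
struct model_desc {
    uint64_t saddr, daddr;
    uint32_t ublock;                 /* the driver stores len - 1 here */
    struct model_desc *next;
};
static struct model_desc model_pool[MODEL_POOL_SIZE];
static struct model_desc *model_free_list;
/* Link every descriptor onto the free list, as the driver does at init. */
void model_chan_init(void)
{
    model_free_list = NULL;
    for (int i = 0; i < MODEL_POOL_SIZE; i++) {
        model_pool[i].next = model_free_list;
        model_free_list = &model_pool[i];
    }
}
/* Stand-in for at_xdmac_memset_create_desc(): NULL once the list is empty. */
struct model_desc *model_memset_create_desc(void)
{
    struct model_desc *d = model_free_list;
    if (d)
        model_free_list = d->next;
    return d;
}
/* Stand-in for the fixed at_xdmac_prep_dma_memset(): the NULL check turns
 * pool exhaustion into a clean failure instead of a null dereference. */
struct model_desc *model_prep_dma_memset(uint64_t dst, size_t len)
{
    if (len == 0)
        return NULL;                 /* len - 1 would wrap otherwise */
    struct model_desc *desc = model_memset_create_desc();
    if (!desc)
        return NULL;                 /* the check the fix adds */
    desc->saddr = (uint64_t)(uintptr_t)desc;   /* stands in for desc->phys */
    desc->daddr = dst;
    desc->ublock = (uint32_t)(len - 1);
    return desc;
}
/* Issues `requests` memset preparations on a fresh channel and returns how
 * many succeeded; anything beyond the pool size fails without a crash. */
int model_count_prepared(int requests)
{
    int ok = 0;
    model_chan_init();
    for (int i = 0; i < requests; i++)
        ok += model_prep_dma_memset(0x1000 + 64 * (uint64_t)i, 256) != NULL;
    return ok;
}
```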
Original References and Acknowledgements
- Linux Kernel Git Commit - "dmaengine: at_xdmac: avoid null_ptr_deref in at_xdmac_prep_dma_memset"
- [Linux Kernel Mailing List - "[PATCH] dmaengine: at_xdmac: avoid null_ptr_deref in at_xdmac_prep_dma_memset"](https://lore.kernel.org/lkml/20220402003014.36147-1-myc19880104@gmail.com/)
The discovery and reporting of this vulnerability are attributed to Changbin Du, and it was fixed by the Linux kernel community.
Conclusion and Impact Assessment
CVE-2024-56767 represents a critical security vulnerability in the Linux kernel's DMA engine subsystem that could potentially allow an attacker to execute arbitrary code or disrupt kernel operations. By understanding the exploit details and keeping your kernel up to date, you can minimize the potential risks. The problem has been fixed in recent kernel versions, so we advise you to update your kernel to the latest stable release.
Timeline
Published on: 01/06/2025 17:15:43 UTC
Last modified on: 01/07/2025 22:51:02 UTC