Linux Kernal Vulnerability Let Attackers Bypass CPU & Gain Read/Write Access

Researchers have uncovered a critical vulnerability within the Linux kernel’s dmam_free_coherent() function.

This flaw, identified as CVE-2024-43856, stems from a race condition caused by the improper order of operations when freeing Direct Memory Access (DMA) allocations and managing associated resources.

The vulnerability poses a significant risk, as it could allow attackers to bypass CPU protections and gain unauthorized read/write access to system memory.

Understanding the Vulnerability

DMA is a crucial mechanism that enables hardware devices to transfer data directly to and from system memory without CPU involvement, enhancing performance.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

The dmam_free_coherent() function frees a DMA allocation and removes the associated data structure used to track it. However, a flaw in this process could lead to system instabilities, data corruption, unexpected behavior, or even crashes.

The vulnerability arises from a race condition where a concurrent task could allocate memory with the same virtual address and add it to the tracking list before removing the original entry.

If exploited, this could result in the devres_destroy function freeing the wrong entry, triggering a WARN_ON assertion in the dmam_match function.

This scenario could allow attackers to manipulate memory allocations, potentially leading to severe security breaches.

The Patch – CVE-2024-43856

In response to this vulnerability, a new patch has been committed to the Linux kernel by Greg Kroah-Hartman.

Lance Richardson from Google authored the patch, which modifies the dmam_free_coherent () function to address a bug in DMA allocation handling.

The solution involves swapping the order of function calls to ensure the tracking data structure is destroyed using devres_destroy before the DMA allocation is freed with dma_free_coherent.

This change prevents the possibility of a concurrent task interfering with the cleanup process.

The patch has undergone testing on Google’s internal “kokonut” network encryption project. It has been signed off by Christoph Hellwig and Sasha Levin, indicating its readiness for inclusion in the mainline Linux kernel.

This proactive measure highlights the developer community’s ongoing efforts to identify and rectify potential bugs, ensuring a more stable and reliable operating system for users worldwide.

While exploiting the dmam_free_coherent() vulnerability to write arbitrary data into CPU memory would be complex and highly dependent on specific system configurations, the patch provides a crucial safeguard against potential attacks.

As the Linux kernel continues to evolve and power a vast array of devices, addressing vulnerabilities like CVE-2024-43856 is essential to maintaining the security and integrity of systems globally.

This case underscores the importance of vigilance and collaboration within the open-source community to protect against emerging threats.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access