CVE-2024-26680: Vulnerability in Linux Linux

Medium
Published: Tue Apr 02 2024 (04/02/2024, 07:01:44 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: atlantic: Fix DMA mapping for PTP hwts ring

Function aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes for PTP HWTS ring but then generic aq_ring_free() does not take this into account. Create and use a specific function to free HWTS ring to fix this issue.

Trace:
[ 215.351607] ------------[ cut here ]------------
[ 215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes]
[ 215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360
...
[ 215.581176] Call Trace:
[ 215.583632] <TASK>
[ 215.585745] ? show_trace_log_lvl+0x1c4/0x2df
[ 215.590114] ? show_trace_log_lvl+0x1c4/0x2df
[ 215.594497] ? debug_dma_free_coherent+0x196/0x210
[ 215.599305] ? check_unmap+0xa6f/0x2360
[ 215.603147] ? __warn+0xca/0x1d0
[ 215.606391] ? check_unmap+0xa6f/0x2360
[ 215.610237] ? report_bug+0x1ef/0x370
[ 215.613921] ? handle_bug+0x3c/0x70
[ 215.617423] ? exc_invalid_op+0x14/0x50
[ 215.621269] ? asm_exc_invalid_op+0x16/0x20
[ 215.625480] ? check_unmap+0xa6f/0x2360
[ 215.629331] ? mark_lock.part.0+0xca/0xa40
[ 215.633445] debug_dma_free_coherent+0x196/0x210
[ 215.638079] ? __pfx_debug_dma_free_coherent+0x10/0x10
[ 215.643242] ? slab_free_freelist_hook+0x11d/0x1d0
[ 215.648060] dma_free_attrs+0x6d/0x130
[ 215.651834] aq_ring_free+0x193/0x290 [atlantic]
[ 215.656487] aq_ptp_ring_free+0x67/0x110 [atlantic]
...
[ 216.127540] ---[ end trace 6467e5964dd2640b ]---
[ 216.132160] DMA-API: Mapped at:
[ 216.132162] debug_dma_alloc_coherent+0x66/0x2f0
[ 216.132165] dma_alloc_attrs+0xf5/0x1b0
[ 216.132168] aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic]
[ 216.132193] aq_ptp_ring_alloc+0x1bb/0x540 [atlantic]
[ 216.132213] aq_nic_init+0x4a1/0x760 [atlantic]

AI-Powered Analysis

Last updated: 06/29/2025, 17:12:22 UTC

Technical Analysis

CVE-2024-26680 is a vulnerability in the Linux kernel's network driver for the Aquantia (atlantic) Ethernet controller. It arises from improper handling of Direct Memory Access (DMA) mappings for the Precision Time Protocol (PTP) hardware timestamping (hwts) ring buffer. The function aq_ring_hwts_rx_alloc() allocates and maps extra bytes (AQ_CFG_RXDS_DEF) for the PTP hwts ring, but the generic function aq_ring_free() used to free this memory does not account for the additional size. The DMA memory is therefore freed with a different size than was originally mapped, which triggers kernel warnings and can potentially cause memory corruption or instability.

The patch creates and uses a dedicated function to free the PTP hwts ring memory, so that the size used during unmapping matches the allocation size. The kernel trace in the description shows the warning from the DMA-API subsystem: the driver frees DMA memory with a size that differs from the mapped size (map size 34816 bytes, unmap size 32768 bytes), which can lead to undefined behavior in the kernel.

No known exploits are reported in the wild. The vulnerability affects Linux kernel versions containing the atlantic driver with PTP hwts support, which is commonly used in network interface cards (NICs) based on Aquantia chips. It is a low-level issue in kernel memory management and device driver operations that could be exploited to cause denial of service or potentially escalate privileges if combined with other vulnerabilities.
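The size mismatch described above, reduced to a userspace C model (an added example, not code from this page or from the atlantic driver). The struct and function names, the 2048 x 16 ring dimensions and the 2048-byte value standing in for AQ_CFG_RXDS_DEF are assumptions chosen to reproduce the 34816 and 32768 byte sizes in the trace.

```c
/* Userspace model; all names are hypothetical, not the atlantic driver's code. */
#include <stdio.h>
#include <stdlib.h>

#define EXTRA_HWTS_BYTES 2048u /* stands in for AQ_CFG_RXDS_DEF; 34816 - 32768 in the trace */

struct ring {
    void *mem;                    /* stands in for the coherent DMA area */
    size_t size, dx_size, mapped; /* descriptors, bytes each, size recorded at map time */
};
struct unmap_result { size_t map_size, unmap_size; int mismatch; };

/* HWTS allocation: descriptor area plus the extra bytes. */
int ring_hwts_alloc(struct ring *r, size_t size, size_t dx_size)
{
    r->size = size;
    r->dx_size = dx_size;
    r->mapped = size * dx_size + EXTRA_HWTS_BYTES;
    r->mem = calloc(1, r->mapped);
    return r->mem ? 0 : -1;
}

/* Compare the recorded size with the size passed at free time, then release. */
static struct unmap_result model_unmap(struct ring *r, size_t unmap_size)
{
    struct unmap_result res = { r->mapped, unmap_size, r->mapped != unmap_size };
    free(r->mem);
    return res;
}

/* Generic free: size derived from the descriptor count alone (the bug). */
struct unmap_result ring_free_generic(struct ring *r)
{
    return model_unmap(r, r->size * r->dx_size);
}

/* Dedicated HWTS free: same formula as the allocation (the fix). */
struct unmap_result ring_free_hwts(struct ring *r)
{
    return model_unmap(r, r->size * r->dx_size + EXTRA_HWTS_BYTES);
}

int main(void)
{
    struct ring r;
    if (ring_hwts_alloc(&r, 2048, 16)) return 1; /* constructed: 2048 * 16 = 32768 */
    struct unmap_result u = ring_free_generic(&r);
    printf("map=%zu unmap=%zu mismatch=%d\n", u.map_size, u.unmap_size, u.mismatch);
    return 0;
}
```

The comparison modelled in model_unmap() is the kind of check behind the DMA-API warning in the trace (kernel/dma/debug.c); the kernel only performs it when built with CONFIG_DMA_API_DEBUG, so kernels without that option do not log this warning.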

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the affected atlantic network driver, especially those using Aquantia-based NICs with PTP hardware timestamping enabled. Such systems are often found in enterprise servers, network infrastructure devices, and data center environments where precise time synchronization is critical, such as financial institutions, telecommunications, and industrial control systems. Exploitation could lead to kernel instability, system crashes, or denial of service, impacting availability of critical services. While direct privilege escalation is not explicitly documented, kernel memory corruption vulnerabilities can sometimes be leveraged in multi-stage attacks. The impact on confidentiality and integrity is limited unless combined with other vulnerabilities. However, the disruption of network interfaces or time synchronization services could have cascading effects on time-sensitive applications and compliance with regulatory requirements for accurate logging and auditing. Given the widespread use of Linux in European IT infrastructure, the vulnerability could affect a broad range of organizations if unpatched.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Identify Linux systems using the atlantic network driver with PTP hardware timestamping enabled, focusing on servers and network devices with Aquantia NICs.
2) Apply the latest Linux kernel updates or patches that include the fix for CVE-2024-26680 as soon as they become available from trusted Linux distributions or kernel maintainers.
3) If immediate patching is not possible, consider disabling PTP hardware timestamping on affected NICs as a temporary workaround to prevent triggering the faulty memory free operation.
4) Monitor kernel logs for DMA-API warnings or related errors that may indicate attempts to exploit this vulnerability or system instability.
5) Implement strict access controls and monitoring on systems with affected drivers to detect unusual activity that could indicate exploitation attempts.
6) Engage with hardware vendors to confirm NIC firmware versions and compatibility with patched drivers to ensure full remediation.
7) Incorporate this vulnerability into vulnerability management and incident response plans to prioritize remediation and response efforts.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.152Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d982ac4522896dcbe37e7

Added to database: 5/21/2025, 9:08:58 AM

Last enriched: 6/29/2025, 5:12:22 PM

Last updated: 8/15/2025, 7:36:08 PM
