CVE-2024-35829
📋 TL;DR
This CVE describes a memory leak vulnerability in the Linux kernel's Lima graphics driver. When lima_vm_map_bo fails during memory allocation, resources aren't properly deallocated, leading to gradual memory exhaustion. This affects systems using the Lima driver for ARM Mali graphics hardware.
💻 Affected Systems
- Linux kernel with Lima DRM driver enabled
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Sustained exploitation could lead to kernel memory exhaustion, causing system instability, denial of service, or potential kernel crashes.
Likely Case
Gradual memory consumption over time leading to performance degradation and potential application crashes.
If Mitigated
Minimal impact with proper memory monitoring and restart policies in place.
🎯 Exploit Status
Requires local access and ability to trigger specific Lima driver operations. No known public exploits.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel with commits 04ae3eb470e5, 4ab14eccf557, 746606d37d66, 8e25c0ee5665, or ec6bb037e4a3 applied
Vendor Advisory: https://git.kernel.org/stable/c/04ae3eb470e52a3c41babe85ff8cee195e4dcbea
Restart Required: Yes
Instructions:
1. Update to patched Linux kernel version from your distribution vendor. 2. Reboot system to load new kernel. 3. Verify Lima driver is updated.
🔧 Temporary Workarounds
Disable Lima DRM driver
linuxPrevent loading of vulnerable Lima graphics driver module
echo 'blacklist lima' >> /etc/modprobe.d/blacklist-lima.conf
rmmod lima
update-initramfs -u
Restrict user access
linuxLimit which users can access graphics hardware
chmod 600 /dev/dri/renderD128
setfacl -m u:username:rw- /dev/dri/renderD128
🧯 If You Can't Patch
- Monitor system memory usage for unusual consumption patterns
- Implement regular system reboots to clear accumulated memory leaks
🔍 How to Verify
Check if Vulnerable:
Check if Lima driver is loaded: lsmod | grep lima && check kernel version against patched commitsCheck Version:
uname -r && grep -i lima /proc/modulesVerify Fix Applied:
Verify kernel version includes fix commits and Lima driver loads without errors in dmesg📡 Detection & Monitoring
Log Indicators:
- Kernel OOM (Out of Memory) messages in dmesg
- Increasing memory usage by kernel processes
- Lima driver error messages
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND ("out of memory" OR "OOM" OR "lima")🔗 References
- https://git.kernel.org/stable/c/04ae3eb470e52a3c41babe85ff8cee195e4dcbea
- https://git.kernel.org/stable/c/4ab14eccf5578af1dd5668a5f2d771df27683cab
- https://git.kernel.org/stable/c/746606d37d662c70ae1379fc658ee9c65f06880f
- https://git.kernel.org/stable/c/8e25c0ee5665e8a768b8e21445db1f86e9156eb7
- https://git.kernel.org/stable/c/ec6bb037e4a35fcbb5cd7bc78242d034ed893fcd
- https://git.kernel.org/stable/c/f2e80ac9344aebbff576453d5c0290b332e187ed
- https://git.kernel.org/stable/c/f6d51a91b41704704e395de6839c667b0f810bbf
- https://git.kernel.org/stable/c/04ae3eb470e52a3c41babe85ff8cee195e4dcbea
- https://git.kernel.org/stable/c/4ab14eccf5578af1dd5668a5f2d771df27683cab
- https://git.kernel.org/stable/c/746606d37d662c70ae1379fc658ee9c65f06880f
- https://git.kernel.org/stable/c/8e25c0ee5665e8a768b8e21445db1f86e9156eb7
- https://git.kernel.org/stable/c/ec6bb037e4a35fcbb5cd7bc78242d034ed893fcd
- https://git.kernel.org/stable/c/f2e80ac9344aebbff576453d5c0290b332e187ed
- https://git.kernel.org/stable/c/f6d51a91b41704704e395de6839c667b0f810bbf
- https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
