CVE-2024-26807

spi: cadence-qspi: fix pointer reference in runtime PM hooks

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

Both cadence-quadspi ->runtime_suspend() and ->runtime_resume()
implementations start with:

struct cqspi_st *cqspi = dev_get_drvdata(dev);
struct spi_controller *host = dev_get_drvdata(dev);

This obviously cannot be correct, unless "struct cqspi_st" is the
first member of " struct spi_controller", or the other way around, but
it is not the case. "struct spi_controller" is allocated by
devm_spi_alloc_host(), which allocates an extra amount of memory for
private data, used to store "struct cqspi_st".

The ->probe() function of the cadence-quadspi driver then sets the
device drvdata to store the address of the "struct cqspi_st"
structure. Therefore:

struct cqspi_st *cqspi = dev_get_drvdata(dev);

is correct, but:

struct spi_controller *host = dev_get_drvdata(dev);

is not, as it makes "host" point not to a "struct spi_controller" but
to the same "struct cqspi_st" structure as above.

This obviously leads to bad things (memory corruption, kernel crashes)
directly during ->probe(), as ->probe() enables the device using PM
runtime, leading the ->runtime_resume() hook being called, which in
turns calls spi_controller_resume() with the wrong pointer.

This has at least been reported [0] to cause a kernel crash, but the
exact behavior will depend on the memory contents.

[0] https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/

This issue potentially affects all platforms that are currently using
the cadence-quadspi driver.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: spi: cadence-qspi: corrige la referencia del puntero en los ganchos PM en tiempo de ejecución dev_get_drvdata() se utiliza para adquirir el puntero a cqspi y el controlador SPI. Ninguno de los dos integra al otro; Esto conduce a la corrupción de la memoria. En una plataforma determinada (Mobileye EyeQ5), la corrupción de la memoria está oculta dentro de cqspi->f_pdata. Además, esta memoria no inicializada se utiliza como mutex (ctlr->bus_lock_mutex) por spi_controller_suspend().

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-04-04 CVE Published
2024-04-05 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (11)

URL	Tag	Source
https://git.kernel.org/stable/c/2087e85bb66ee3652dafe732bb9b9b896229eafc	Vuln. Introduced
https://git.kernel.org/stable/c/e3f9fc9a4f1499cc9e1bad4482d377494e367b3d	Vuln. Introduced
https://git.kernel.org/stable/c/6716203844bc8489af5e5564f0fa31e0c094a7ff	Vuln. Introduced
https://git.kernel.org/stable/c/b24f1ecc8fe2ceefc14af02edb1744c246d87bf7	Vuln. Introduced
https://git.kernel.org/stable/c/d453f25faf681799d636fe9d6899ad91c45aa11e	Vuln. Introduced
https://git.kernel.org/stable/c/79acf7fb856eade9c3d0cf00fd34a04bf5c43a1c	Vuln. Introduced
https://git.kernel.org/stable/c/18cb554e9da81bc4eca653c17a0d65e8b5835c09	Vuln. Introduced
https://git.kernel.org/stable/c/1368dbc0a432acf9fc0dcb23bfe52d32ca4c09ab	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/03f1573c9587029730ca68503f5062105b122f61	2024-03-06
https://git.kernel.org/stable/c/34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03	2024-03-06
https://git.kernel.org/stable/c/32ce3bb57b6b402de2aec1012511e7ac4e7449dc	2024-02-22

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.4 < 6.6.21 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.6.21"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.4 < 6.7.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.7.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.4 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.8"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.19.283 Search vendor "Linux" for product "Linux Kernel" and version "4.19.283"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.4.243 Search vendor "Linux" for product "Linux Kernel" and version "5.4.243"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.10.180 Search vendor "Linux" for product "Linux Kernel" and version "5.10.180"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.15.111 Search vendor "Linux" for product "Linux Kernel" and version "5.15.111"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.1.28 Search vendor "Linux" for product "Linux Kernel" and version "6.1.28"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.2.15 Search vendor "Linux" for product "Linux Kernel" and version "6.2.15"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.3.2 Search vendor "Linux" for product "Linux Kernel" and version "6.3.2"		en		Affected