CVE-2024-26807
spi: cadence-qspi: fix pointer reference in runtime PM hooks
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
Both cadence-quadspi ->runtime_suspend() and ->runtime_resume()
implementations start with:
struct cqspi_st *cqspi = dev_get_drvdata(dev);
struct spi_controller *host = dev_get_drvdata(dev);
This obviously cannot be correct, unless "struct cqspi_st" is the
first member of " struct spi_controller", or the other way around, but
it is not the case. "struct spi_controller" is allocated by
devm_spi_alloc_host(), which allocates an extra amount of memory for
private data, used to store "struct cqspi_st".
The ->probe() function of the cadence-quadspi driver then sets the
device drvdata to store the address of the "struct cqspi_st"
structure. Therefore:
struct cqspi_st *cqspi = dev_get_drvdata(dev);
is correct, but:
struct spi_controller *host = dev_get_drvdata(dev);
is not, as it makes "host" point not to a "struct spi_controller" but
to the same "struct cqspi_st" structure as above.
This obviously leads to bad things (memory corruption, kernel crashes)
directly during ->probe(), as ->probe() enables the device using PM
runtime, leading the ->runtime_resume() hook being called, which in
turns calls spi_controller_resume() with the wrong pointer.
This has at least been reported [0] to cause a kernel crash, but the
exact behavior will depend on the memory contents.
[0] https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/
This issue potentially affects all platforms that are currently using
the cadence-quadspi driver.
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: spi: cadence-qspi: corrige la referencia del puntero en los ganchos PM en tiempo de ejecución dev_get_drvdata() se utiliza para adquirir el puntero a cqspi y el controlador SPI. Ninguno de los dos integra al otro; Esto conduce a la corrupción de la memoria. En una plataforma determinada (Mobileye EyeQ5), la corrupción de la memoria está oculta dentro de cqspi->f_pdata. Además, esta memoria no inicializada se utiliza como mutex (ctlr->bus_lock_mutex) por spi_controller_suspend().
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-19 CVE Reserved
- 2024-04-04 CVE Published
- 2024-04-05 EPSS Updated
- 2024-12-19 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (11)
URL | Tag | Source |
---|---|---|
https://git.kernel.org/stable/c/2087e85bb66ee3652dafe732bb9b9b896229eafc | Vuln. Introduced | |
https://git.kernel.org/stable/c/e3f9fc9a4f1499cc9e1bad4482d377494e367b3d | Vuln. Introduced | |
https://git.kernel.org/stable/c/6716203844bc8489af5e5564f0fa31e0c094a7ff | Vuln. Introduced | |
https://git.kernel.org/stable/c/b24f1ecc8fe2ceefc14af02edb1744c246d87bf7 | Vuln. Introduced | |
https://git.kernel.org/stable/c/d453f25faf681799d636fe9d6899ad91c45aa11e | Vuln. Introduced | |
https://git.kernel.org/stable/c/79acf7fb856eade9c3d0cf00fd34a04bf5c43a1c | Vuln. Introduced | |
https://git.kernel.org/stable/c/18cb554e9da81bc4eca653c17a0d65e8b5835c09 | Vuln. Introduced | |
https://git.kernel.org/stable/c/1368dbc0a432acf9fc0dcb23bfe52d32ca4c09ab | Vuln. Introduced |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.4 < 6.6.21 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.6.21" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.4 < 6.7.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.7.9" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.4 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.8" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 4.19.283 Search vendor "Linux" for product "Linux Kernel" and version "4.19.283" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 5.4.243 Search vendor "Linux" for product "Linux Kernel" and version "5.4.243" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 5.10.180 Search vendor "Linux" for product "Linux Kernel" and version "5.10.180" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 5.15.111 Search vendor "Linux" for product "Linux Kernel" and version "5.15.111" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 6.1.28 Search vendor "Linux" for product "Linux Kernel" and version "6.1.28" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 6.2.15 Search vendor "Linux" for product "Linux Kernel" and version "6.2.15" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 6.3.2 Search vendor "Linux" for product "Linux Kernel" and version "6.3.2" | en |
Affected
|