In the Linux kernel, the following vulnerability has been resolved: Both
cadence-quadspi ->runtime_suspend() and ->runtime_resume() implementations
start with: struct cqspi_st *cqspi = dev_get_drvdata(dev); struct
spi_controller *host = dev_get_drvdata(dev); This obviously cannot be
correct, unless “struct cqspi_st” is the first member of " struct
spi_controller", or the other way around, but it is not the case. “struct
spi_controller” is allocated by devm_spi_alloc_host(), which allocates an
extra amount of memory for private data, used to store “struct cqspi_st”.
The ->probe() function of the cadence-quadspi driver then sets the device
drvdata to store the address of the “struct cqspi_st” structure. Therefore:
struct cqspi_st *cqspi = dev_get_drvdata(dev); is correct, but: struct
spi_controller *host = dev_get_drvdata(dev); is not, as it makes “host”
point not to a “struct spi_controller” but to the same “struct cqspi_st”
structure as above. This obviously leads to bad things (memory corruption,
kernel crashes) directly during ->probe(), as ->probe() enables the device
using PM runtime, leading the ->runtime_resume() hook being called, which
in turns calls spi_controller_resume() with the wrong pointer. This has at
least been reported [0] to cause a kernel crash, but the exact behavior
will depend on the memory contents. [0]
https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/ This
issue potentially affects all platforms that are currently using the
cadence-quadspi driver.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure-5.15 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure-6.5 | < any | UNKNOWN |
git.kernel.org/stable/c/03f1573c9587029730ca68503f5062105b122f61
git.kernel.org/stable/c/32ce3bb57b6b402de2aec1012511e7ac4e7449dc
git.kernel.org/stable/c/34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03
launchpad.net/bugs/cve/CVE-2024-26807
nvd.nist.gov/vuln/detail/CVE-2024-26807
security-tracker.debian.org/tracker/CVE-2024-26807
www.cve.org/CVERecord?id=CVE-2024-26807