In the Linux kernel, the following vulnerability has been resolved:
firmware: arm_scmi: Fix double free in SMC transport cleanup path When the
generic SCMI code tears down a channel, it calls the chan_free callback
function, defined by each transport. Since multiple protocols might share
the same transport_info member, chan_free() might want to clean up the same
member multiple times within the given SCMI transport implementation. In
this case, it is SMC transport. This will lead to a NULL pointer
dereference at the second time: | scmi_protocol scmi_dev.1: Enabled polling
mode TX channel - prot_id:16 | arm-scmi firmware:scmi: SCMI Notifications -
Core Enabled. | arm-scmi firmware:scmi: unable to communicate with SCMI |
Unable to handle kernel NULL pointer dereference at virtual address
0000000000000000 | Mem abort info: | ESR = 0x0000000096000004 | EC = 0x25:
DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 |
FSC = 0x04: level 0 translation fault | Data abort info: | ISV = 0, ISS =
0x00000004, ISS2 = 0x00000000 | CM = 0, WnR = 0, TnD = 0, TagAccess = 0 |
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 48-bit
VAs, pgdp=0000000881ef8000 | [0000000000000000] pgd=0000000000000000,
p4d=0000000000000000 | Internal error: Oops: 0000000096000004 [#1] PREEMPT
SMP | Modules linked in: | CPU: 4 PID: 1 Comm: swapper/0 Not tainted
6.7.0-rc2-00124-g455ef3d016c9-dirty #793 | Hardware name: FVP Base RevC
(DT) | pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=–) | pc
: smc_chan_free+0x3c/0x6c | lr : smc_chan_free+0x3c/0x6c | Call trace: |
smc_chan_free+0x3c/0x6c | idr_for_each+0x68/0xf8 |
scmi_cleanup_channels.isra.0+0x2c/0x58 | scmi_probe+0x434/0x734 |
platform_probe+0x68/0xd8 | really_probe+0x110/0x27c |
__driver_probe_device+0x78/0x12c | driver_probe_device+0x3c/0x118 |
__driver_attach+0x74/0x128 | bus_for_each_dev+0x78/0xe0 |
driver_attach+0x24/0x30 | bus_add_driver+0xe4/0x1e8 |
driver_register+0x60/0x128 | __platform_driver_register+0x28/0x34 |
scmi_driver_init+0x84/0xc0 | do_one_initcall+0x78/0x33c |
kernel_init_freeable+0x2b8/0x51c | kernel_init+0x24/0x130 |
ret_from_fork+0x10/0x20 | Code: f0004701 910a0021 aa1403e5 97b91c70
(b9400280) | —[ end trace 0000000000000000 ]— Simply check for the
struct pointer being NULL before trying to access its members, to avoid
this situation. This was found when a transport doesn’t really work (for
instance no SMC service), the probe routines then tries to clean up, and
triggers a crash.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < 6.8.0-35.35 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 23.10 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-aws | < 6.8.0-1009.9 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 23.10 | noarch | linux-azure | < any | UNKNOWN |
git.kernel.org/linus/f1d71576d2c9ec8fdb822173fa7f3de79475e9bd (6.9-rc1)
git.kernel.org/stable/c/0d276d9f335f41d6524258d58c0c0241ef9a83a4
git.kernel.org/stable/c/857f56db8c3a71f9871922b6984ff74ad588cb2c
git.kernel.org/stable/c/8ffaa17ccb1eb1b65cf85db63225a3581c303773
git.kernel.org/stable/c/ead445dd3d681020af333649a27306160eee761d
git.kernel.org/stable/c/f1d71576d2c9ec8fdb822173fa7f3de79475e9bd
launchpad.net/bugs/cve/CVE-2024-26893
nvd.nist.gov/vuln/detail/CVE-2024-26893
security-tracker.debian.org/tracker/CVE-2024-26893
ubuntu.com/security/notices/USN-6816-1
ubuntu.com/security/notices/USN-6817-1
ubuntu.com/security/notices/USN-6817-2
ubuntu.com/security/notices/USN-6817-3
www.cve.org/CVERecord?id=CVE-2024-26893