From 4ec1bd5adb9f5def6cf401b587f8b61d9aef8750 Mon Sep 17 00:00:00 2001
From: Thomas Petazzoni
Date: Mon, 13 May 2024 17:13:29 +0200
Subject: [PATCH] CVE-2024-26807: improve description of the CVE

The issue reported in CVE-2024-26807 was explained without sufficient
details, and pointed to a particular platform family that in fact was
not currently affected by CVE-2024-26807, as this platform family is
currently not using the cadence-quadspi driver.

This change proposes a more detailed and accurate description of the
issue.

Signed-off-by: Thomas Petazzoni
---
 cve/published/2024/CVE-2024-26807.mbox | 41 ++++++++++++++++++++++----
 1 file changed, 35 insertions(+), 6 deletions(-)

--- a/CVE-2024-26807.mbox
+++ b/CVE-2024-26807.mbox
@@ -1,10 +1,39 @@ In the Linux kernel, the following vulnerability has been resolved: -spi: cadence-qspi: fix pointer reference in runtime PM hooks +Both cadence-quadspi ->runtime_suspend() and ->runtime_resume() +implementations start with: -dev_get_drvdata() gets used to acquire the pointer to cqspi and the SPI -controller. Neither embed the other; this lead to memory corruption. + struct cqspi_st *cqspi = dev_get_drvdata(dev); + struct spi_controller *host = dev_get_drvdata(dev); -On a given platform (Mobileye EyeQ5) the memory corruption is hidden -inside cqspi->f_pdata. Also, this uninitialised memory is used as a -mutex (ctlr->bus_lock_mutex) by spi_controller_suspend(). +This obviously cannot be correct, unless "struct cqspi_st" is the +first member of " struct spi_controller", or the other way around, but +it is not the case. "struct spi_controller" is allocated by +devm_spi_alloc_host(), which allocates an extra amount of memory for +private data, used to store "struct cqspi_st". + +The ->probe() function of the cadence-quadspi driver then sets the +device drvdata to store the address of the "struct cqspi_st" +structure. Therefore: + + struct cqspi_st *cqspi = dev_get_drvdata(dev); + +is correct, but: + + struct spi_controller *host = dev_get_drvdata(dev); + +is not, as it makes "host" point not to a "struct spi_controller" but +to the same "struct cqspi_st" structure as above. + +This obviously leads to bad things (memory corruption, kernel crashes) +directly during ->probe(), as ->probe() enables the device using PM +runtime, leading the ->runtime_resume() hook being called, which in +turns calls spi_controller_resume() with the wrong pointer. + +This has at least been reported [0] to cause a kernel crash, but the +exact behavior will depend on the memory contents. + +[0] https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/ + +This issue potentially affects all platforms that are currently using +the cadence-quadspi driver.
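Review bot: the paragraph beginning "This obviously leads to bad things" only traces the ->runtime_resume() path, although the opening lines of the new text state that both ->runtime_suspend() and ->runtime_resume() start with the same mis-typed pair of dev_get_drvdata() calls; the detail from the removed text that spi_controller_suspend() then uses this memory as ctlr->bus_lock_mutex is worth keeping as the suspend-side consequence, so that readers do not conclude only the resume path is affected. Two wording fixes in the same hunk: "leading the ->runtime_resume() hook being called, which in turns calls" should read "leading to the ->runtime_resume() hook being called, which in turn calls", and the quoted '" struct spi_controller"' has a stray leading space inside the quotes.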