Bug 1225830 (CVE-2024-36930) - VUL-0: CVE-2024-36930: kernel: spi: fix null pointer dereference within spi_sync
Summary: VUL-0: CVE-2024-36930: kernel: spi: fix null pointer dereference within spi_sync
Status: RESOLVED FIXED
Alias: CVE-2024-36930
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/408213/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-06-03 12:17 UTC by SMASH SMASH
Modified: 2024-06-06 10:10 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-06-03 12:17:55 UTC
In the Linux kernel, the following vulnerability has been resolved:

spi: fix null pointer dereference within spi_sync

If spi_sync() is called with the non-empty queue and the same spi_message
is then reused, the complete callback for the message remains set while
the context is cleared, leading to a null pointer dereference when the
callback is invoked from spi_finalize_current_message().

With function inlining disabled, the call stack might look like this:

  _raw_spin_lock_irqsave from complete_with_flags+0x18/0x58
  complete_with_flags from spi_complete+0x8/0xc
  spi_complete from spi_finalize_current_message+0xec/0x184
  spi_finalize_current_message from spi_transfer_one_message+0x2a8/0x474
  spi_transfer_one_message from __spi_pump_transfer_message+0x104/0x230
  __spi_pump_transfer_message from __spi_transfer_message_noqueue+0x30/0xc4
  __spi_transfer_message_noqueue from __spi_sync+0x204/0x248
  __spi_sync from spi_sync+0x24/0x3c
  spi_sync from mcp251xfd_regmap_crc_read+0x124/0x28c [mcp251xfd]
  mcp251xfd_regmap_crc_read [mcp251xfd] from _regmap_raw_read+0xf8/0x154
  _regmap_raw_read from _regmap_bus_read+0x44/0x70
  _regmap_bus_read from _regmap_read+0x60/0xd8
  _regmap_read from regmap_read+0x3c/0x5c
  regmap_read from mcp251xfd_alloc_can_err_skb+0x1c/0x54 [mcp251xfd]
  mcp251xfd_alloc_can_err_skb [mcp251xfd] from mcp251xfd_irq+0x194/0xe70 [mcp251xfd]
  mcp251xfd_irq [mcp251xfd] from irq_thread_fn+0x1c/0x78
  irq_thread_fn from irq_thread+0x118/0x1f4
  irq_thread from kthread+0xd8/0xf4
  kthread from ret_from_fork+0x14/0x28

Fix this by also setting message->complete to NULL when the transfer is
complete.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-36930
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-36930.mbox
https://git.kernel.org/stable/c/e005d6754e3e440257006795b687c4ad8733b493
https://git.kernel.org/stable/c/a30659f1576d2c8e62e7426232bb18b885fd951a
https://git.kernel.org/stable/c/2070d008cc08bff50a58f0f4d30f12d3ebf94c00
https://git.kernel.org/stable/c/4756fa529b2f12b7cb8f21fe229b0f6f47190829
https://www.cve.org/CVERecord?id=CVE-2024-36930
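The reuse sequence the commit message describes, as an added userspace C model written for this page (not kernel code, and not from the SUSE bug or the upstream fix). The struct fields and function names mirror drivers/spi/spi.c, but the bodies are a simplification: the queued path stores spi_complete and a pointer to a stack-allocated completion in the message, runs the transfer synchronously instead of through the message pump, and afterwards clears only message->context; a second spi_sync() on the same message with an empty queue is assumed (consistent with the __spi_transfer_message_noqueue frame in the call stack) to take the immediate path, which does not reset either field, so spi_finalize_current_message() calls the stale callback with a NULL context. The `fixed` flag applies the upstream change of also clearing message->complete. The model's spi_complete() counts a NULL argument instead of dereferencing it, so the scenario can run and be checked rather than crash.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed userspace model of the fields that matter for the bug. The names
 * mirror drivers/spi/spi.c, but these are not the kernel's structures.
 */
struct completion {
	bool done;
};

struct spi_message {
	void (*complete)(void *context); /* completion callback, may be left stale */
	void *context;                   /* argument handed to ->complete */
	int status;
};

struct spi_controller {
	bool queue_empty; /* selects the immediate or the queued path */
};

/* The kernel's spi_complete() dereferences its argument; the model counts instead of faulting. */
static int null_context_calls;

static void spi_complete(void *arg)
{
	struct completion *done = arg;

	if (!done) {
		null_context_calls++; /* this is the point where the kernel oopses */
		return;
	}
	done->done = true;
}

/* As in the kernel: run the callback only if one is set, with whatever context is stored. */
static void spi_finalize_current_message(struct spi_message *mesg)
{
	mesg->status = 0;
	if (mesg->complete)
		mesg->complete(mesg->context);
}

/*
 * Model of __spi_sync(). With a non-empty queue the message is queued and the
 * caller waits on a stack-allocated completion; the queued transfer is run
 * synchronously here rather than by the message pump. With an empty queue the
 * message is transferred immediately and ->complete/->context are not touched.
 */
static int spi_sync(struct spi_controller *ctlr, struct spi_message *mesg, bool fixed)
{
	struct completion done = { false };

	if (ctlr->queue_empty) {
		spi_finalize_current_message(mesg);
		return mesg->status;
	}

	mesg->complete = spi_complete;
	mesg->context = &done;
	spi_finalize_current_message(mesg); /* stands in for the pump plus wait_for_completion() */
	if (!done.done)
		return -1;

	mesg->context = NULL;      /* &done is about to go out of scope, so it must not survive */
	if (fixed)
		mesg->complete = NULL; /* upstream fix: clear the callback together with its context */
	return mesg->status;
}

/*
 * The sequence from the report: spi_sync() with a non-empty queue, then the same
 * struct spi_message reused once the queue is empty. Returns how many times the
 * completion callback was invoked with a NULL context (-1 on a transfer error).
 */
int reuse_scenario(bool fixed)
{
	struct spi_controller ctlr = { .queue_empty = false };
	struct spi_message msg = { 0 };

	null_context_calls = 0;

	if (spi_sync(&ctlr, &msg, fixed) != 0)
		return -1;

	ctlr.queue_empty = true; /* queue drained between the two calls */
	if (spi_sync(&ctlr, &msg, fixed) != 0)
		return -1;

	return null_context_calls;
}

int main(void)
{
	printf("unfixed: %d callback(s) with NULL context\n", reuse_scenario(false));
	printf("fixed:   %d callback(s) with NULL context\n", reuse_scenario(true));
	return 0;
}
```

The point the model makes is that the two fields form one unit: a callback is only safe to leave behind if its argument is too, and a stack address handed out as context must be retracted together with the callback that would consume it. Checking only for a non-NULL callback, as spi_finalize_current_message() does, cannot distinguish a live callback from a stale one.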
Comment 1 Miroslav Franc 2024-06-06 09:39:32 UTC
The fix is in all relevant branches.  Switching back to the security team.
Comment 3 Andrea Mattiazzo 2024-06-06 10:10:15 UTC
All done, closing.