We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-26807

spi: cadence-qspi: fix pointer reference in runtime PM hooks



AssignerLinux
Reserved2024-02-19
Published2024-04-04
Updated2024-11-05

Description

In the Linux kernel, the following vulnerability has been resolved: Both cadence-quadspi ->runtime_suspend() and ->runtime_resume() implementations start with: struct cqspi_st *cqspi = dev_get_drvdata(dev); struct spi_controller *host = dev_get_drvdata(dev); This obviously cannot be correct, unless "struct cqspi_st" is the first member of " struct spi_controller", or the other way around, but it is not the case. "struct spi_controller" is allocated by devm_spi_alloc_host(), which allocates an extra amount of memory for private data, used to store "struct cqspi_st". The ->probe() function of the cadence-quadspi driver then sets the device drvdata to store the address of the "struct cqspi_st" structure. Therefore: struct cqspi_st *cqspi = dev_get_drvdata(dev); is correct, but: struct spi_controller *host = dev_get_drvdata(dev); is not, as it makes "host" point not to a "struct spi_controller" but to the same "struct cqspi_st" structure as above. This obviously leads to bad things (memory corruption, kernel crashes) directly during ->probe(), as ->probe() enables the device using PM runtime, leading the ->runtime_resume() hook being called, which in turns calls spi_controller_resume() with the wrong pointer. This has at least been reported [0] to cause a kernel crash, but the exact behavior will depend on the memory contents. [0] https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/ This issue potentially affects all platforms that are currently using the cadence-quadspi driver.

Product status

Default status
unaffected

2087e85bb66e before 03f1573c9587
affected

2087e85bb66e before 34e1d5c4407c
affected

2087e85bb66e before 32ce3bb57b6b
affected

Default status
affected

6.4
affected

Any version before 6.4
unaffected

6.6.21
unaffected

6.7.9
unaffected

6.8
unaffected

References

https://git.kernel.org/stable/c/03f1573c9587029730ca68503f5062105b122f61

https://git.kernel.org/stable/c/34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03

https://git.kernel.org/stable/c/32ce3bb57b6b402de2aec1012511e7ac4e7449dc

cve.org CVE-2024-26807

nvd.nist.gov CVE-2024-26807

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-26807
Subscribe to our newsletter to learn more about our work.