Google Git
Sign in
kernel / pub / scm / linux / security / vulns / 6fce47cde715809c31009f4848cbb3b2c1f16a2b
commit6fce47cde715809c31009f4848cbb3b2c1f16a2b[log] [tgz]
authorSasha Levin <sashal@kernel.org>Mon Jun 09 08:17:45 2025 -0400
committerSasha Levin <sashal@kernel.org>Mon Jun 09 08:17:45 2025 -0400
treed5f3394be1ade08a42c1bdd7e9f9934a3bee8065
parentb807559b691954ead9c19375ba5cf2d8ad373aad [diff]
CVE-2024-35943: Add .vulnerable file

The issue fixed by commit 5d7f58ee08434a33340f75ac7ac5071eea9673b3
addresses a missing NULL pointer check after a devm_kasprintf() call
that could lead to a kernel crash or undefined behavior.

Commit 58cbff023bfaeb by Tony Lindgren on 2020-07-02 introduced the
root cause of this issue. This commit added basic power domain support
to the OMAP PRM (Power and Reset Manager) driver.

In the omap_prm_domain_init() function, the original code introduced:

name = devm_kasprintf(dev, GFP_KERNEL, "prm_%s", data->name);
// No NULL check here\!
prmd->pd.name = name;  // Assigns potentially NULL pointer
// ...
pm_genpd_init(&prmd->pd, NULL, true);  // Uses pd.name internally

The chain of events leading to potential failure:

1. Memory Allocation Failure: devm_kasprintf() calls devm_kmalloc()
   internally to allocate memory. If the system is under memory
   pressure, this allocation can fail and return NULL.

2. NULL Assignment: Without checking the return value, the code assigns
   this potentially NULL pointer to prmd->pd.name.

3. Unsafe Usage in pm_genpd_init(): The pm_genpd_init() function uses
   genpd->name in two critical places:
   - For warning messages: pr_warn("%s: no governor for states\n",
     genpd->name);
   - For setting the device name: dev_set_name(&genpd->dev, "%s",
     genpd->name);

4. Kernel Crash Scenario: When dev_set_name() is called with a NULL
   name and the device doesn't already have a name, it eventually calls
   strchr(NULL, '%') in kvasprintf_const(), causing a NULL pointer
   dereference and kernel crash.

The fix in commit 5d7f58ee08434a33340f75ac7ac5071eea9673b3 is simple
but crucial - it adds a check that ensures if memory allocation fails,
the function returns an error instead of proceeding with a NULL pointer
that would cause a crash later.

The root underlying issue was introduced in commit 58cbff023bfaeb
("soc: ti: omap-prm: Add basic power domain support") on 2020-07-02,
where the code failed to check the return value of devm_kasprintf()
before using it, violating a fundamental rule of kernel programming:
always check for allocation failures. This created a potential NULL
pointer dereference path that could crash the kernel under memory
pressure conditions.

Signed-off-by: Sasha Levin <sashal@kernel.org>
1 file changed
tree: d5f3394be1ade08a42c1bdd7e9f9934a3bee8065
  1. cve/
  2. form_letters/
  3. git_hooks/
  4. gsd/
  5. LICENSES/
  6. scripts/
  7. tmp/
  8. tools/
  9. .gitignore
  10. .gitmodules
  11. HOWTO
  12. justfile
  13. README