CVE-2024-56785: Add .vulnerable file

The root cause was introduced in commit
24af105962c8004edb9f5bf84bc587cbb30e52de (July 9, 2020) by Jiaxun Yang,
which initially created the arch/mips/boot/dts/loongson/ls7a-pch.dtsi
file.

Technical Analysis of the Root Cause:

1. Incorrect node naming: The PCIe bridge nodes were named
   pci_bridge@X,0 instead of the correct pcie@X,0. According to Device
   Tree conventions, PCIe ports should use the "pcie" node name.

2. Missing critical PCI bridge properties: The PCIe bridge nodes lacked
   essential properties required for proper PCI bridge operation:
   - #address-cells = <3> - Required for PCI address translation
   - #size-cells = <2> - Required for PCI size specification
   - device_type = "pci" - Required to identify the node as a PCI bus
   - ranges - Required for address translation between parent and child
     address spaces

3. Incorrect interrupt cell configuration: The parent PCI node had
   #interrupt-cells = <2> which was incorrect for this configuration and
   caused dtc warnings about the node not being an interrupt provider.

Chain of Events:

1. July 2020: Commit 24af105962c80 introduced the ls7a-pch.dtsi file
   with these structural issues in the PCIe bridge definitions.

2. March 2021: A similar issue existed in the ls2k DTS file
   (loongson64-2k1000.dtsi), introduced in commit b1a792601f264.

3. May 2024: Commit d89a415ff8d5 fixed the issue for ls2k devices but
   had a misleading commit subject that claimed to fix ls7a (it only
   fixed loongson64-2k1000.dtsi).

4. November 2024: Commit 045b14ca5c36 added stricter warnings in the OF
   core code for missing #address-cells/#size-cells, which exposed the
   latent issues more prominently at runtime.

5. November 2024: Finally, commit 4fbd66d8254c properly fixed the ls7a
   issues that had been present since the file's introduction.

The bug remained latent for over 4 years because:
- The missing properties didn't cause immediate failures but resulted
  in warnings
- The Device Tree compiler (dtc) warnings were likely ignored or not
  prominent enough
- The runtime impact was minimal until stricter OF validation was added
- There was confusion between ls2k and ls7a fixes (as evidenced by the
  misleading commit message in d89a415ff8d5)

This is a classic example of how Device Tree specification violations
can persist for years until stricter validation exposes them, and how
misleading commit messages can cause confusion about what was actually
fixed.

Signed-off-by: Sasha Levin <sashal@kernel.org>
1 file changed
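The three defect classes the commit message enumerates (bridge node naming and the four missing bridge properties, a stray `#interrupt-cells` on a node that is not an interrupt provider, and `reg` under a parent with no `#address-cells`/`#size-cells`) can be checked mechanically. The script below is an added illustration, not part of the commit message, of dtc, or of the kernel's OF core: it parses a small DTS subset and reports those defects on a constructed "before" fragment and its corrected "after". The node names, compatibles, addresses and the `BRIDGE_CELLS` set it treats as required are assumptions made for the example; the real dtc and OF checks are more thorough.

```python
"""Mini DTS linter for the PCI bridge defects described in the commit message
above. Added illustration, not dtc and not the kernel's OF core: it parses a
small DTS subset, and the node names, compatibles and addresses in the sample
fragments are constructed."""
import re

BRIDGE_CELLS = {"#address-cells": 3, "#size-cells": 2}   # assumed required set
# Strings, <cell lists>, punctuation, bare words; commas stay inside bare words
# so a unit address like 'pcie@9,0' survives as one token.
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|<[^>]*>|[{};=]|[^\s{};=<>"]+')


class Node:
    def __init__(self, name, parent=None):
        self.name, self.parent, self.props, self.children = name, parent, {}, []

    def path(self):
        return "/" if self.parent is None else self.parent.path().rstrip("/") + "/" + self.name

    def cells(self, prop):                      # first integer of '<...>', or None
        v = self.props.get(prop)
        return int(v[0].strip("<>").split()[0], 0) if v else None

    def string(self, prop):
        v = self.props.get(prop)
        return v[0].strip('"') if v else None


def parse_dts(text):
    """Return the root Node; '/dts-v1/;' and comments are skipped."""
    text = re.sub(r"/\*.*?\*/|//[^\n]*", "", text, flags=re.S)
    toks, root, pos = _TOKEN.findall(text), None, 0
    while pos < len(toks):
        if pos + 1 < len(toks) and toks[pos + 1] == "{":
            root, pos = _parse_node(toks, pos, None)
        else:
            pos += 1
    return root


def _parse_node(toks, pos, parent):
    node, pos = Node(toks[pos], parent), pos + 2          # name '{'
    while toks[pos] != "}":
        if toks[pos].endswith(":"):                       # 'label:' prefix
            pos += 1
        elif toks[pos + 1] == "{":
            child, pos = _parse_node(toks, pos, node)
            node.children.append(child)
        else:                                             # 'name;' or 'name = v, v;'
            name, pos, values = toks[pos], pos + 1, []
            if toks[pos] == "=":
                pos += 1
                while toks[pos] != ";":
                    if toks[pos] != ",":
                        values.append(toks[pos])
                    pos += 1
            node.props[name], pos = values, pos + 1       # ';'
    return node, pos + 2                                  # '}' ';'


def lint(root):
    """Report the three defect classes: bridge naming/properties, '#interrupt-cells'
    on a non-provider (what dtc warns about), and 'reg' under a parent with no
    address/size cells (what the stricter OF core check warns about)."""
    out = []

    def walk(n):
        base = n.name.split("@", 1)[0]
        on_pci_bus = n.parent is not None and n.parent.string("device_type") == "pci"
        if on_pci_bus and base in ("pci_bridge", "pcie"):   # assumption: name-based
            if base == "pci_bridge":
                out.append(f"{n.path()}: PCIe port should be named 'pcie@...'")
            for prop, want in BRIDGE_CELLS.items():
                if n.cells(prop) != want:
                    out.append(f"{n.path()}: missing or wrong {prop} (want <{want}>)")
            if n.string("device_type") != "pci":
                out.append(f'{n.path()}: missing device_type = "pci"')
            if "ranges" not in n.props:
                out.append(f"{n.path()}: missing 'ranges'")
        if "#interrupt-cells" in n.props and not (
                "interrupt-controller" in n.props or "interrupt-map" in n.props):
            out.append(f"{n.path()}: '#interrupt-cells' found, but node is not an interrupt provider")
        if "reg" in n.props and n.parent is not None:
            for prop in BRIDGE_CELLS:
                if n.parent.cells(prop) is None:
                    out.append(f"{n.path()}: parent lacks {prop}, 'reg' cannot be interpreted")
        for c in n.children:
            walk(c)

    walk(root)
    return out


# Constructed 'before' fragment with the same shape of defects (not the real file).
BROKEN_DTS = """
/dts-v1/;
/ {
    #address-cells = <2>; #size-cells = <2>;
    pci: pci@1a000000 {
        compatible = "example,pci-host"; device_type = "pci";
        #address-cells = <3>; #size-cells = <2>;
        #interrupt-cells = <2>;
        reg = <0 0x1a000000 0 0x02000000>;
        ranges = <0x01000000 0 0x18000 0 0x18018000 0 0x8000>;
        pci_bridge@9,0 {
            reg = <0x4800 0 0 0 0>; interrupts = <32 4>;
            ethernet@0,0 { reg = <0 0 0 0 0>; };
        };
    };
};
"""
# Constructed 'after': port renamed, bridge properties added, stray cells dropped.
FIXED_DTS = BROKEN_DTS.replace("        #interrupt-cells = <2>;\n", "").replace(
    "pci_bridge@9,0 {",
    'pcie@9,0 {\n            #address-cells = <3>; #size-cells = <2>;\n'
    '            device_type = "pci"; ranges;')

if __name__ == "__main__":
    for label, dts in (("before", BROKEN_DTS), ("after", FIXED_DTS)):
        findings = lint(parse_dts(dts))
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  " + f)
```

Running it lists eight findings for the "before" fragment (one for the parent's `#interrupt-cells`, five for the `pci_bridge@9,0` node, two for the child whose `reg` cannot be interpreted) and none for the "after" fragment. The last class is the one that stayed quiet for years: a child `reg` under a bridge without cell counts is not an error in dtc, so only a deliberate runtime check surfaces it.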