cve/published/2024/CVE-2024-36930.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-36930: spi: fix null pointer dereference within spi_sync

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 spi: fix null pointer dereference within spi_sync

 If spi_sync() is called with the non-empty queue and the same spi_message
 is then reused, the complete callback for the message remains set while
 the context is cleared, leading to a null pointer dereference when the
 callback is invoked from spi_finalize_current_message().

 With function inlining disabled, the call stack might look like this:

   _raw_spin_lock_irqsave from complete_with_flags+0x18/0x58
   complete_with_flags from spi_complete+0x8/0xc
   spi_complete from spi_finalize_current_message+0xec/0x184
   spi_finalize_current_message from spi_transfer_one_message+0x2a8/0x474
   spi_transfer_one_message from __spi_pump_transfer_message+0x104/0x230
   __spi_pump_transfer_message from __spi_transfer_message_noqueue+0x30/0xc4
   __spi_transfer_message_noqueue from __spi_sync+0x204/0x248
   __spi_sync from spi_sync+0x24/0x3c
   spi_sync from mcp251xfd_regmap_crc_read+0x124/0x28c [mcp251xfd]
   mcp251xfd_regmap_crc_read [mcp251xfd] from _regmap_raw_read+0xf8/0x154
   _regmap_raw_read from _regmap_bus_read+0x44/0x70
   _regmap_bus_read from _regmap_read+0x60/0xd8
   _regmap_read from regmap_read+0x3c/0x5c
   regmap_read from mcp251xfd_alloc_can_err_skb+0x1c/0x54 [mcp251xfd]
   mcp251xfd_alloc_can_err_skb [mcp251xfd] from mcp251xfd_irq+0x194/0xe70 [mcp251xfd]
   mcp251xfd_irq [mcp251xfd] from irq_thread_fn+0x1c/0x78
   irq_thread_fn from irq_thread+0x118/0x1f4
   irq_thread from kthread+0xd8/0xf4
   kthread from ret_from_fork+0x14/0x28

 Fix this by also setting message->complete to NULL when the transfer is
 complete.

 The Linux kernel CVE team has assigned CVE-2024-36930 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.0 with commit ae7d2346dc89ae89a6e0aabe6037591a11e593c0 and fixed in 6.1.91 with commit e005d6754e3e440257006795b687c4ad8733b493
 	Issue introduced in 6.0 with commit ae7d2346dc89ae89a6e0aabe6037591a11e593c0 and fixed in 6.6.31 with commit a30659f1576d2c8e62e7426232bb18b885fd951a
 	Issue introduced in 6.0 with commit ae7d2346dc89ae89a6e0aabe6037591a11e593c0 and fixed in 6.8.10 with commit 2070d008cc08bff50a58f0f4d30f12d3ebf94c00
 	Issue introduced in 6.0 with commit ae7d2346dc89ae89a6e0aabe6037591a11e593c0 and fixed in 6.9 with commit 4756fa529b2f12b7cb8f21fe229b0f6f47190829

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-36930
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/spi/spi.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e005d6754e3e440257006795b687c4ad8733b493
 	https://git.kernel.org/stable/c/a30659f1576d2c8e62e7426232bb18b885fd951a
 	https://git.kernel.org/stable/c/2070d008cc08bff50a58f0f4d30f12d3ebf94c00
 	https://git.kernel.org/stable/c/4756fa529b2f12b7cb8f21fe229b0f6f47190829
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-36930: spi: fix null pointer dereference within spi_sync

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	spi: fix null pointer dereference within spi_sync

	If spi_sync() is called with the non-empty queue and the same spi_message
	is then reused, the complete callback for the message remains set while
	the context is cleared, leading to a null pointer dereference when the
	callback is invoked from spi_finalize_current_message().

	With function inlining disabled, the call stack might look like this:

	_raw_spin_lock_irqsave from complete_with_flags+0x18/0x58
	complete_with_flags from spi_complete+0x8/0xc
	spi_complete from spi_finalize_current_message+0xec/0x184
	spi_finalize_current_message from spi_transfer_one_message+0x2a8/0x474
	spi_transfer_one_message from __spi_pump_transfer_message+0x104/0x230
	__spi_pump_transfer_message from __spi_transfer_message_noqueue+0x30/0xc4
	__spi_transfer_message_noqueue from __spi_sync+0x204/0x248
	__spi_sync from spi_sync+0x24/0x3c
	spi_sync from mcp251xfd_regmap_crc_read+0x124/0x28c [mcp251xfd]
	mcp251xfd_regmap_crc_read [mcp251xfd] from _regmap_raw_read+0xf8/0x154
	_regmap_raw_read from _regmap_bus_read+0x44/0x70
	_regmap_bus_read from _regmap_read+0x60/0xd8
	_regmap_read from regmap_read+0x3c/0x5c
	regmap_read from mcp251xfd_alloc_can_err_skb+0x1c/0x54 [mcp251xfd]
	mcp251xfd_alloc_can_err_skb [mcp251xfd] from mcp251xfd_irq+0x194/0xe70 [mcp251xfd]
	mcp251xfd_irq [mcp251xfd] from irq_thread_fn+0x1c/0x78
	irq_thread_fn from irq_thread+0x118/0x1f4
	irq_thread from kthread+0xd8/0xf4
	kthread from ret_from_fork+0x14/0x28

	Fix this by also setting message->complete to NULL when the transfer is
	complete.

	The Linux kernel CVE team has assigned CVE-2024-36930 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.0 with commit ae7d2346dc89ae89a6e0aabe6037591a11e593c0 and fixed in 6.1.91 with commit e005d6754e3e440257006795b687c4ad8733b493
	Issue introduced in 6.0 with commit ae7d2346dc89ae89a6e0aabe6037591a11e593c0 and fixed in 6.6.31 with commit a30659f1576d2c8e62e7426232bb18b885fd951a
	Issue introduced in 6.0 with commit ae7d2346dc89ae89a6e0aabe6037591a11e593c0 and fixed in 6.8.10 with commit 2070d008cc08bff50a58f0f4d30f12d3ebf94c00
	Issue introduced in 6.0 with commit ae7d2346dc89ae89a6e0aabe6037591a11e593c0 and fixed in 6.9 with commit 4756fa529b2f12b7cb8f21fe229b0f6f47190829

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-36930
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/spi/spi.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e005d6754e3e440257006795b687c4ad8733b493
	https://git.kernel.org/stable/c/a30659f1576d2c8e62e7426232bb18b885fd951a
	https://git.kernel.org/stable/c/2070d008cc08bff50a58f0f4d30f12d3ebf94c00
	https://git.kernel.org/stable/c/4756fa529b2f12b7cb8f21fe229b0f6f47190829