Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-cve / . / cve / published / 2024 / CVE-2024-53157.mbox
blob: 7b9694bb0351d24d26fc227d8ab2f014e8ae9949 [file] [log] [blame]
From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-53157: firmware: arm_scpi: Check the DVFS OPP count returned by the firmware
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
firmware: arm_scpi: Check the DVFS OPP count returned by the firmware
Fix a kernel crash with the below call trace when the SCPI firmware
returns OPP count of zero.
dvfs_info.opp_count may be zero on some platforms during the reboot
test, and the kernel will crash after dereferencing the pointer to
kcalloc(info->count, sizeof(*opp), GFP_KERNEL).
| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028
| Mem abort info:
| ESR = 0x96000004
| Exception class = DABT (current EL), IL = 32 bits
| SET = 0, FnV = 0
| EA = 0, S1PTW = 0
| Data abort info:
| ISV = 0, ISS = 0x00000004
| CM = 0, WnR = 0
| user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000faefa08c
| [0000000000000028] pgd=0000000000000000
| Internal error: Oops: 96000004 [#1] SMP
| scpi-hwmon: probe of PHYT000D:00 failed with error -110
| Process systemd-udevd (pid: 1701, stack limit = 0x00000000aaede86c)
| CPU: 2 PID: 1701 Comm: systemd-udevd Not tainted 4.19.90+ #1
| Hardware name: PHYTIUM LTD Phytium FT2000/4/Phytium FT2000/4, BIOS
| pstate: 60000005 (nZCv daif -PAN -UAO)
| pc : scpi_dvfs_recalc_rate+0x40/0x58 [clk_scpi]
| lr : clk_register+0x438/0x720
| Call trace:
| scpi_dvfs_recalc_rate+0x40/0x58 [clk_scpi]
| devm_clk_hw_register+0x50/0xa0
| scpi_clk_ops_init.isra.2+0xa0/0x138 [clk_scpi]
| scpi_clocks_probe+0x528/0x70c [clk_scpi]
| platform_drv_probe+0x58/0xa8
| really_probe+0x260/0x3d0
| driver_probe_device+0x12c/0x148
| device_driver_attach+0x74/0x98
| __driver_attach+0xb4/0xe8
| bus_for_each_dev+0x88/0xe0
| driver_attach+0x30/0x40
| bus_add_driver+0x178/0x2b0
| driver_register+0x64/0x118
| __platform_driver_register+0x54/0x60
| scpi_clocks_driver_init+0x24/0x1000 [clk_scpi]
| do_one_initcall+0x54/0x220
| do_init_module+0x54/0x1c8
| load_module+0x14a4/0x1668
| __se_sys_finit_module+0xf8/0x110
| __arm64_sys_finit_module+0x24/0x30
| el0_svc_common+0x78/0x170
| el0_svc_handler+0x38/0x78
| el0_svc+0x8/0x340
| Code: 937d7c00 a94153f3 a8c27bfd f9400421 (b8606820)
| ---[ end trace 06feb22469d89fa8 ]---
| Kernel panic - not syncing: Fatal exception
| SMP: stopping secondary CPUs
| Kernel Offset: disabled
| CPU features: 0x10,a0002008
| Memory Limit: none
The Linux kernel CVE team has assigned CVE-2024-53157 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.4 with commit 8cb7cf56c9fe5412de238465b27ef35b4d2801aa and fixed in 4.19.325 with commit 12e2c520a0a4202575e4a45ea41f06a8e9aa3417
Issue introduced in 4.4 with commit 8cb7cf56c9fe5412de238465b27ef35b4d2801aa and fixed in 5.4.287 with commit 8be4e51f3ecfb0915e3510b600c4cce0dc68a383
Issue introduced in 4.4 with commit 8cb7cf56c9fe5412de238465b27ef35b4d2801aa and fixed in 5.10.231 with commit 380c0e1d96f3b522f3170c18ee5e0f1a28fec5d6
Issue introduced in 4.4 with commit 8cb7cf56c9fe5412de238465b27ef35b4d2801aa and fixed in 5.15.174 with commit 2a5b8de6fcb944f9af0c5fcb30bb0c039705e051
Issue introduced in 4.4 with commit 8cb7cf56c9fe5412de238465b27ef35b4d2801aa and fixed in 6.1.120 with commit 06258e57fee253f4046d3a6a86d7fde09f596eac
Issue introduced in 4.4 with commit 8cb7cf56c9fe5412de238465b27ef35b4d2801aa and fixed in 6.6.64 with commit 025067eeb945aa17c7dd483a63960125b7efb577
Issue introduced in 4.4 with commit 8cb7cf56c9fe5412de238465b27ef35b4d2801aa and fixed in 6.11.11 with commit dfc9c2aa7f04f7db7e7225a5e118a24bf1c3b325
Issue introduced in 4.4 with commit 8cb7cf56c9fe5412de238465b27ef35b4d2801aa and fixed in 6.12.2 with commit 9beaff47bcea5eec7d4ead98f5043057161fd71a
Issue introduced in 4.4 with commit 8cb7cf56c9fe5412de238465b27ef35b4d2801aa and fixed in 6.13 with commit 109aa654f85c5141e813b2cd1bd36d90be678407
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-53157
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/firmware/arm_scpi.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/12e2c520a0a4202575e4a45ea41f06a8e9aa3417
https://git.kernel.org/stable/c/8be4e51f3ecfb0915e3510b600c4cce0dc68a383
https://git.kernel.org/stable/c/380c0e1d96f3b522f3170c18ee5e0f1a28fec5d6
https://git.kernel.org/stable/c/2a5b8de6fcb944f9af0c5fcb30bb0c039705e051
https://git.kernel.org/stable/c/06258e57fee253f4046d3a6a86d7fde09f596eac
https://git.kernel.org/stable/c/025067eeb945aa17c7dd483a63960125b7efb577
https://git.kernel.org/stable/c/dfc9c2aa7f04f7db7e7225a5e118a24bf1c3b325
https://git.kernel.org/stable/c/9beaff47bcea5eec7d4ead98f5043057161fd71a
https://git.kernel.org/stable/c/109aa654f85c5141e813b2cd1bd36d90be678407