blob: 361e1f0ea30aec2320142ab6dfa7d5ad0e64da13
From 4ec1bd5adb9f5def6cf401b587f8b61d9aef8750 Mon Sep 17 00:00:00 2001
From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Date: Mon, 13 May 2024 17:13:29 +0200
Subject: [PATCH] CVE-2024-26807: improve description of the CVE
The issue reported in CVE-2024-26807 was explained without sufficient
details, and pointed to a particular platform family that in fact was
not currently affected by CVE-2024-26807, as this platform family is
currently not using the cadence-quadspi driver. This change proposes a
more detailed and accurate description of the issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
cve/published/2024/CVE-2024-26807.mbox | 41 ++++++++++++++++++++++----
1 file changed, 35 insertions(+), 6 deletions(-)
--- a/CVE-2024-26807.mbox
+++ b/CVE-2024-26807.mbox
@@ -1,10 +1,39 @@
In the Linux kernel, the following vulnerability has been resolved:
-spi: cadence-qspi: fix pointer reference in runtime PM hooks
+Both cadence-quadspi ->runtime_suspend() and ->runtime_resume()
+implementations start with:
-dev_get_drvdata() gets used to acquire the pointer to cqspi and the SPI
-controller. Neither embed the other; this lead to memory corruption.
+ struct cqspi_st *cqspi = dev_get_drvdata(dev);
+ struct spi_controller *host = dev_get_drvdata(dev);
-On a given platform (Mobileye EyeQ5) the memory corruption is hidden
-inside cqspi->f_pdata. Also, this uninitialised memory is used as a
-mutex (ctlr->bus_lock_mutex) by spi_controller_suspend().
+This obviously cannot be correct, unless "struct cqspi_st" is the
+first member of " struct spi_controller", or the other way around, but
+it is not the case. "struct spi_controller" is allocated by
+devm_spi_alloc_host(), which allocates an extra amount of memory for
+private data, used to store "struct cqspi_st".
+
+The ->probe() function of the cadence-quadspi driver then sets the
+device drvdata to store the address of the "struct cqspi_st"
+structure. Therefore:
+
+ struct cqspi_st *cqspi = dev_get_drvdata(dev);
+
+is correct, but:
+
+ struct spi_controller *host = dev_get_drvdata(dev);
+
+is not, as it makes "host" point not to a "struct spi_controller" but
+to the same "struct cqspi_st" structure as above.
+
+This obviously leads to bad things (memory corruption, kernel crashes)
+directly during ->probe(), as ->probe() enables the device using PM
+runtime, leading the ->runtime_resume() hook being called, which in
+turns calls spi_controller_resume() with the wrong pointer.
+
+This has at least been reported [0] to cause a kernel crash, but the
+exact behavior will depend on the memory contents.
+
+[0] https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/
+
+This issue potentially affects all platforms that are currently using
+the cadence-quadspi driver.
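Review bot: the hunk removes the fixing commit's subject line ("spi: cadence-qspi: fix pointer reference in runtime PM hooks") immediately after "In the Linux kernel, the following vulnerability has been resolved:" and does not re-add it anywhere, so the description no longer names the commit that fixes the issue; please keep that subject as the first line of the body, with the new explanation following it. Two wording fixes in the added text: "unless "struct cqspi_st" is the first member of " struct spi_controller"" has a stray space inside the second quoted type name, and the paragraph starting "This obviously leads to bad things" should read "leading to the ->runtime_resume() hook being called, which in turn calls spi_controller_resume()". The rest of the rewrite is an improvement: it explains why only one of the two dev_get_drvdata() casts is valid (drvdata holds the struct cqspi_st allocated as devm_spi_alloc_host() private data) and correctly drops the platform-specific EyeQ5 claim in favour of "all platforms that are currently using the cadence-quadspi driver".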