cve/published/2024/CVE-2024-26807.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26807: spi: cadence-qspi: fix pointer reference in runtime PM hooks

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 Both cadence-quadspi ->runtime_suspend() and ->runtime_resume()
 implementations start with:

 	struct cqspi_st *cqspi = dev_get_drvdata(dev);
 	struct spi_controller *host = dev_get_drvdata(dev);

 This obviously cannot be correct, unless "struct cqspi_st" is the
 first member of " struct spi_controller", or the other way around, but
 it is not the case. "struct spi_controller" is allocated by
 devm_spi_alloc_host(), which allocates an extra amount of memory for
 private data, used to store "struct cqspi_st".

 The ->probe() function of the cadence-quadspi driver then sets the
 device drvdata to store the address of the "struct cqspi_st"
 structure. Therefore:

 	struct cqspi_st *cqspi = dev_get_drvdata(dev);

 is correct, but:

 	struct spi_controller *host = dev_get_drvdata(dev);

 is not, as it makes "host" point not to a "struct spi_controller" but
 to the same "struct cqspi_st" structure as above.

 This obviously leads to bad things (memory corruption, kernel crashes)
 directly during ->probe(), as ->probe() enables the device using PM
 runtime, leading the ->runtime_resume() hook being called, which in
 turns calls spi_controller_resume() with the wrong pointer.

 This has at least been reported [0] to cause a kernel crash, but the
 exact behavior will depend on the memory contents.

 [0] https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/

 This issue potentially affects all platforms that are currently using
 the cadence-quadspi driver.

 The Linux kernel CVE team has assigned CVE-2024-26807 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.1.28 with commit 79acf7fb856eade9c3d0cf00fd34a04bf5c43a1c and fixed in 6.1.140 with commit 2c914aac9522f6e93822c18dff233d3e92399c81
 	Issue introduced in 6.4 with commit 2087e85bb66ee3652dafe732bb9b9b896229eafc and fixed in 6.6.21 with commit 03f1573c9587029730ca68503f5062105b122f61
 	Issue introduced in 6.4 with commit 2087e85bb66ee3652dafe732bb9b9b896229eafc and fixed in 6.7.9 with commit 34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03
 	Issue introduced in 6.4 with commit 2087e85bb66ee3652dafe732bb9b9b896229eafc and fixed in 6.8 with commit 32ce3bb57b6b402de2aec1012511e7ac4e7449dc
 	Issue introduced in 4.19.283 with commit e3f9fc9a4f1499cc9e1bad4482d377494e367b3d
 	Issue introduced in 5.4.243 with commit 6716203844bc8489af5e5564f0fa31e0c094a7ff
 	Issue introduced in 5.10.180 with commit b24f1ecc8fe2ceefc14af02edb1744c246d87bf7
 	Issue introduced in 5.15.111 with commit d453f25faf681799d636fe9d6899ad91c45aa11e
 	Issue introduced in 6.2.15 with commit 18cb554e9da81bc4eca653c17a0d65e8b5835c09
 	Issue introduced in 6.3.2 with commit 1368dbc0a432acf9fc0dcb23bfe52d32ca4c09ab

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26807
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/spi/spi-cadence-quadspi.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/2c914aac9522f6e93822c18dff233d3e92399c81
 	https://git.kernel.org/stable/c/03f1573c9587029730ca68503f5062105b122f61
 	https://git.kernel.org/stable/c/34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03
 	https://git.kernel.org/stable/c/32ce3bb57b6b402de2aec1012511e7ac4e7449dc
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26807: spi: cadence-qspi: fix pointer reference in runtime PM hooks

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	Both cadence-quadspi ->runtime_suspend() and ->runtime_resume()
	implementations start with:

	struct cqspi_st *cqspi = dev_get_drvdata(dev);
	struct spi_controller *host = dev_get_drvdata(dev);

	This obviously cannot be correct, unless "struct cqspi_st" is the
	first member of " struct spi_controller", or the other way around, but
	it is not the case. "struct spi_controller" is allocated by
	devm_spi_alloc_host(), which allocates an extra amount of memory for
	private data, used to store "struct cqspi_st".

	The ->probe() function of the cadence-quadspi driver then sets the
	device drvdata to store the address of the "struct cqspi_st"
	structure. Therefore:

	struct cqspi_st *cqspi = dev_get_drvdata(dev);

	is correct, but:

	struct spi_controller *host = dev_get_drvdata(dev);

	is not, as it makes "host" point not to a "struct spi_controller" but
	to the same "struct cqspi_st" structure as above.

	This obviously leads to bad things (memory corruption, kernel crashes)
	directly during ->probe(), as ->probe() enables the device using PM
	runtime, leading the ->runtime_resume() hook being called, which in
	turns calls spi_controller_resume() with the wrong pointer.

	This has at least been reported [0] to cause a kernel crash, but the
	exact behavior will depend on the memory contents.

	[0] https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/

	This issue potentially affects all platforms that are currently using
	the cadence-quadspi driver.

	The Linux kernel CVE team has assigned CVE-2024-26807 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.1.28 with commit 79acf7fb856eade9c3d0cf00fd34a04bf5c43a1c and fixed in 6.1.140 with commit 2c914aac9522f6e93822c18dff233d3e92399c81
	Issue introduced in 6.4 with commit 2087e85bb66ee3652dafe732bb9b9b896229eafc and fixed in 6.6.21 with commit 03f1573c9587029730ca68503f5062105b122f61
	Issue introduced in 6.4 with commit 2087e85bb66ee3652dafe732bb9b9b896229eafc and fixed in 6.7.9 with commit 34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03
	Issue introduced in 6.4 with commit 2087e85bb66ee3652dafe732bb9b9b896229eafc and fixed in 6.8 with commit 32ce3bb57b6b402de2aec1012511e7ac4e7449dc
	Issue introduced in 4.19.283 with commit e3f9fc9a4f1499cc9e1bad4482d377494e367b3d
	Issue introduced in 5.4.243 with commit 6716203844bc8489af5e5564f0fa31e0c094a7ff
	Issue introduced in 5.10.180 with commit b24f1ecc8fe2ceefc14af02edb1744c246d87bf7
	Issue introduced in 5.15.111 with commit d453f25faf681799d636fe9d6899ad91c45aa11e
	Issue introduced in 6.2.15 with commit 18cb554e9da81bc4eca653c17a0d65e8b5835c09
	Issue introduced in 6.3.2 with commit 1368dbc0a432acf9fc0dcb23bfe52d32ca4c09ab

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26807
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/spi/spi-cadence-quadspi.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/2c914aac9522f6e93822c18dff233d3e92399c81
	https://git.kernel.org/stable/c/03f1573c9587029730ca68503f5062105b122f61
	https://git.kernel.org/stable/c/34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03
	https://git.kernel.org/stable/c/32ce3bb57b6b402de2aec1012511e7ac4e7449dc