cve/published/2024/CVE-2024-50104.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50104: ASoC: qcom: sdm845: add missing soundwire runtime stream alloc

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ASoC: qcom: sdm845: add missing soundwire runtime stream alloc

 During the migration of Soundwire runtime stream allocation from
 the Qualcomm Soundwire controller to SoC's soundcard drivers the sdm845
 soundcard was forgotten.

 At this point any playback attempt or audio daemon startup, for instance
 on sdm845-db845c (Qualcomm RB3 board), will result in stream pointer
 NULL dereference:

  Unable to handle kernel NULL pointer dereference at virtual
  address 0000000000000020
  Mem abort info:
    ESR = 0x0000000096000004
    EC = 0x25: DABT (current EL), IL = 32 bits
    SET = 0, FnV = 0
    EA = 0, S1PTW = 0
    FSC = 0x04: level 0 translation fault
  Data abort info:
    ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
    CM = 0, WnR = 0, TnD = 0, TagAccess = 0
    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
  user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101ecf000
  [0000000000000020] pgd=0000000000000000, p4d=0000000000000000
  Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
  Modules linked in: ...
  CPU: 5 UID: 0 PID: 1198 Comm: aplay
  Not tainted 6.12.0-rc2-qcomlt-arm64-00059-g9d78f315a362-dirty #18
  Hardware name: Thundercomm Dragonboard 845c (DT)
  pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  pc : sdw_stream_add_slave+0x44/0x380 [soundwire_bus]
  lr : sdw_stream_add_slave+0x44/0x380 [soundwire_bus]
  sp : ffff80008a2035c0
  x29: ffff80008a2035c0 x28: ffff80008a203978 x27: 0000000000000000
  x26: 00000000000000c0 x25: 0000000000000000 x24: ffff1676025f4800
  x23: ffff167600ff1cb8 x22: ffff167600ff1c98 x21: 0000000000000003
  x20: ffff167607316000 x19: ffff167604e64e80 x18: 0000000000000000
  x17: 0000000000000000 x16: ffffcec265074160 x15: 0000000000000000
  x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
  x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
  x8 : 0000000000000000 x7 : 0000000000000000 x6 : ffff167600ff1cec
  x5 : ffffcec22cfa2010 x4 : 0000000000000000 x3 : 0000000000000003
  x2 : ffff167613f836c0 x1 : 0000000000000000 x0 : ffff16761feb60b8
  Call trace:
   sdw_stream_add_slave+0x44/0x380 [soundwire_bus]
   wsa881x_hw_params+0x68/0x80 [snd_soc_wsa881x]
   snd_soc_dai_hw_params+0x3c/0xa4
   __soc_pcm_hw_params+0x230/0x660
   dpcm_be_dai_hw_params+0x1d0/0x3f8
   dpcm_fe_dai_hw_params+0x98/0x268
   snd_pcm_hw_params+0x124/0x460
   snd_pcm_common_ioctl+0x998/0x16e8
   snd_pcm_ioctl+0x34/0x58
   __arm64_sys_ioctl+0xac/0xf8
   invoke_syscall+0x48/0x104
   el0_svc_common.constprop.0+0x40/0xe0
   do_el0_svc+0x1c/0x28
   el0_svc+0x34/0xe0
   el0t_64_sync_handler+0x120/0x12c
   el0t_64_sync+0x190/0x194
  Code: aa0403fb f9418400 9100e000 9400102f (f8420f22)
  ---[ end trace 0000000000000000 ]---

 0000000000006108 <sdw_stream_add_slave>:
     6108:       d503233f        paciasp
     610c:       a9b97bfd        stp     x29, x30, [sp, #-112]!
     6110:       910003fd        mov     x29, sp
     6114:       a90153f3        stp     x19, x20, [sp, #16]
     6118:       a9025bf5        stp     x21, x22, [sp, #32]
     611c:       aa0103f6        mov     x22, x1
     6120:       2a0303f5        mov     w21, w3
     6124:       a90363f7        stp     x23, x24, [sp, #48]
     6128:       aa0003f8        mov     x24, x0
     612c:       aa0203f7        mov     x23, x2
     6130:       a9046bf9        stp     x25, x26, [sp, #64]
     6134:       aa0403f9        mov     x25, x4        <-- x4 copied to x25
     6138:       a90573fb        stp     x27, x28, [sp, #80]
     613c:       aa0403fb        mov     x27, x4
     6140:       f9418400        ldr     x0, [x0, #776]
     6144:       9100e000        add     x0, x0, #0x38
     6148:       94000000        bl      0 <mutex_lock>
     614c:       f8420f22        ldr     x2, [x25, #32]!  <-- offset 0x44
     ^^^
 This is 0x6108 + offset 0x44 from the beginning of sdw_stream_add_slave()
 where data abort happens.
 wsa881x_hw_params() is called with stream = NULL and passes it further
 in register x4 (5th argument) to sdw_stream_add_slave() without any checks.
 Value from x4 is copied to x25 and finally it aborts on trying to load
 a value from address in x25 plus offset 32 (in dec) which corresponds
 to master_list member in struct sdw_stream_runtime:

 struct sdw_stream_runtime {
         const char  *              name;	/*     0     8 */
         struct sdw_stream_params   params;	/*     8    12 */
         enum sdw_stream_state      state;	/*    20     4 */
         enum sdw_stream_type       type;	/*    24     4 */
         /* XXX 4 bytes hole, try to pack */
  here-> struct list_head           master_list;	/*    32    16 */
         int                        m_rt_count;	/*    48     4 */
         /* size: 56, cachelines: 1, members: 6 */
         /* sum members: 48, holes: 1, sum holes: 4 */
         /* padding: 4 */
         /* last cacheline: 56 bytes */

 Fix this by adding required calls to qcom_snd_sdw_startup() and
 sdw_release_stream() to startup and shutdown routines which restores
 the previous correct behaviour when ->set_stream() method is called to
 set a valid stream runtime pointer on playback startup.

 Reproduced and then fix was tested on db845c RB3 board.

 The Linux kernel CVE team has assigned CVE-2024-50104 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.8 with commit 15c7fab0e0477d7d7185eac574ca43c15b59b015 and fixed in 6.11.6 with commit fc34d36879f87e5a3813fb66655b8bdb90c7b0d8
 	Issue introduced in 6.8 with commit 15c7fab0e0477d7d7185eac574ca43c15b59b015 and fixed in 6.12 with commit d0e806b0cc6260b59c65e606034a63145169c04c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50104
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	sound/soc/qcom/sdm845.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/fc34d36879f87e5a3813fb66655b8bdb90c7b0d8
 	https://git.kernel.org/stable/c/d0e806b0cc6260b59c65e606034a63145169c04c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50104: ASoC: qcom: sdm845: add missing soundwire runtime stream alloc

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ASoC: qcom: sdm845: add missing soundwire runtime stream alloc

	During the migration of Soundwire runtime stream allocation from
	the Qualcomm Soundwire controller to SoC's soundcard drivers the sdm845
	soundcard was forgotten.

	At this point any playback attempt or audio daemon startup, for instance
	on sdm845-db845c (Qualcomm RB3 board), will result in stream pointer
	NULL dereference:

	Unable to handle kernel NULL pointer dereference at virtual
	address 0000000000000020
	Mem abort info:
	ESR = 0x0000000096000004
	EC = 0x25: DABT (current EL), IL = 32 bits
	SET = 0, FnV = 0
	EA = 0, S1PTW = 0
	FSC = 0x04: level 0 translation fault
	Data abort info:
	ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
	CM = 0, WnR = 0, TnD = 0, TagAccess = 0
	GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
	user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101ecf000
	[0000000000000020] pgd=0000000000000000, p4d=0000000000000000
	Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
	Modules linked in: ...
	CPU: 5 UID: 0 PID: 1198 Comm: aplay
	Not tainted 6.12.0-rc2-qcomlt-arm64-00059-g9d78f315a362-dirty #18
	Hardware name: Thundercomm Dragonboard 845c (DT)
	pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
	pc : sdw_stream_add_slave+0x44/0x380 [soundwire_bus]
	lr : sdw_stream_add_slave+0x44/0x380 [soundwire_bus]
	sp : ffff80008a2035c0
	x29: ffff80008a2035c0 x28: ffff80008a203978 x27: 0000000000000000
	x26: 00000000000000c0 x25: 0000000000000000 x24: ffff1676025f4800
	x23: ffff167600ff1cb8 x22: ffff167600ff1c98 x21: 0000000000000003
	x20: ffff167607316000 x19: ffff167604e64e80 x18: 0000000000000000
	x17: 0000000000000000 x16: ffffcec265074160 x15: 0000000000000000
	x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
	x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
	x8 : 0000000000000000 x7 : 0000000000000000 x6 : ffff167600ff1cec
	x5 : ffffcec22cfa2010 x4 : 0000000000000000 x3 : 0000000000000003
	x2 : ffff167613f836c0 x1 : 0000000000000000 x0 : ffff16761feb60b8
	Call trace:
	sdw_stream_add_slave+0x44/0x380 [soundwire_bus]
	wsa881x_hw_params+0x68/0x80 [snd_soc_wsa881x]
	snd_soc_dai_hw_params+0x3c/0xa4
	__soc_pcm_hw_params+0x230/0x660
	dpcm_be_dai_hw_params+0x1d0/0x3f8
	dpcm_fe_dai_hw_params+0x98/0x268
	snd_pcm_hw_params+0x124/0x460
	snd_pcm_common_ioctl+0x998/0x16e8
	snd_pcm_ioctl+0x34/0x58
	__arm64_sys_ioctl+0xac/0xf8
	invoke_syscall+0x48/0x104
	el0_svc_common.constprop.0+0x40/0xe0
	do_el0_svc+0x1c/0x28
	el0_svc+0x34/0xe0
	el0t_64_sync_handler+0x120/0x12c
	el0t_64_sync+0x190/0x194
	Code: aa0403fb f9418400 9100e000 9400102f (f8420f22)
	---[ end trace 0000000000000000 ]---

	0000000000006108 <sdw_stream_add_slave>:
	6108: d503233f paciasp
	610c: a9b97bfd stp x29, x30, [sp, #-112]!
	6110: 910003fd mov x29, sp
	6114: a90153f3 stp x19, x20, [sp, #16]
	6118: a9025bf5 stp x21, x22, [sp, #32]
	611c: aa0103f6 mov x22, x1
	6120: 2a0303f5 mov w21, w3
	6124: a90363f7 stp x23, x24, [sp, #48]
	6128: aa0003f8 mov x24, x0
	612c: aa0203f7 mov x23, x2
	6130: a9046bf9 stp x25, x26, [sp, #64]
	6134: aa0403f9 mov x25, x4 <-- x4 copied to x25
	6138: a90573fb stp x27, x28, [sp, #80]
	613c: aa0403fb mov x27, x4
	6140: f9418400 ldr x0, [x0, #776]
	6144: 9100e000 add x0, x0, #0x38
	6148: 94000000 bl 0 <mutex_lock>
	614c: f8420f22 ldr x2, [x25, #32]! <-- offset 0x44
	^^^
	This is 0x6108 + offset 0x44 from the beginning of sdw_stream_add_slave()
	where data abort happens.
	wsa881x_hw_params() is called with stream = NULL and passes it further
	in register x4 (5th argument) to sdw_stream_add_slave() without any checks.
	Value from x4 is copied to x25 and finally it aborts on trying to load
	a value from address in x25 plus offset 32 (in dec) which corresponds
	to master_list member in struct sdw_stream_runtime:

	struct sdw_stream_runtime {
	const char * name; /* 0 8 */
	struct sdw_stream_params params; /* 8 12 */
	enum sdw_stream_state state; /* 20 4 */
	enum sdw_stream_type type; /* 24 4 */
	/* XXX 4 bytes hole, try to pack */
	here-> struct list_head master_list; /* 32 16 */
	int m_rt_count; /* 48 4 */
	/* size: 56, cachelines: 1, members: 6 */
	/* sum members: 48, holes: 1, sum holes: 4 */
	/* padding: 4 */
	/* last cacheline: 56 bytes */

	Fix this by adding required calls to qcom_snd_sdw_startup() and
	sdw_release_stream() to startup and shutdown routines which restores
	the previous correct behaviour when ->set_stream() method is called to
	set a valid stream runtime pointer on playback startup.

	Reproduced and then fix was tested on db845c RB3 board.

	The Linux kernel CVE team has assigned CVE-2024-50104 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.8 with commit 15c7fab0e0477d7d7185eac574ca43c15b59b015 and fixed in 6.11.6 with commit fc34d36879f87e5a3813fb66655b8bdb90c7b0d8
	Issue introduced in 6.8 with commit 15c7fab0e0477d7d7185eac574ca43c15b59b015 and fixed in 6.12 with commit d0e806b0cc6260b59c65e606034a63145169c04c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50104
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	sound/soc/qcom/sdm845.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/fc34d36879f87e5a3813fb66655b8bdb90c7b0d8
	https://git.kernel.org/stable/c/d0e806b0cc6260b59c65e606034a63145169c04c