cve/published/2024/CVE-2024-58084.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-58084: firmware: qcom: scm: Fix missing read barrier in qcom_scm_get_tzmem_pool()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 firmware: qcom: scm: Fix missing read barrier in qcom_scm_get_tzmem_pool()

 Commit 2e4955167ec5 ("firmware: qcom: scm: Fix __scm and waitq
 completion variable initialization") introduced a write barrier in probe
 function to store global '__scm' variable.  We all known barriers are
 paired (see memory-barriers.txt: "Note that write barriers should
 normally be paired with read or address-dependency barriers"), therefore
 accessing it from concurrent contexts requires read barrier.  Previous
 commit added such barrier in qcom_scm_is_available(), so let's use that
 directly.

 Lack of this read barrier can result in fetching stale '__scm' variable
 value, NULL, and dereferencing it.

 Note that barrier in qcom_scm_is_available() satisfies here the control
 dependency.

 The Linux kernel CVE team has assigned CVE-2024-58084 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.11 with commit 449d0d84bcd8246b508d07995326d13c54488b8c and fixed in 6.12.14 with commit fee921e3c641f64185abee83f9a6e65f0b380682
 	Issue introduced in 6.11 with commit 449d0d84bcd8246b508d07995326d13c54488b8c and fixed in 6.13.3 with commit e03db7c1255ebabba5e1a447754faeb138de15a2
 	Issue introduced in 6.11 with commit 449d0d84bcd8246b508d07995326d13c54488b8c and fixed in 6.14 with commit b628510397b5cafa1f5d3e848a28affd1c635302

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-58084
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/firmware/qcom/qcom_scm.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/fee921e3c641f64185abee83f9a6e65f0b380682
 	https://git.kernel.org/stable/c/e03db7c1255ebabba5e1a447754faeb138de15a2
 	https://git.kernel.org/stable/c/b628510397b5cafa1f5d3e848a28affd1c635302
	From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-58084: firmware: qcom: scm: Fix missing read barrier in qcom_scm_get_tzmem_pool()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	firmware: qcom: scm: Fix missing read barrier in qcom_scm_get_tzmem_pool()

	Commit 2e4955167ec5 ("firmware: qcom: scm: Fix __scm and waitq
	completion variable initialization") introduced a write barrier in probe
	function to store global '__scm' variable. We all known barriers are
	paired (see memory-barriers.txt: "Note that write barriers should
	normally be paired with read or address-dependency barriers"), therefore
	accessing it from concurrent contexts requires read barrier. Previous
	commit added such barrier in qcom_scm_is_available(), so let's use that
	directly.

	Lack of this read barrier can result in fetching stale '__scm' variable
	value, NULL, and dereferencing it.

	Note that barrier in qcom_scm_is_available() satisfies here the control
	dependency.

	The Linux kernel CVE team has assigned CVE-2024-58084 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.11 with commit 449d0d84bcd8246b508d07995326d13c54488b8c and fixed in 6.12.14 with commit fee921e3c641f64185abee83f9a6e65f0b380682
	Issue introduced in 6.11 with commit 449d0d84bcd8246b508d07995326d13c54488b8c and fixed in 6.13.3 with commit e03db7c1255ebabba5e1a447754faeb138de15a2
	Issue introduced in 6.11 with commit 449d0d84bcd8246b508d07995326d13c54488b8c and fixed in 6.14 with commit b628510397b5cafa1f5d3e848a28affd1c635302

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-58084
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/firmware/qcom/qcom_scm.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/fee921e3c641f64185abee83f9a6e65f0b380682
	https://git.kernel.org/stable/c/e03db7c1255ebabba5e1a447754faeb138de15a2
	https://git.kernel.org/stable/c/b628510397b5cafa1f5d3e848a28affd1c635302