A recent vulnerability, CVE-2024-26866, has been discovered and resolved in the Linux kernel. It is located in the fsl_lpspi_probe() function. The issue stems from the driver allocating and disposing of the controller memory manually with spi_alloc_host()/spi_alloc_target(), while registering the controller with the device-managed devm_spi_register_controller().

This issue can result in a NULL pointer dereference error and associated kernel panic when attempting to access an invalid memory address. In particular, the memory is explicitly freed in the probe function by a spi_controller_put() call, but is then used again by the "devm" management code outside probe() (spi_unregister_controller() <- devm_spi_unregister() below).

Here is the call trace of the failing path for reference:

...
spi_unregister_controller
devm_spi_unregister
release_nodes
devres_release_all
really_probe
driver_probe_device
__device_attach_driver
bus_for_each_drv
__device_attach
device_initial_probe
bus_probe_device
deferred_probe_work_func
process_one_work
worker_thread
kthread
ret_from_fork

In order to fix this vulnerability, changes have been made to handle the memory allocation and freeing appropriately, which ultimately avoids the potential use-after-free issue in probe() and prevents kernel panics from occurring.
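The ordering problem described above can be reproduced in a small userspace model. This is an added example, not kernel code and not the actual patch: struct ctlr, the devres stack and every function name are hypothetical stand-ins, and the managed_alloc variant is an assumption showing one consistent ownership scheme, in which the allocation is also owned by devres.

```c
#include <stdio.h>

/* Toy userspace model; every name here is hypothetical, not kernel code. */
struct ctlr { int refs; int freed; };
struct devres { void (*release)(struct ctlr *); struct ctlr *c; };
static struct devres stack[4];   /* per-device devres list, released LIFO */
static int depth, stale_access;

/* Models spi_controller_put(): dropping the last reference frees the object. */
static void ctlr_put(struct ctlr *c) { if (--c->refs == 0) c->freed = 1; }
/* Models devm_spi_unregister(): it has to touch the controller. */
static void devm_unregister(struct ctlr *c) { if (c->freed) stale_access++; }

static void devm_add(void (*fn)(struct ctlr *), struct ctlr *c)
{
    stack[depth++] = (struct devres){ fn, c };
}

/* Models devres_release_all(): callbacks run in reverse registration order. */
static void devres_release_all(void)
{
    for (; depth > 0; depth--)
        stack[depth - 1].release(stack[depth - 1].c);
}

/* A probe that fails after registration; managed_alloc selects the pattern. */
static int probe(struct ctlr *c, int managed_alloc)
{
    if (managed_alloc)
        devm_add(ctlr_put, c);     /* allocation owned by devres (assumed fix) */
    devm_add(devm_unregister, c);  /* devm-managed registration */
    if (!managed_alloc)
        ctlr_put(c);               /* manual put on the error path */
    return -1;                     /* a later probe step failed */
}

/* Returns how many devres callbacks touched an already-freed controller. */
int run(int managed_alloc)
{
    struct ctlr c = { 1, 0 };      /* one reference held, not freed */
    depth = stale_access = 0;
    if (probe(&c, managed_alloc) < 0)  /* as really_probe() does on failure */
        devres_release_all();
    return stale_access;
}

int main(void)
{
    int manual = run(0), managed = run(1);
    printf("stale accesses: manual=%d managed=%d\n", manual, managed);
    return 0;
}
```

The model records the stale access with a flag instead of really freeing memory, so it is safe to run. In the kernel, the same ordering ends in the panic shown in the call trace.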

For more details on the vulnerability and its fix, you can refer to the original patch on the Linux Kernel Mailing List (LKML) that addressed this issue.

It is advisable to stay up-to-date with the latest Linux kernel releases to ensure you have all security patches and vulnerability fixes. You can find all kernel releases on the Linux Kernel Archives.

Exploit Details

To exploit this vulnerability, an attacker would need to have local access to the target Linux system. After gaining access, the attacker could potentially craft a malicious SPI device that triggers the use-after-free issue in the lpspi driver's probe() function, fsl_lpspi_probe(), leading to a kernel panic and potentially compromising system stability.

However, with the vulnerability now being resolved, the potential for exploitation has been significantly reduced. Systems running Linux kernels with the patch applied will no longer be susceptible to this particular use-after-free issue.

In conclusion, CVE-2024-26866 is a resolved vulnerability in the Linux kernel. It is crucial to continuously stay updated with the latest kernel releases and security patches to protect your system from potential exploits.

Timeline

Published on: 04/17/2024 11:15:09 UTC
Last modified on: 05/29/2024 05:24:08 UTC