A Linux kernel vulnerability under the Common Vulnerabilities and Exposures (CVE) ID CVE-2024-26876 has been identified and resolved. The vulnerability affected the Digital Rights Management (DRM) subsystem, specifically the drm/bridge: adv7511 module. This module is responsible for advanced High-Definition Multimedia Interface (HDMI) features available on many Linux devices, and the uncovered vulnerability could lead to system crashes.

This post includes the technical details of the issue, code snippets demonstrating the fix, and links to the original references. The vulnerability is specific to this Linux kernel component.

Details

The vulnerability was discovered in the Linux kernel's DRM subsystem, specifically within the drm/bridge: adv7511 module. The issue occurs during the probe function (adv7511_probe()), an essential part of the initialization of the adv7511 HDMI chip. The problem is that an interrupt request (IRQ) already pending when the handler is registered can run the handler before the probe has finished, so the handler accesses uninitialized data belonging to the Consumer Electronics Control (CEC) features of HDMI and crashes the kernel.

Original references

1. Patchwork - drm/bridge: adv7511: fix crash on irq during probe
2. GitHub Linux Kernel Repository - drm/bridge: adv7511: fix crash on irq during probe

Code Snippet

The fix for this vulnerability involved moving the IRQ registration to the end of the adv7511_probe() function. Here is the code snippet demonstrating this change:

/* Original Code - Before the fix: the IRQ handler is registered while
 * later probe steps (the "..." below) are still outstanding. */
static int adv7511_probe(struct i2c_client *i2c, const struct i2c_device_id *id)
{
...
    ret = adv7511_attach_cec(adv7511);
    if (ret) {
        DRM_ERROR("Failed to attach CEC\n");
        goto err_i2c_deregister;
    }

    /* A pending IRQ can fire as soon as this call returns. */
    ret = request_threaded_irq(adv7511->irq, NULL, adv7511_irq_handler, IRQF_ONESHOT, "adv7511", adv7511);
    if (ret) {
        DRM_ERROR("Failed to request IRQ\n");
        goto err_cec_adap;
    }
...  /* remaining probe initialization runs after the IRQ is live */
}

/* Fixed Code - After the patch: the IRQ is requested as the last step of
 * probe, so everything the handler touches is initialized by then. */
static int adv7511_probe(struct i2c_client *i2c, const struct i2c_device_id *id)
{
...
    ret = adv7511_attach_cec(adv7511);
    if (ret) {
        DRM_ERROR("Failed to attach CEC\n");
        goto err_i2c_deregister;
    }
...  /* remaining probe initialization completes first */
    ret = request_threaded_irq(adv7511->irq, NULL, adv7511_irq_handler, IRQF_ONESHOT, "adv7511", adv7511);
    if (ret) {
        DRM_ERROR("Failed to request IRQ\n");
        goto err_cec_adap;
    }
}

When the bug is triggered, the kernel crashes with an Oops like the following:

Unable to handle kernel read from unreadable memory at virtual address 00000000000003d5
Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP
Call trace:
 cec_received_msg_ts+0x48/0x990 [cec]
 adv7511_cec_irq_process+0x1cc/0x308 [adv7511]
 adv7511_irq_process+0xd8/0x120 [adv7511]
 adv7511_irq_handler+0x1c/0x30 [adv7511]
 irq_thread_fn+0x30/0xa
 irq_thread+0x14c/0x238
 kthread+0x190/0x1a8
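To make the ordering hazard concrete, here is an added user-space C simulation; it is not kernel code and not part of the patch. A pending IRQ fires as soon as the handler is registered, and the handler dereferences the CEC adapter state, as cec_received_msg_ts() does in the trace above; every name carrying a _sim suffix, plus probe_before_fix() and probe_after_fix(), is a hypothetical stand-in for the real driver functions.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed stand-in for the CEC adapter state the handler touches. */
struct cec_adapter_sim { int msg_count; };

struct adv7511_sim {
    struct cec_adapter_sim *cec_adap; /* NULL until CEC init has run */
    bool irq_pending;                 /* IRQ line asserted before probe */
};

enum { PROBE_OK = 0, PROBE_CRASHED = -1 };

/* Mirrors the IRQ thread: it reads adapter state unconditionally. */
static int adv7511_irq_handler_sim(struct adv7511_sim *dev)
{
    if (dev->cec_adap == NULL)
        return PROBE_CRASHED; /* the kernel would Oops on this deref */
    dev->cec_adap->msg_count++;
    return PROBE_OK;
}

/* Models request_threaded_irq(): a level IRQ that is already pending
 * runs the handler immediately, before probe() has returned. */
static int request_irq_sim(struct adv7511_sim *dev)
{
    return dev->irq_pending ? adv7511_irq_handler_sim(dev) : PROBE_OK;
}

static void cec_init_sim(struct adv7511_sim *dev, struct cec_adapter_sim *adap)
{
    memset(adap, 0, sizeof(*adap));
    dev->cec_adap = adap;
}

/* Pre-fix order: register the IRQ, then finish CEC setup. */
int probe_before_fix(bool irq_pending)
{
    struct cec_adapter_sim adap;
    struct adv7511_sim dev = { .cec_adap = NULL, .irq_pending = irq_pending };
    int ret = request_irq_sim(&dev);
    if (ret)
        return ret;
    cec_init_sim(&dev, &adap);
    return PROBE_OK;
}

/* Post-fix order: finish CEC setup, register the IRQ last. */
int probe_after_fix(bool irq_pending)
{
    struct cec_adapter_sim adap;
    struct adv7511_sim dev = { .cec_adap = NULL, .irq_pending = irq_pending };
    cec_init_sim(&dev, &adap);
    return request_irq_sim(&dev);
}
```

With no IRQ pending both orderings succeed, which is why the crash only shows up on some boots and boards.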

Conclusion

The CVE-2024-26876 vulnerability has been resolved in the Linux kernel by moving the IRQ registration to the end of the adv7511_probe() function. Users and developers should ensure their Linux kernel versions are up to date with this fix to avoid potential system crashes and issues related to HDMI CEC features.

Timeline

Published on: 04/17/2024 11:15:09 UTC
Last modified on: 05/29/2024 05:24:18 UTC