CVE-2024-36930 - Linux Kernel Vulnerability Resolved: Spi Null Pointer Dereference Issue Within Spi_Sync

A vulnerability in the Linux kernel has been resolved by fixing a null pointer dereference within spi_sync(). This vulnerability, identified as CVE-2024-36930, could potentially cause a system crash or other issues. This post will provide a detailed explanation of the vulnerability, its resolution, and links to original references.

spi: fix null pointer dereference within spi_sync

If spi_sync() is called with the non-empty queue and the same spi_message is then reused, the complete callback for the message remains set while the context is cleared, leading to a null pointer dereference when the callback is invoked from spi_finalize_current_message().

With function inlining disabled, the call stack might look like this

  _raw_spin_lock_irqsave from complete_with_flags+x18/x58
  complete_with_flags from spi_complete+x8/xc
  spi_complete from spi_finalize_current_message+xec/x184
  spi_finalize_current_message from spi_transfer_one_message+x2a8/x474
  spi_transfer_one_message from __spi_pump_transfer_message+x104/x230
  __spi_pump_transfer_message from __spi_transfer_message_noqueue+x30/xc4
  __spi_transfer_message_noqueue from __spi_sync+x204/x248
  __spi_sync from spi_sync+x24/x3c
  spi_sync from mcp251xfd_regmap_crc_read+x124/x28c [mcp251xfd]
  mcp251xfd_regmap_crc_read [mcp251xfd] from _regmap_raw_read+xf8/x154
  _regmap_raw_read from _regmap_bus_read+x44/x70
  _regmap_bus_read from _regmap_read+x60/xd8
  _regmap_read from regmap_read+x3c/x5c
  regmap_read from mcp251xfd_alloc_can_err_skb+x1c/x54 [mcp251xfd]
  mcp251xfd_alloc_can_err_skb [mcp251xfd] from mcp251xfd_irq+x194/xe70 [mcp251xfd]
  mcp251xfd_irq [mcp251xfd] from irq_thread_fn+x1c/x78
  irq_thread_fn from irq_thread+x118/x1f4
  irq_thread from kthread+xd8/xf4
  kthread from ret_from_fork+x14/x28

The fix for this vulnerability involves setting message->complete to NULL when the transfer is complete.

The following patches have been developed and applied to resolve the vulnerability

- spi: fix null pointer dereference within spi_sync
- spi: spi_sync: fix a NULL pointer dereference

To ensure the security of your Linux systems, it is recommended to update the kernel to the latest version that includes these patches.

Original References

- Linux kernel mailing list
- CVE-2024-36930: Linux Kernel Spi Fix

Exploit details

There are currently no known exploits for this vulnerability. However, it is always wise to patch and update your systems as soon as possible to prevent potential future attacks.

Timeline

Published on: 05/30/2024 16:15:16 UTC
Last modified on: 06/10/2024 19:20:48 UTC