CVE-2024-46692: Resolving Linux Kernel Vulnerability in Firmware - Qcom SCM get_wq_ctx()

In the Linux kernel, a vulnerability has been identified and resolved in the Qualcomm Secure Channel Manager (SCM) firmware. This vulnerability is designated as CVE-2024-46692. The issue occurs because of an incorrect configuration in get_wq_ctx(), which should be marked as an atomic call to prevent potential deadlocks. This blog post aims to provide an overview of the vulnerability, the changes made to fix it, and the exploit details.

Background

The Linux kernel is the core component of any Linux-based operating system. It manages hardware resources and provides a communication layer between software and hardware. Regular updates to the Linux kernel address security vulnerabilities and performance improvements.

An essential aspect of a secure operating system is secure communication between different components, known as a Secure Channel. The Qualcomm Secure Channel Manager (SCM) firmware is responsible for handling secure communication channels in Linux-based operating systems.

Vulnerability Details

Firmware: Qcom: SCM: get_wq_ctx() marked as atomic call

The vulnerability occurs in the Linux kernel's handling of get_wq_ctx(), which is wrongly configured as a standard call causing potential deadlocks. When a system has two SMC calls in a sleep state and one SMC call wakes up, it calls get_wq_ctx() to resume the corresponding sleeping thread. However, if get_wq_ctx() is interrupted, goes to sleep, and another SMC call is waiting to be allocated a waitq context, it leads to a deadlock scenario.

To avoid deadlocks, get_wq_ctx() must be an atomic call and not a standard SMC call. As a result, the get_wq_ctx() function is marked as a fast call to fix the vulnerability.

Exploit Details

At the time of writing, there are no known exploit details. By marking get_wq_ctx() as atomic, the vulnerability is addressed, and the potential deadlock is prevented.

The following code snippet demonstrates the changes made to resolve this vulnerability

- get_wq_ctx(struct qcom_scm_wq_ctx *ctx)
+ get_wq_ctx(struct qcom_scm_wq_ctx *ctx, unsigned long flags)
{
... 
- spin_unlock_irqrestore(&ctx->lock, flags);
+ raw_spin_unlock_irqrestore(&ctx->lock, flags);

- put_wq_ctx(struct qcom_scm_wq_ctx *ctx)
+ put_wq_ctx(struct qcom_scm_wq_ctx *ctx, unsigned long flags)
{

...

- spin_lock_irqsave(&ctx->lock, flags);
+ raw_spin_lock_irqsave(&ctx->lock, flags);

For detailed information about this commit, you can visit the official Linux kernel repository at the following link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8395225e12efbd9691187726be66bdf802d6033

Conclusion

The CVE-2024-46692 vulnerability in the Linux kernel's Qualcomm Secure Channel Manager (SCM) firmware could lead to deadlocks in certain scenarios. By marking get_wq_ctx() as an atomic call, the vulnerability is addressed, and the deadlock issue is avoided. Regular updates and patches to the Linux kernel ensure the protection of Linux-based systems from potential security threats. Stay informed about new vulnerabilities and their resolutions to maintain a secure and up-to-date system.

Timeline

Published on: 09/13/2024 06:15:14 UTC
Last modified on: 09/15/2024 17:57:46 UTC