A recently addressed Linux kernel flaw, CVE-2024-46693, affected the soc: qcom: pmic_glink subsystem and could cause NULL pointer dereferences during driver initialization. Security researcher Stephen Boyd was the first to report the vulnerability, which affects the pmic_glink drivers used on Qualcomm (qcom) SoCs (System-on-Chip).

The vulnerability specifically affects the initialization of the pmic_glink child drivers altmode, battery manager, and ucsi. During initialization, a race can occur in which the protection domain (PD) notifier fires and schedules work before client registration has finished setting up the local "client" pointer. The scheduled work then dereferences "client" while it is still NULL.

To make the issue concrete, here is the race timeline for the ucsi driver's pmic_glink_ucsi_pdr_notify() path (the registering CPU on the left, the CPU running the scheduled work on the right):

CPU0                                     CPU1
ucsi->client = NULL;
devm_pmic_glink_register_client()
  client->pdr_notify(client->priv, pg->client_state)
    pmic_glink_ucsi_pdr_notify()
      schedule_work(&ucsi->register_work)
<schedule away>
                                         pmic_glink_ucsi_register()
                                           ucsi_register()
                                             pmic_glink_ucsi_read_version()
                                               pmic_glink_ucsi_read()
                                                 pmic_glink_ucsi_read()
                                                   pmic_glink_send(ucsi->client)
                                                   <client is NULL BAD>
ucsi->client = client // Too late!

The fix splits the allocation of the "client" object and its registration into two separate operations. The driver can therefore allocate the client and store the "client" pointer before registering it, so the pointer is valid before any work can be scheduled, which removes the NULL pointer dereference.
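The vulnerable ordering and the fixed ordering side by side, as an added user-space model that is not the kernel's code: the cross-CPU race from the timeline is collapsed into a notifier that fires synchronously inside registration so the outcome is deterministic, and the names pg_client, pg_send, pg_register_client, init_vulnerable and init_fixed are hypothetical stand-ins for the pmic_glink API.

```c
#include <stddef.h>

/* Hypothetical user-space model of the pmic_glink client lifecycle (not
 * kernel code). The cross-CPU race from the timeline is collapsed into a
 * synchronous notifier callback so the ordering is deterministic. */
struct pg_client {
	void *priv;
	void (*pdr_notify)(void *priv);
};

struct ucsi_dev {
	struct pg_client *client; /* pointer the work handler dereferences */
	int sent;                 /* sends that found a valid client */
	int null_derefs;          /* sends that would have oopsed in the kernel */
};

/* Stand-in for pmic_glink_send(); the real driver dereferences client here. */
static void pg_send(struct ucsi_dev *u)
{
	if (u->client == NULL) u->null_derefs++;
	else u->sent++;
}
/* Stand-in for the register_work handler that pdr_notify schedules. */
static void ucsi_pdr_notify(void *priv) { pg_send((struct ucsi_dev *)priv); }
/* Stand-in for client registration: the protection-domain notifier may
 * fire before registration returns, which is the window the CVE hits. */
static void pg_register_client(struct pg_client *c) { c->pdr_notify(c->priv); }

/* Vulnerable order: register first, publish ucsi->client afterwards. */
static int init_vulnerable(struct ucsi_dev *u, struct pg_client *c)
{
	u->client = NULL;
	c->priv = u;
	c->pdr_notify = ucsi_pdr_notify;
	pg_register_client(c); /* notifier runs while u->client is still NULL */
	u->client = c;         /* too late, exactly as in the timeline */
	return u->null_derefs;
}

/* Fixed order: allocate and publish the client, then register it. */
static int init_fixed(struct ucsi_dev *u, struct pg_client *c)
{
	c->priv = u;
	c->pdr_notify = ucsi_pdr_notify;
	u->client = c;         /* pointer is valid before any work can run */
	pg_register_client(c);
	return u->null_derefs;
}
```

Both functions return the number of sends that found a NULL client; the vulnerable order reports one, the fixed order none.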

- Linux kernel commit addressing the issue: link
- The commit introducing the pd-mapper implementation which increased the likelihood of the issue: link

Exploit Details

The vulnerability is a race condition during initialization that can lead to a NULL pointer dereference, so triggering it depends on winning that race in one of the affected pmic_glink child drivers. Given the specific sequence of events required and the limited scope, it is unlikely that an attacker could leverage this vulnerability for malicious purposes without a deep understanding of the target system's configuration and internals. The flaw is more likely to cause crashes or undefined behavior in the affected drivers than to be directly exploitable.

In conclusion, the Linux kernel vulnerability CVE-2024-46693 in the soc: qcom: pmic_glink subsystem has been resolved, making the underlying code less prone to NULL pointer dereferences and potential misbehavior. As the vulnerability has been addressed, users are encouraged to update their Linux kernel to the latest version to ensure their systems are protected from this issue.

Timeline

Published on: 09/13/2024 06:15:14 UTC
Last modified on: 09/13/2024 16:52:41 UTC