A vulnerability (CVE-2024-57889) in the Linux kernel's pinctrl driver for the Microchip MCP23xxx I/O expanders (pinctrl: mcp23s08) has been resolved. The driver could sleep in atomic context because regmap's internal mutex was taken while a spinlock was held. The bug affects devices that use an MCP23xxx I/O expander as an interrupt source.

Problem Encountered

During experimentation with a touchscreen driver that used the MCP23017 I/O expander (I2C), the following warning was observed:

BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ...
preempt_count: 1, expected: 0
...
Call Trace:
...
__might_resched+0x104/0x10e
__might_sleep+0x3e/0x62
mutex_lock+0x20/0x4c
regmap_lock_mutex+0x10/0x18
regmap_update_bits_base+0x2c/0x66
mcp23s08_irq_set_type+0x1ae/0x1d6
__irq_set_trigger+0x56/0x172
__setup_irq+0x1e6/0x646
request_threaded_irq+0xb6/0x160
...

The root cause is regmap's locking. Unless the regmap config opts out (.fast_io selects a spinlock, .disable_locking turns internal locking off), regmap protects its registers against concurrent access with a mutex, and taking a mutex may sleep. mcp23s08_irq_set_type() calls regmap_update_bits_base(), which takes that mutex. But __setup_irq() holds the raw spinlock desc->lock with interrupts disabled when it calls __irq_set_trigger() and, through it, the chip's irq_set_type callback. Acquiring a mutex there is a sleeping operation in atomic context, which is exactly what the splat reports (in_atomic(): 1, irqs_disabled(): 1).
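To recognise this failure on a running system, the following shell script, an added example that is not part of the original report or of the kernel tree, scans a dmesg dump for the signature above: a sleeping-in-atomic splat whose call trace passes through both regmap_lock_mutex and mcp23s08_irq_set_type. The sample log embedded in it is constructed from the trace quoted in this report with made-up timestamps, pid and trailing line; the function name and the file argument are the script's own.

```shell
#!/bin/sh
# Added example, not from the original report or the kernel tree.
# Scans a dmesg dump for the CVE-2024-57889 signature: a "sleeping function
# called from invalid context" splat whose call trace goes through both
# regmap_lock_mutex (regmap's internal mutex) and mcp23s08_irq_set_type.

# Constructed sample modelled on the trace quoted in the report; timestamps,
# pid and the trailing unrelated line are made up.
SAMPLE_LOG='[   12.345678] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283
[   12.345690] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0
[   12.345700] preempt_count: 1, expected: 0
[   12.345710] Call Trace:
[   12.345720]  __might_resched+0x104/0x10e
[   12.345730]  __might_sleep+0x3e/0x62
[   12.345740]  mutex_lock+0x20/0x4c
[   12.345750]  regmap_lock_mutex+0x10/0x18
[   12.345760]  regmap_update_bits_base+0x2c/0x66
[   12.345770]  mcp23s08_irq_set_type+0x1ae/0x1d6
[   12.345780]  __irq_set_trigger+0x56/0x172
[   12.345790]  __setup_irq+0x1e6/0x646
[   12.345800]  request_threaded_irq+0xb6/0x160
[   13.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd'

# mcp23s08_splat_count LOG_TEXT
# Prints the number of splats in LOG_TEXT that match the signature. A splat
# starts at the "BUG:" line; header lines (in_atomic, preempt_count, CPU:,
# Call Trace:, <TASK>) carry no frame and are skipped, stack frames are
# recognised by their symbol+0xoff/0xsize form, and the first non-frame
# line after the frames ends the splat.
mcp23s08_splat_count() {
    printf '%s\n' "$1" | awk '
        /BUG: sleeping function called from invalid context/ {
            if (in_splat && regmap && mcp) hits++
            in_splat = 1; seen_frame = 0; regmap = 0; mcp = 0
            next
        }
        in_splat && /\+0x[0-9a-f]+\/0x[0-9a-f]+/ {
            seen_frame = 1
            if (/regmap_lock_mutex/) regmap = 1
            if (/mcp23s08_irq_set_type/) mcp = 1
            next
        }
        in_splat && seen_frame && !/<\/?TASK>/ {
            if (regmap && mcp) hits++
            in_splat = 0
        }
        END {
            if (in_splat && regmap && mcp) hits++
            print hits + 0
        }
    '
}

# With a file argument (e.g. the output of "dmesg > dmesg.txt") that dump is
# scanned; without one the constructed sample is used.
if [ "$#" -gt 0 ]; then
    log=$(cat -- "$@")
else
    log=$SAMPLE_LOG
fi
hits=$(mcp23s08_splat_count "$log")
printf 'mcp23s08 sleeping-in-atomic splats found: %s\n' "$hits"
```

Both symbols are required on purpose: regmap_lock_mutex alone appears in many unrelated splats, and mcp23s08_irq_set_type alone would also match a trace that does not involve the mutex. On a kernel source tree, grep -n disable_locking drivers/pinctrl/pinctrl-mcp23s08.c shows whether the driver already carries the fix described under Solution.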

Solution

The fix changes who owns the lock. Internal locking is disabled in the regmap config (.disable_locking), so regmap calls no longer take a mutex of their own, and the driver's own mutex is taken explicitly in mcp_pinconf_get() and mcp_pinconf_set(), the two paths that had relied on regmap's lock. The interrupt paths stay protected because the driver already serializes them through its irq_bus_lock/irq_bus_sync_unlock callbacks, which take that mutex before desc->lock is held; the set_type callback therefore runs with the registers already locked and no longer has anything to sleep on. The caveat this introduces: with regmap's internal locking off, any new regmap access added to the driver must itself be placed under the driver's mutex, or the protection against concurrent access is lost.

Original references and details about the vulnerability and the fix can be found here:

- Linux kernel mailing list
- Kernel commit with the fix

Exploit Details

There is no exploit for this bug in the usual sense: it is a locking error, not a memory-safety flaw, and nothing in the report supports data corruption or code execution. The condition is reached whenever a consumer driver calls request_threaded_irq() (or request_irq()) with a trigger type for a line provided by an MCP23xxx expander, since __setup_irq() then calls the expander's irq_set_type callback with desc->lock held. On kernels built with CONFIG_DEBUG_ATOMIC_SLEEP the result is the splat shown above; on other kernels an uncontended mutex is taken silently, but a contended one would make the caller try to schedule with interrupts disabled, which can deadlock or hang the system. The practical impact is therefore a local denial of service confined to systems with such hardware, triggered by driver probing rather than by untrusted input.

No exploitation in the wild has been reported. Users of affected hardware should update to a kernel that contains the fix.

Timeline

Published on: 01/15/2025 13:15:13 UTC
Last modified on: 01/20/2025 06:28:57 UTC