CVE-2024-36930 in Linuxinfo

Summary

by MITRE • 05/30/2024

In the Linux kernel, the following vulnerability has been resolved:

spi: fix null pointer dereference within spi_sync

If spi_sync() is called with the non-empty queue and the same spi_message is then reused, the complete callback for the message remains set while the context is cleared, leading to a null pointer dereference when the callback is invoked from spi_finalize_current_message().

With function inlining disabled, the call stack might look like this:

_raw_spin_lock_irqsave from complete_with_flags+0x18/0x58 complete_with_flags from spi_complete+0x8/0xc spi_complete from spi_finalize_current_message+0xec/0x184 spi_finalize_current_message from spi_transfer_one_message+0x2a8/0x474 spi_transfer_one_message from __spi_pump_transfer_message+0x104/0x230 __spi_pump_transfer_message from __spi_transfer_message_noqueue+0x30/0xc4 __spi_transfer_message_noqueue from __spi_sync+0x204/0x248 __spi_sync from spi_sync+0x24/0x3c spi_sync from mcp251xfd_regmap_crc_read+0x124/0x28c [mcp251xfd]
mcp251xfd_regmap_crc_read [mcp251xfd] from _regmap_raw_read+0xf8/0x154
_regmap_raw_read from _regmap_bus_read+0x44/0x70 _regmap_bus_read from _regmap_read+0x60/0xd8 _regmap_read from regmap_read+0x3c/0x5c regmap_read from mcp251xfd_alloc_can_err_skb+0x1c/0x54 [mcp251xfd]
mcp251xfd_alloc_can_err_skb [mcp251xfd] from mcp251xfd_irq+0x194/0xe70 [mcp251xfd]
mcp251xfd_irq [mcp251xfd] from irq_thread_fn+0x1c/0x78
irq_thread_fn from irq_thread+0x118/0x1f4 irq_thread from kthread+0xd8/0xf4 kthread from ret_from_fork+0x14/0x28

Fix this by also setting message->complete to NULL when the transfer is complete.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/30/2024

The vulnerability identified as CVE-2024-36930 resides within the Linux kernel's SPI subsystem, specifically in the spi_sync function implementation. This flaw represents a critical null pointer dereference condition that can lead to system instability and potential denial of service. The issue manifests when spi_sync() is invoked with a non-empty transfer queue containing the same spi_message structure that has already been processed. The root cause lies in the improper handling of message completion callbacks during the transfer lifecycle, where the completion context is cleared while the callback pointer remains intact, creating a scenario where a null pointer dereference occurs upon callback invocation.

The technical implementation of this vulnerability involves a complex call stack that demonstrates how the kernel's SPI message processing can fail when message reuse occurs within the same transfer queue. During the spi_finalize_current_message() function execution, the system attempts to invoke the message's completion callback, but due to the incomplete cleanup of message state, this callback points to a null address. This condition is particularly dangerous because it occurs during interrupt handling contexts, where kernel stability is paramount. The vulnerability is exacerbated by the specific sequence of function calls that leads from the hardware interrupt handler through the regmap subsystem back to the SPI layer, creating a path where message state corruption directly impacts kernel execution flow.

The operational impact of this vulnerability extends beyond simple system crashes to potentially enable privilege escalation or persistent denial of service conditions within embedded systems that rely heavily on SPI communication. Systems utilizing the mcp251xfd CAN driver, as evidenced by the call stack, are particularly vulnerable since this driver frequently uses regmap operations that trigger the problematic code path. The vulnerability affects kernel versions where function inlining is disabled, though it may manifest in various forms across different kernel configurations. According to CWE classification, this represents a CWE-476: Null Pointer Dereference, which is a fundamental programming error that can lead to system compromise. The ATT&CK framework categorizes this under T1499.004: Endpoint Denial of Service, as exploitation can result in complete system unavailability through kernel panic conditions.

Mitigation strategies for this vulnerability require immediate kernel updates to versions containing the patched spi_sync implementation, where the fix ensures that message->complete is explicitly set to NULL when transfer completion occurs. System administrators should prioritize patching affected kernels, particularly those running embedded systems or industrial control applications that depend on SPI communication protocols. Additional defensive measures include implementing proper message lifecycle management within device drivers and monitoring for abnormal interrupt handling patterns that might indicate exploitation attempts. The patch addresses the core issue by ensuring consistent state cleanup during message processing, preventing the scenario where completion callbacks reference freed or invalid memory locations. This fix aligns with kernel security best practices for resource management and prevents the propagation of corrupted state information through the kernel's SPI subsystem, thereby maintaining system integrity during concurrent SPI transfer operations.

Reservation

05/30/2024

Disclosure

05/30/2024

Moderation

accepted

CPE

ready

EPSS

0.00227

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!