CVE-2024-47666 in Linux

Summary

by MITRE • 10/09/2024

In the Linux kernel, the following vulnerability has been resolved:

scsi: pm80xx: Set phy->enable_completion only when we wait for it

pm8001_phy_control() populates the enable_completion pointer with a stack address, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and returns. The problem arises when a phy control response comes late. After 300 ms the pm8001_phy_control() function returns and the passed enable_completion stack address is no longer valid. Late phy control response invokes complete() on a dangling enable_completion pointer which leads to a kernel crash.


Analysis

by VulDB Data Team • 03/20/2026

CVE-2024-47666 is a stale-pointer bug in the Linux kernel's SCSI subsystem, in the pm80xx driver for PMC-Sierra/Microchip PM8001 and PM80xx SAS controllers. It sits in pm8001_phy_control(), the libsas phy-control entry point that handles link reset, hard reset and the related phy functions for a controller phy. The function declares a struct completion on its own stack and stores its address in phy->enable_completion at entry, before it has decided whether it will ever wait on that completion. For PHY_LINK_RESET and PHY_HARD_RESET it then sends the request to the controller, sleeps 300 ms and returns. The stack frame holding the completion is released at that point, but the pointer to it is still stored in the phy. A phy control response that arrives after the return finds that stale pointer and calls complete() on memory that no longer holds a completion, which crashes the kernel.

The race is between the driver's fixed 300 ms sleep and the controller's real response latency. On the reset paths the function never blocks on the completion; it only sleeps, so a slow firmware response is not waited for, and nothing clears phy->enable_completion before the function returns. When the response is delivered late, the completion handler dereferences the stored address and calls complete() on it. That address now points into whatever frame occupies the same stack region on that CPU, so complete() modifies an unrelated stack variable and the machine oopses or panics. Because the write is performed by complete() on a fixed structure layout, an attacker does not control the corrupted value; the practical outcome is a crash rather than code execution. MITRE's closest classifications are CWE-416 (Use After Free), although the object is a stack variable that went out of scope rather than a freed heap allocation, and CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), which captures the timing dependency.

The impact is denial of service. A crash on a host with pm80xx controllers, which sit in front of SAS/SATA storage in servers and disk enclosures, takes down every workload on that host and can leave in-flight I/O incomplete. Triggering it requires the ability to issue phy resets, which is a privileged storage-management action (libsas exposes link and hard resets through the sas_phy sysfs attributes, normally writable only by root), so the realistic scenarios are a crash set off by administrative or maintenance activity and a local attacker who already has root and wants to take the box down; the EPSS score of 0.00208 and the absence of a KEV entry recorded on this page are consistent with that. A privileged user can raise the odds by issuing resets repeatedly, since each one opens a fresh window. The bug is also hard to reproduce on demand: it only fires when the controller answers more than 300 ms after the request, which depends on firmware state, link conditions and load, and may never show up in a test rig.

The fix is the one named in the commit title: phy->enable_completion is set only on the code path that actually calls wait_for_completion() on it, so the reset paths that merely sleep never publish a pointer to the stack object, and a late response finds nothing to complete. The fix does not move the completion to the heap, and it does not need to: a stack-allocated completion is acceptable kernel practice as long as its address is published only while the function is blocked on it and is unpublished (cleared, or consumed by the response path) before the frame is popped. Wrapping the phy control operations in a mutex or spinlock would not have fixed this, because locking serialises callers but does nothing to extend the lifetime of a stack variable. For administrators the only remedy is a kernel that contains the patched driver; until that is deployed, crash dumps and oops messages that mention pm8001 or pm80xx on storage hosts should be treated as possible instances of this bug rather than random hardware failures, and phy resets on affected hosts are best confined to maintenance windows. In ATT&CK terms the effect maps to T1499.004, Endpoint Denial of Service: Application or System Exploitation (the Network Denial of Service techniques are under T1498); availability is lost through kernel memory corruption, not through network flooding.
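The stale-pointer mechanism described above and the shape of the fix, as an added single-threaded C model written for this page (it is not the pm80xx driver's code). The driver's stack frame is modelled as one static slot with a liveness marker so that the late complete() can be observed instead of crashing; phy_control_before has the pre-fix shape (pointer published at entry, whether or not the function will wait) and phy_control_after the post-fix shape (pointer published only on the path that blocks on it). Names such as model_phy, frame_enter, phy_response and late_reply_after belong to this model, not to the kernel, and the assumption that the response path consumes a published pointer once and clears it is stated in the code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Liveness marker for the modelled stack slot (this model's convention). */
#define FRAME_LIVE 0xC0FFEEu
#define FRAME_DEAD 0x0DEADu

struct completion {
    unsigned int magic;   /* FRAME_LIVE while the owning frame exists */
    bool done;
};

/* Only the two fields of the driver's phy object that matter here. */
struct model_phy {
    struct completion *enable_completion;
    bool link_disabled;   /* models phy_state == PHY_LINK_DISABLE */
};

enum phy_func { PHY_FUNC_LINK_RESET, PHY_FUNC_HARD_RESET };
enum rsp_result { RSP_IGNORED, RSP_COMPLETED, RSP_DANGLING };

/* The single stack slot that the control function's local `completion` occupies. */
static struct completion frame_slot;

static struct completion *frame_enter(void)
{
    frame_slot.magic = FRAME_LIVE;
    frame_slot.done = false;
    return &frame_slot;
}

static void frame_leave(void)
{
    frame_slot.magic = FRAME_DEAD;   /* function returned; the next callee reuses this memory */
}

/* complete(): a real kernel corrupts memory or oopses where this returns RSP_DANGLING. */
static enum rsp_result model_complete(struct completion *c)
{
    if (c->magic != FRAME_LIVE)
        return RSP_DANGLING;
    c->done = true;
    return RSP_COMPLETED;
}

/*
 * Response path for any phy event, in time or late. Assumption of this model:
 * a published pointer is consumed exactly once and then cleared, so an event
 * that finds nothing published is ignored.
 */
static enum rsp_result phy_response(struct model_phy *phy)
{
    struct completion *c = phy->enable_completion;

    if (!c)
        return RSP_IGNORED;
    phy->enable_completion = NULL;
    return model_complete(c);
}

/* phy start request followed by wait_for_completion(); the controller answers in time. */
static void phy_start_and_wait(struct model_phy *phy, struct completion *c)
{
    phy_response(phy);                              /* in-time answer sets c->done */
    (void)c;
}

/* Before the fix: the pointer is published at entry, whether or not we will wait. */
static void phy_control_before(struct model_phy *phy, enum phy_func func)
{
    struct completion *completion = frame_enter();

    phy->enable_completion = completion;            /* BUG: published on every path */
    if (phy->link_disabled)
        phy_start_and_wait(phy, completion);
    (void)func;                                     /* send reset; msleep(300); */
    frame_leave();                                  /* return: pointer still published */
}

/* After the fix: the pointer is published only on the path that blocks on it. */
static void phy_control_after(struct model_phy *phy, enum phy_func func)
{
    struct completion *completion = frame_enter();

    if (phy->link_disabled) {
        phy->enable_completion = completion;        /* set right before waiting */
        phy_start_and_wait(phy, completion);
    }
    (void)func;                                     /* send reset; msleep(300); */
    frame_leave();
}

/* Run one control call, then deliver the reset's response after the 300 ms window. */
enum rsp_result late_reply_after(void (*ctl)(struct model_phy *, enum phy_func),
                                 bool link_disabled)
{
    struct model_phy phy = { .enable_completion = NULL, .link_disabled = link_disabled };

    ctl(&phy, PHY_FUNC_LINK_RESET);
    return phy_response(&phy);
}

int main(void)
{
    printf("before fix, link up:   %d (2 = complete() on a dead frame)\n",
           late_reply_after(phy_control_before, false));
    printf("before fix, link down: %d\n", late_reply_after(phy_control_before, true));
    printf("after fix,  link up:   %d\n", late_reply_after(phy_control_after, false));
    printf("after fix,  link down: %d\n", late_reply_after(phy_control_after, true));
    return 0;
}
```

The model shows why the bug bites on the common path: when the phy is already enabled the pre-fix function never waits, so the pointer it published at entry is still there when the late reply lands on the dead frame. On the disabled-phy path the in-time start response consumes and clears the pointer, and both versions survive the late reply. The fix simply never publishes the pointer on a path that will not block on it.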

Responsible

Linux

Reservation

09/30/2024

Disclosure

10/09/2024

Moderation

accepted

CPE

ready

EPSS

0.00208

KEV

no

Activities

very low
