Linux Kernel up to 6.10.2 mtk-cmdq devm_mbox_controller_register privilege escalation

Summaryinfo

A vulnerability classified as problematic was found in Linux Kernel up to 6.10.2. This impacts the function devm_mbox_controller_register of the component mtk-cmdq. The manipulation results in an unknown weakness. This vulnerability is reported as CVE-2024-42319. No exploit exists. Upgrading the affected component is advised.

Detailsinfo

A vulnerability classified as problematic has been found in Linux Kernel up to 6.10.2. Affected is the function devm_mbox_controller_register of the component mtk-cmdq. The impact remains unknown. CVE summarizes:

In the Linux kernel, the following vulnerability has been resolved: mailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable() When mtk-cmdq unbinds, a WARN_ON message with condition pm_runtime_get_sync() < 0 occurs. According to the call tracei below: cmdq_mbox_shutdown mbox_free_channel mbox_controller_unregister __devm_mbox_controller_unregister ... The root cause can be deduced to be calling pm_runtime_get_sync() after calling pm_runtime_disable() as observed below: 1. CMDQ driver uses devm_mbox_controller_register() in cmdq_probe() to bind the cmdq device to the mbox_controller, so devm_mbox_controller_unregister() will automatically unregister the device bound to the mailbox controller when the device-managed resource is removed. That means devm_mbox_controller_unregister() and cmdq_mbox_shoutdown() will be called after cmdq_remove(). 2. CMDQ driver also uses devm_pm_runtime_enable() in cmdq_probe() after devm_mbox_controller_register(), so that devm_pm_runtime_disable() will be called after cmdq_remove(), but before devm_mbox_controller_unregister(). To fix this problem, cmdq_probe() needs to move devm_mbox_controller_register() after devm_pm_runtime_enable() to make devm_pm_runtime_disable() be called after devm_mbox_controller_unregister().

The advisory is shared for download at git.kernel.org. This vulnerability is traded as CVE-2024-42319 since 07/30/2024. The exploitability is told to be difficult. There are known technical details, but no exploit is available.

The vulnerability scanner Nessus provides a plugin with the ID 207884 (openSUSE 15 Security Update : kernel (SUSE-SU-2024:3483-1)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 6.10.3 eliminates this vulnerability. Applying the patch 11fa625b45fa/a8bd68e4329f is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (207884) and CERT Bund (WID-SEC-2024-1875). Once again VulDB remains the best source for vulnerability data.

Affected

• Debian Linux
• Amazon Linux 2
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux
• IBM InfoSphere Guardium
• Oracle Linux
• IBM Security Guardium
• RESF Rocky Linux
• Broadcom Brocade SANnav
• Open Source Linux Kernel
• IBM QRadar SIEM
• IBM Spectrum Protect Plus
• SolarWinds Security Event Manager
• IBM DataPower Gateway
• Dell NetWorker

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.10.0
• 6.10.1
• 6.10.2

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion