CVE-2024-26807

In the Linux kernel, the following vulnerability has been resolved: Both cadence-quadspi ->runtime_suspend() and ->runtime_resume() implementations start with: struct cqspi_st *cqspi = dev_get_drvdata(dev); struct spi_controller *host = dev_get_drvdata(dev); This obviously cannot be correct, unless "struct cqspi_st" is the first member of " struct spi_controller", or the other way around, but it is not the case. "struct spi_controller" is allocated by devm_spi_alloc_host(), which allocates an extra amount of memory for private data, used to store "struct cqspi_st". The ->probe() function of the cadence-quadspi driver then sets the device drvdata to store the address of the "struct cqspi_st" structure. Therefore: struct cqspi_st *cqspi = dev_get_drvdata(dev); is correct, but: struct spi_controller *host = dev_get_drvdata(dev); is not, as it makes "host" point not to a "struct spi_controller" but to the same "struct cqspi_st" structure as above. This obviously leads to bad things (memory corruption, kernel crashes) directly during ->probe(), as ->probe() enables the device using PM runtime, leading the ->runtime_resume() hook being called, which in turns calls spi_controller_resume() with the wrong pointer. This has at least been reported [0] to cause a kernel crash, but the exact behavior will depend on the memory contents. [0] https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/ This issue potentially affects all platforms that are currently using the cadence-quadspi driver.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/03f1573c9587029730ca68503f5062105b122f61	Patch
https://git.kernel.org/stable/c/32ce3bb57b6b402de2aec1012511e7ac4e7449dc	Patch
https://git.kernel.org/stable/c/34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03	Patch
https://git.kernel.org/stable/c/03f1573c9587029730ca68503f5062105b122f61	Patch
https://git.kernel.org/stable/c/32ce3bb57b6b402de2aec1012511e7ac4e7449dc	Patch
https://git.kernel.org/stable/c/34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:4.19.283:::::::*
	cpe:2.3:o:linux:linux_kernel:5.4.243:::::::*
	cpe:2.3:o:linux:linux_kernel:5.10.180:::::::*
	cpe:2.3:o:linux:linux_kernel:5.15.111:::::::*
	cpe:2.3:o:linux:linux_kernel:6.1.28:::::::*
	cpe:2.3:o:linux:linux_kernel:6.2.15:::::::*
	cpe:2.3:o:linux:linux_kernel:6.3.2:::::::*
	cpe:2.3:o:linux:linux_kernel:6.8:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.8:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.8:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.8:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.8:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.8:rc6::::::

History

27 Mar 2025, 21:35

Type	Values Removed	Values Added
CPE		cpe:2.3:o:linux:linux_kernel:5.15.111:::::::* cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.8:rc6:::::: cpe:2.3:o:linux:linux_kernel:5.4.243:::::::* cpe:2.3:o:linux:linux_kernel:6.3.2:::::::* cpe:2.3:o:linux:linux_kernel:6.8:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.8:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.8:rc5:::::: cpe:2.3:o:linux:linux_kernel:5.10.180:::::::* cpe:2.3:o:linux:linux_kernel:6.1.28:::::::* cpe:2.3:o:linux:linux_kernel:6.8:rc4:::::: cpe:2.3:o:linux:linux_kernel:4.19.283:::::::* cpe:2.3:o:linux:linux_kernel:6.2.15:::::::* cpe:2.3:o:linux:linux_kernel:6.8:rc3::::::
References	~~() https://git.kernel.org/stable/c/03f1573c9587029730ca68503f5062105b122f61 -~~	() https://git.kernel.org/stable/c/03f1573c9587029730ca68503f5062105b122f61 - Patch
References	~~() https://git.kernel.org/stable/c/32ce3bb57b6b402de2aec1012511e7ac4e7449dc -~~	() https://git.kernel.org/stable/c/32ce3bb57b6b402de2aec1012511e7ac4e7449dc - Patch
References	~~() https://git.kernel.org/stable/c/34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03 -~~	() https://git.kernel.org/stable/c/34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03 - Patch
First Time		Linux Linux linux Kernel
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
CWE		CWE-787

21 Nov 2024, 09:03

Type	Values Removed	Values Added
References	~~() https://git.kernel.org/stable/c/03f1573c9587029730ca68503f5062105b122f61 -~~	() https://git.kernel.org/stable/c/03f1573c9587029730ca68503f5062105b122f61 -
References	~~() https://git.kernel.org/stable/c/32ce3bb57b6b402de2aec1012511e7ac4e7449dc -~~	() https://git.kernel.org/stable/c/32ce3bb57b6b402de2aec1012511e7ac4e7449dc -
References	~~() https://git.kernel.org/stable/c/34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03 -~~	() https://git.kernel.org/stable/c/34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03 -

20 Jun 2024, 10:15

Type	Values Removed	Values Added
Summary	(en) In the Linux kernel, the following vulnerability has been resolved: spi: cadence-qspi: fix pointer reference in runtime PM hooks dev_get_drvdata() gets used to acquire the pointer to cqspi and the SPI controller. Neither embed the other; this lead to memory corruption. On a given platform (Mobileye EyeQ5) the memory corruption is hidden inside cqspi->f_pdata. Also, this uninitialised memory is used as a mutex (ctlr->bus_lock_mutex) by spi_controller_suspend().	(en) In the Linux kernel, the following vulnerability has been resolved: Both cadence-quadspi ->runtime_suspend() and ->runtime_resume() implementations start with: struct cqspi_st cqspi = dev_get_drvdata(dev); struct spi_controller host = dev_get_drvdata(dev); This obviously cannot be correct, unless "struct cqspi_st" is the first member of " struct spi_controller", or the other way around, but it is not the case. "struct spi_controller" is allocated by devm_spi_alloc_host(), which allocates an extra amount of memory for private data, used to store "struct cqspi_st". The ->probe() function of the cadence-quadspi driver then sets the device drvdata to store the address of the "struct cqspi_st" structure. Therefore: struct cqspi_st cqspi = dev_get_drvdata(dev); is correct, but: struct spi_controller host = dev_get_drvdata(dev); is not, as it makes "host" point not to a "struct spi_controller" but to the same "struct cqspi_st" structure as above. This obviously leads to bad things (memory corruption, kernel crashes) directly during ->probe(), as ->probe() enables the device using PM runtime, leading the ->runtime_resume() hook being called, which in turns calls spi_controller_resume() with the wrong pointer. This has at least been reported [0] to cause a kernel crash, but the exact behavior will depend on the memory contents. [0] https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/ This issue potentially affects all platforms that are currently using the cadence-quadspi driver.

04 Apr 2024, 12:48

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: spi: cadence-qspi: corrige la referencia del puntero en los ganchos PM en tiempo de ejecución dev_get_drvdata() se utiliza para adquirir el puntero a cqspi y el controlador SPI. Ninguno de los dos integra al otro; Esto conduce a la corrupción de la memoria. En una plataforma determinada (Mobileye EyeQ5), la corrupción de la memoria está oculta dentro de cqspi->f_pdata. Además, esta memoria no inicializada se utiliza como mutex (ctlr->bus_lock_mutex) por spi_controller_suspend().

04 Apr 2024, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-04-04 09:15

Updated : 2025-03-27 21:35

NVD link : CVE-2024-26807

Mitre link : CVE-2024-26807

CVE.ORG link : CVE-2024-26807

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-787

Out-of-bounds Write

5.5 /10