| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024122430-CVE-2024-53157-6c40@gregkh> Date: Tue, 24 Dec 2024 12:29:37 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2024-53157: firmware: arm_scpi: Check the DVFS OPP count returned by the firmware Description =========== In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scpi: Check the DVFS OPP count returned by the firmware Fix a kernel crash with the below call trace when the SCPI firmware returns OPP count of zero. dvfs_info.opp_count may be zero on some platforms during the reboot test, and the kernel will crash after dereferencing the pointer to kcalloc(info->count, sizeof(*opp), GFP_KERNEL). | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028 | Mem abort info: | ESR = 0x96000004 | Exception class = DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | Data abort info: | ISV = 0, ISS = 0x00000004 | CM = 0, WnR = 0 | user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000faefa08c | [0000000000000028] pgd=0000000000000000 | Internal error: Oops: 96000004 [#1] SMP | scpi-hwmon: probe of PHYT000D:00 failed with error -110 | Process systemd-udevd (pid: 1701, stack limit = 0x00000000aaede86c) | CPU: 2 PID: 1701 Comm: systemd-udevd Not tainted 4.19.90+ #1 | Hardware name: PHYTIUM LTD Phytium FT2000/4/Phytium FT2000/4, BIOS | pstate: 60000005 (nZCv daif -PAN -UAO) | pc : scpi_dvfs_recalc_rate+0x40/0x58 [clk_scpi] | lr : clk_register+0x438/0x720 | Call trace: | scpi_dvfs_recalc_rate+0x40/0x58 [clk_scpi] | devm_clk_hw_register+0x50/0xa0 | scpi_clk_ops_init.isra.2+0xa0/0x138 [clk_scpi] | scpi_clocks_probe+0x528/0x70c [clk_scpi] | platform_drv_probe+0x58/0xa8 | really_probe+0x260/0x3d0 | driver_probe_device+0x12c/0x148 | device_driver_attach+0x74/0x98 | __driver_attach+0xb4/0xe8 | bus_for_each_dev+0x88/0xe0 | driver_attach+0x30/0x40 | bus_add_driver+0x178/0x2b0 | driver_register+0x64/0x118 | __platform_driver_register+0x54/0x60 | scpi_clocks_driver_init+0x24/0x1000 [clk_scpi] | do_one_initcall+0x54/0x220 | do_init_module+0x54/0x1c8 | load_module+0x14a4/0x1668 | __se_sys_finit_module+0xf8/0x110 | __arm64_sys_finit_module+0x24/0x30 | el0_svc_common+0x78/0x170 | el0_svc_handler+0x38/0x78 | el0_svc+0x8/0x340 | Code: 937d7c00 a94153f3 a8c27bfd f9400421 (b8606820) | ---[ end trace 06feb22469d89fa8 ]--- | Kernel panic - not syncing: Fatal exception | SMP: stopping secondary CPUs | Kernel Offset: disabled | CPU features: 0x10,a0002008 | Memory Limit: none The Linux kernel CVE team has assigned CVE-2024-53157 to this issue. Affected and fixed versions =========================== Issue introduced in 4.4 with commit 8cb7cf56c9fe5412de238465b27ef35b4d2801aa and fixed in 4.19.325 with commit 12e2c520a0a4202575e4a45ea41f06a8e9aa3417 Issue introduced in 4.4 with commit 8cb7cf56c9fe5412de238465b27ef35b4d2801aa and fixed in 5.4.287 with commit 8be4e51f3ecfb0915e3510b600c4cce0dc68a383 Issue introduced in 4.4 with commit 8cb7cf56c9fe5412de238465b27ef35b4d2801aa and fixed in 5.10.231 with commit 380c0e1d96f3b522f3170c18ee5e0f1a28fec5d6 Issue introduced in 4.4 with commit 8cb7cf56c9fe5412de238465b27ef35b4d2801aa and fixed in 5.15.174 with commit 2a5b8de6fcb944f9af0c5fcb30bb0c039705e051 Issue introduced in 4.4 with commit 8cb7cf56c9fe5412de238465b27ef35b4d2801aa and fixed in 6.1.120 with commit 06258e57fee253f4046d3a6a86d7fde09f596eac Issue introduced in 4.4 with commit 8cb7cf56c9fe5412de238465b27ef35b4d2801aa and fixed in 6.6.64 with commit 025067eeb945aa17c7dd483a63960125b7efb577 Issue introduced in 4.4 with commit 8cb7cf56c9fe5412de238465b27ef35b4d2801aa and fixed in 6.11.11 with commit dfc9c2aa7f04f7db7e7225a5e118a24bf1c3b325 Issue introduced in 4.4 with commit 8cb7cf56c9fe5412de238465b27ef35b4d2801aa and fixed in 6.12.2 with commit 9beaff47bcea5eec7d4ead98f5043057161fd71a Issue introduced in 4.4 with commit 8cb7cf56c9fe5412de238465b27ef35b4d2801aa and fixed in 6.13-rc1 with commit 109aa654f85c5141e813b2cd1bd36d90be678407 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-53157 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/firmware/arm_scpi.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/12e2c520a0a4202575e4a45ea41f06a8e9aa3417 https://git.kernel.org/stable/c/8be4e51f3ecfb0915e3510b600c4cce0dc68a383 https://git.kernel.org/stable/c/380c0e1d96f3b522f3170c18ee5e0f1a28fec5d6 https://git.kernel.org/stable/c/2a5b8de6fcb944f9af0c5fcb30bb0c039705e051 https://git.kernel.org/stable/c/06258e57fee253f4046d3a6a86d7fde09f596eac https://git.kernel.org/stable/c/025067eeb945aa17c7dd483a63960125b7efb577 https://git.kernel.org/stable/c/dfc9c2aa7f04f7db7e7225a5e118a24bf1c3b325 https://git.kernel.org/stable/c/9beaff47bcea5eec7d4ead98f5043057161fd71a https://git.kernel.org/stable/c/109aa654f85c5141e813b2cd1bd36d90be678407
Powered by blists - more mailing lists