CVE-2024-46693
Severity:
MEDIUM
Type:
CWE-476
NULL Pointer Dereference
Publication date:
13/09/2024
Last modified:
13/09/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

soc: qcom: pmic_glink: Fix race during initialization

As pointed out by Stephen Boyd it is possible that during initialization
of the pmic_glink child drivers, the protection-domain notifiers fire,
and the associated work is scheduled, before the client registration
returns and as a result the local "client" pointer has been initialized.

The outcome of this is a NULL pointer dereference as the "client"
pointer is blindly dereferenced.

Timeline provided by Stephen:
         CPU0                                               CPU1
         ----                                               ----
ucsi->client = NULL;
devm_pmic_glink_register_client()
 client->pdr_notify(client->priv, pg->client_state)
  pmic_glink_ucsi_pdr_notify()
   schedule_work(&ucsi->register_work)

                                                    pmic_glink_ucsi_register()
                                                     ucsi_register()
                                                      pmic_glink_ucsi_read_version()
                                                       pmic_glink_ucsi_read()
                                                        pmic_glink_ucsi_read()
                                                         pmic_glink_send(ucsi->client)

ucsi->client = client // Too late!

This code is identical across the altmode, battery manager and ucsi
child drivers.

Resolve this by splitting the allocation of the "client" object and the
registration thereof into two operations.

This only happens if the protection domain registry is populated at the
time of registration, which by the introduction of commit '1ebcde047c54
("soc: qcom: add pd-mapper implementation")' became much more likely.
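The race above and the shape of the fix, as an added userland model that is not the kernel's code and not part of this advisory: the parent's registration call fires the protection-domain notifier synchronously when the domain is already up (the "registry already populated" case the commit message describes), so a child driver that assigns its client pointer from the return value of a combined allocate-and-register call sees the work run against a NULL pointer. Splitting allocation from registration lets the child store the pointer before anything can call back into it. All type and function names here (pg_client, pg_register_client, pg_client_alloc, pg_client_register, probe_racy, probe_fixed) are hypothetical stand-ins, and the work handler runs inline rather than on a workqueue to force the worst-case ordering; a would-be NULL dereference is recorded instead of crashing.

```c
/* Added example, not kernel code: models the pmic_glink client-registration
 * race (CVE-2024-46693) and the allocate-then-register fix. Names are
 * hypothetical stand-ins for the kernel's. */
#include <stdio.h>
#include <stdlib.h>

/* Model of the client object handed to the parent. */
struct pg_client {
    void *priv;
    void (*pdr_notify)(void *priv, int state);
};

/* Model of the parent; client_state != 0 means the protection domain is
 * already up when the child registers (more likely with pd-mapper). */
struct pg_parent {
    int client_state;
};

/* Model of the child driver's private state (cf. struct pmic_glink_ucsi). */
struct ucsi_drv {
    struct pg_client *client;
    int sends_ok;
    int null_derefs;
};

/* Model of pmic_glink_send(): the kernel dereferences client blindly;
 * here the NULL case is counted so the test can observe it. */
static int pg_send(struct ucsi_drv *ucsi, struct pg_client *client)
{
    if (!client) {
        ucsi->null_derefs++;   /* kernel would oops here */
        return -1;
    }
    ucsi->sends_ok++;
    return 0;
}

/* Body of register_work: uses ucsi->client, whatever it holds right now. */
static void ucsi_register_work(struct ucsi_drv *ucsi)
{
    pg_send(ucsi, ucsi->client);
}

/* Notifier callback; runs the work inline to model CPU1 winning the race. */
static void ucsi_pdr_notify(void *priv, int state)
{
    struct ucsi_drv *ucsi = priv;
    if (state)
        ucsi_register_work(ucsi);
}

/* Racy API: allocation and registration in one call. The notifier can fire
 * before the caller has stored the returned pointer. */
static struct pg_client *pg_register_client(struct pg_parent *pg, void *priv,
                                            void (*notify)(void *, int))
{
    struct pg_client *c = calloc(1, sizeof(*c));
    if (!c)
        return NULL;
    c->priv = priv;
    c->pdr_notify = notify;
    if (pg->client_state)
        c->pdr_notify(c->priv, pg->client_state);
    return c;
}

/* Fixed API: allocate first, register as a separate step. */
static struct pg_client *pg_client_alloc(void *priv, void (*notify)(void *, int))
{
    struct pg_client *c = calloc(1, sizeof(*c));
    if (!c)
        return NULL;
    c->priv = priv;
    c->pdr_notify = notify;
    return c;
}

static void pg_client_register(struct pg_parent *pg, struct pg_client *c)
{
    if (pg->client_state)
        c->pdr_notify(c->priv, pg->client_state);
}

/* Both probes return -1 if a NULL dereference would have happened,
 * otherwise the number of successful sends. */
int probe_racy(int pd_already_up)
{
    struct pg_parent pg = { .client_state = pd_already_up };
    struct ucsi_drv ucsi = { 0 };

    /* Notifier fires inside the call; ucsi.client is still NULL then. */
    ucsi.client = pg_register_client(&pg, &ucsi, ucsi_pdr_notify);
    free(ucsi.client);
    return ucsi.null_derefs ? -1 : ucsi.sends_ok;
}

int probe_fixed(int pd_already_up)
{
    struct pg_parent pg = { .client_state = pd_already_up };
    struct ucsi_drv ucsi = { 0 };

    ucsi.client = pg_client_alloc(&ucsi, ucsi_pdr_notify);   /* pointer stored */
    pg_client_register(&pg, ucsi.client);                    /* now safe to notify */
    free(ucsi.client);
    return ucsi.null_derefs ? -1 : ucsi.sends_ok;
}

int main(void)
{
    printf("racy,  pd up:  %d\n", probe_racy(1));   /* -1: NULL deref */
    printf("racy,  pd down: %d\n", probe_racy(0));  /*  0: notifier never fired */
    printf("fixed, pd up:  %d\n", probe_fixed(1));  /*  1: one successful send */
    printf("fixed, pd down: %d\n", probe_fixed(0)); /*  0 */
    return 0;
}
```

The pd_already_up argument stands in for whether the protection-domain registry is populated at registration time; the racy variant only misbehaves when it is, which matches the commit message's note that the bug became far more likely once pd-mapper started populating the registry early.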
Impact
Base Score 3.x
4.70
Severity 3.x
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.3 (including) | 6.6.49 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.10.8 (excluding) |
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:* | | |