CVE-2024-26909
Vulnerability from cvelistv5
Published
2024-04-17 10:27
Modified
2024-12-19 08:49
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pmic_glink_altmode: fix drm bridge use-after-free A recent DRM series purporting to simplify support for "transparent bridges" and handling of probe deferrals ironically exposed a use-after-free issue on pmic_glink_altmode probe deferral. This has manifested itself as the display subsystem occasionally failing to initialise and NULL-pointer dereferences during boot of machines like the Lenovo ThinkPad X13s. Specifically, the dp-hpd bridge is currently registered before all resources have been acquired which means that it can also be deregistered on probe deferrals. In the meantime there is a race window where the new aux bridge driver (or PHY driver previously) may have looked up the dp-hpd bridge and stored a (non-reference-counted) pointer to the bridge which is about to be deallocated. When the display controller is later initialised, this triggers a use-after-free when attaching the bridges: dp -> aux -> dp-hpd (freed) which may, for example, result in the freed bridge failing to attach: [drm:drm_bridge_attach [drm]] *ERROR* failed to attach bridge /soc@0/phy@88eb000 to encoder TMDS-31: -16 or a NULL-pointer dereference: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 ... Call trace: drm_bridge_attach+0x70/0x1a8 [drm] drm_aux_bridge_attach+0x24/0x38 [aux_bridge] drm_bridge_attach+0x80/0x1a8 [drm] dp_bridge_init+0xa8/0x15c [msm] msm_dp_modeset_init+0x28/0xc4 [msm] The DRM bridge implementation is clearly fragile and implicitly built on the assumption that bridges may never go away. In this case, the fix is to move the bridge registration in the pmic_glink_altmode driver to after all resources have been looked up. Incidentally, with the new dp-hpd bridge implementation, which registers child devices, this is also a requirement due to a long-standing issue in driver core that can otherwise lead to a probe deferral loop (see commit fbc35b45f9f6 ("Add documentation on meaning of -EPROBE_DEFER")). [DB: slightly fixed commit message by adding the word 'commit']
Impacted products
Vendor Product Version
Linux Linux Version: 6.3
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:21:05.481Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2bbd65c6ca567ed8dbbfc4fb945f57ce64bef342"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ef45aa2841e15b649e5417fe3d4de395fe462781"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b979f2d50a099f3402418d7ff5f26c3952fb08bb"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26909",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-15T19:23:05.370313Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-15T19:23:14.445Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/soc/qcom/pmic_glink_altmode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2bbd65c6ca567ed8dbbfc4fb945f57ce64bef342",
              "status": "affected",
              "version": "080b4e24852b1d5b66929f69344e6c3eeb963941",
              "versionType": "git"
            },
            {
              "lessThan": "ef45aa2841e15b649e5417fe3d4de395fe462781",
              "status": "affected",
              "version": "080b4e24852b1d5b66929f69344e6c3eeb963941",
              "versionType": "git"
            },
            {
              "lessThan": "b979f2d50a099f3402418d7ff5f26c3952fb08bb",
              "status": "affected",
              "version": "080b4e24852b1d5b66929f69344e6c3eeb963941",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/soc/qcom/pmic_glink_altmode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: pmic_glink_altmode: fix drm bridge use-after-free\n\nA recent DRM series purporting to simplify support for \"transparent\nbridges\" and handling of probe deferrals ironically exposed a\nuse-after-free issue on pmic_glink_altmode probe deferral.\n\nThis has manifested itself as the display subsystem occasionally failing\nto initialise and NULL-pointer dereferences during boot of machines like\nthe Lenovo ThinkPad X13s.\n\nSpecifically, the dp-hpd bridge is currently registered before all\nresources have been acquired which means that it can also be\nderegistered on probe deferrals.\n\nIn the meantime there is a race window where the new aux bridge driver\n(or PHY driver previously) may have looked up the dp-hpd bridge and\nstored a (non-reference-counted) pointer to the bridge which is about to\nbe deallocated.\n\nWhen the display controller is later initialised, this triggers a\nuse-after-free when attaching the bridges:\n\n\tdp -\u003e aux -\u003e dp-hpd (freed)\n\nwhich may, for example, result in the freed bridge failing to attach:\n\n\t[drm:drm_bridge_attach [drm]] *ERROR* failed to attach bridge /soc@0/phy@88eb000 to encoder TMDS-31: -16\n\nor a NULL-pointer dereference:\n\n\tUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n\t...\n\tCall trace:\n\t  drm_bridge_attach+0x70/0x1a8 [drm]\n\t  drm_aux_bridge_attach+0x24/0x38 [aux_bridge]\n\t  drm_bridge_attach+0x80/0x1a8 [drm]\n\t  dp_bridge_init+0xa8/0x15c [msm]\n\t  msm_dp_modeset_init+0x28/0xc4 [msm]\n\nThe DRM bridge implementation is clearly fragile and implicitly built on\nthe assumption that bridges may never go away. In this case, the fix is\nto move the bridge registration in the pmic_glink_altmode driver to\nafter all resources have been looked up.\n\nIncidentally, with the new dp-hpd bridge implementation, which registers\nchild devices, this is also a requirement due to a long-standing issue\nin driver core that can otherwise lead to a probe deferral loop (see\ncommit fbc35b45f9f6 (\"Add documentation on meaning of -EPROBE_DEFER\")).\n\n[DB: slightly fixed commit message by adding the word \u0027commit\u0027]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:49:55.311Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2bbd65c6ca567ed8dbbfc4fb945f57ce64bef342"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef45aa2841e15b649e5417fe3d4de395fe462781"
        },
        {
          "url": "https://git.kernel.org/stable/c/b979f2d50a099f3402418d7ff5f26c3952fb08bb"
        }
      ],
      "title": "soc: qcom: pmic_glink_altmode: fix drm bridge use-after-free",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26909",
    "datePublished": "2024-04-17T10:27:55.462Z",
    "dateReserved": "2024-02-19T14:20:24.188Z",
    "dateUpdated": "2024-12-19T08:49:55.311Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26909\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-17T11:15:11.360\",\"lastModified\":\"2024-11-21T09:03:21.497\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsoc: qcom: pmic_glink_altmode: fix drm bridge use-after-free\\n\\nA recent DRM series purporting to simplify support for \\\"transparent\\nbridges\\\" and handling of probe deferrals ironically exposed a\\nuse-after-free issue on pmic_glink_altmode probe deferral.\\n\\nThis has manifested itself as the display subsystem occasionally failing\\nto initialise and NULL-pointer dereferences during boot of machines like\\nthe Lenovo ThinkPad X13s.\\n\\nSpecifically, the dp-hpd bridge is currently registered before all\\nresources have been acquired which means that it can also be\\nderegistered on probe deferrals.\\n\\nIn the meantime there is a race window where the new aux bridge driver\\n(or PHY driver previously) may have looked up the dp-hpd bridge and\\nstored a (non-reference-counted) pointer to the bridge which is about to\\nbe deallocated.\\n\\nWhen the display controller is later initialised, this triggers a\\nuse-after-free when attaching the bridges:\\n\\n\\tdp -\u003e aux -\u003e dp-hpd (freed)\\n\\nwhich may, for example, result in the freed bridge failing to attach:\\n\\n\\t[drm:drm_bridge_attach [drm]] *ERROR* failed to attach bridge /soc@0/phy@88eb000 to encoder TMDS-31: -16\\n\\nor a NULL-pointer dereference:\\n\\n\\tUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\\n\\t...\\n\\tCall trace:\\n\\t  drm_bridge_attach+0x70/0x1a8 [drm]\\n\\t  drm_aux_bridge_attach+0x24/0x38 [aux_bridge]\\n\\t  drm_bridge_attach+0x80/0x1a8 [drm]\\n\\t  dp_bridge_init+0xa8/0x15c [msm]\\n\\t  msm_dp_modeset_init+0x28/0xc4 [msm]\\n\\nThe DRM bridge implementation is clearly fragile and implicitly built on\\nthe assumption that bridges may never go away. In this case, the fix is\\nto move the bridge registration in the pmic_glink_altmode driver to\\nafter all resources have been looked up.\\n\\nIncidentally, with the new dp-hpd bridge implementation, which registers\\nchild devices, this is also a requirement due to a long-standing issue\\nin driver core that can otherwise lead to a probe deferral loop (see\\ncommit fbc35b45f9f6 (\\\"Add documentation on meaning of -EPROBE_DEFER\\\")).\\n\\n[DB: slightly fixed commit message by adding the word \u0027commit\u0027]\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: soc: qcom: pmic_glink_altmode: fix drm bridge use-after-free Una serie reciente de DRM que pretende simplificar el soporte para \\\"puentes transparentes\\\" y el manejo de aplazamientos de sonda expuso ir\u00f3nicamente un uso posterior -Problema gratuito en el aplazamiento de la sonda pmic_glink_altmode. Esto se ha manifestado como que el subsistema de visualizaci\u00f3n ocasionalmente falla al inicializarse y se eliminan las referencias del puntero NULL durante el arranque de m\u00e1quinas como la Lenovo ThinkPad X13s. Espec\u00edficamente, el puente dp-hpd actualmente est\u00e1 registrado antes de que se hayan adquirido todos los recursos, lo que significa que tambi\u00e9n se puede cancelar su registro en caso de aplazamientos de sonda. Mientras tanto, hay una ventana de carrera donde el nuevo controlador del puente auxiliar (o el controlador PHY anteriormente) puede haber buscado el puente dp-hpd y almacenado un puntero (sin recuento de referencias) al puente que est\u00e1 a punto de ser desasignado. Cuando el controlador de pantalla se inicializa posteriormente, esto activa un use-after-free al conectar los puentes: dp -\u0026gt; aux -\u0026gt; dp-hpd (liberado) que puede, por ejemplo, provocar que el puente liberado no se pueda conectar: [drm :drm_bridge_attach [drm]] *ERROR* no se pudo adjuntar el puente /soc@0/phy@88eb000 al codificador TMDS-31: -16 o una desreferencia de puntero NULL: no se puede manejar la desreferencia de puntero NULL del kernel en la direcci\u00f3n virtual 0000000000000000... Seguimiento de llamadas: drm_bridge_attach+0x70/0x1a8 [drm] drm_aux_bridge_attach+0x24/0x38 [aux_bridge] drm_bridge_attach+0x80/0x1a8 [drm] dp_bridge_init+0xa8/0x15c [msm] msm_dp_modeset_init+0x28/0xc4 [msm] El puente DRM la implementaci\u00f3n es claramente fr\u00e1gil e impl\u00edcitamente construido sobre el supuesto de que es posible que los puentes nunca desaparezcan. En este caso, la soluci\u00f3n es mover el registro del puente en el controlador pmic_glink_altmode despu\u00e9s de que se hayan buscado todos los recursos. Por cierto, con la nueva implementaci\u00f3n del puente dp-hpd, que registra dispositivos secundarios, esto tambi\u00e9n es un requisito debido a un problema de larga data en el n\u00facleo del controlador que, de lo contrario, puede provocar un bucle de aplazamiento de la sonda (consulte el compromiso fbc35b45f9f6 (\\\"Agregar documentaci\u00f3n sobre el significado de -EPROBE_DEFER\\\")). [DB: mensaje de confirmaci\u00f3n ligeramente corregido agregando la palabra \u0027compromiso\u0027]\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.3\",\"versionEndExcluding\":\"6.6.23\",\"matchCriteriaId\":\"FF3B2DAF-D3AB-46CC-A8F5-C374664586C9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.7.11\",\"matchCriteriaId\":\"9B95D3A6-E162-47D5-ABFC-F3FA74FA7CFD\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2bbd65c6ca567ed8dbbfc4fb945f57ce64bef342\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b979f2d50a099f3402418d7ff5f26c3952fb08bb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ef45aa2841e15b649e5417fe3d4de395fe462781\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/2bbd65c6ca567ed8dbbfc4fb945f57ce64bef342\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b979f2d50a099f3402418d7ff5f26c3952fb08bb\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ef45aa2841e15b649e5417fe3d4de395fe462781\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.