In the Linux kernel, the following vulnerability has been resolved:
firmware: qcom: uefisecapp: Fix memory related IO errors and crashes
It turns out that while the QSEECOM APP_SEND command has specific fields for request and response buffers, uefisecapp expects them both to be in a single memory region. Failure to adhere to this has (so far) resulted in either no response being written to the response buffer (causing an EIO to be emitted down the line), the SCM call failing with EINVAL (i.e., directly from TZ/firmware), or the device being hard-reset.
While this issue can be triggered deterministically, in its current form it seems to happen rather sporadically (which is why it has gone unnoticed during earlier testing). This is likely due to the two kzalloc() calls (for request and response) being directly after each other, which means that they likely return consecutive regions most of the time, especially when not much else is going on in the system.
Fix this by allocating a single memory region for both request and response buffers, properly aligning both structs inside it. This unfortunately also means that the qcom_scm_qseecom_app_send() interface needs to be restructured, as it should no longer map the DMA regions separately. Therefore, move the responsibility of DMA allocation (or mapping) to the caller.
[ { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ed09f81eeaa8f9265e1787282cb283f10285c259", "signature_version": "v1", "target": { "file": "include/linux/firmware/qcom/qcom_scm.h", "function": "qcom_scm_qseecom_app_send" }, "digest": { "length": 126.0, "function_hash": "202716659672438616047362812163469735063" }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-35994-2096c59d" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dd22b34fb53cb04b13b2f5eee5c9200bb091fc88", "signature_version": "v1", "target": { "file": "drivers/firmware/qcom/qcom_qseecom_uefisecapp.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "36303647749420967085331422558578076326", "177091670451329022892088607308536823132", "77892961863970005919318135450497482694", "124688583172314181483384437976982962147", "14917146488123046528996852349382228422", "282779025935801293853897790116404047139", "298817403284097011212659536161792578263", "191899665544585705933931366829743410178", "81920114611875540787836228241719051068", "191388820336009057507105025001875897991", "322990685120021176268409727549911741320", "92962322504253419896044046353572970753", "49483465358831181214590202882213700264", "304768109883084862592522721566655155139", "326636009458657634686857759383056188176", "319667891478981505574162413283723216778", "297871164183938750259950512014564429384", "237240656142835405726279735714556629753", "183272462563855908074709235960984384154", "11503193532339907722779332111945027781", "173529116583407309734322278526070165098", "130028686194252510686951056439158616752", "252555585865096378823000727711450007162", "11729593735387406497090186035338863622", "239533130114129372145323054395672499665", "217069027500329145626751988682281804120", "130140774468788495425601534087220348129", "314478063918657651733090202969671326992", "156159729527572074432374864453421152536", "131645300270022749203874565854494119346", 
"106760782947734768009988490863415307608", "300400235537320988915236744444012953707", "211708564904370970325127418738558856013", "40298826875688239708937972731704466880", "134445458877930764354880796067812296015", "49633313338492849746270832042961827897", "6692513430261782586092463668045862977", "68462081612212726848959211723039993043", "88734611356476335934540012513571551681", "59252900535982629306328834573517407560", "299806115494160645858497566034576181845", "161001887725291178334263156233300678825", "182665162717857239673810796938098997256", "105029016931987297022742900758961107326", "269822892132497248145748013201132247193", "215068859838295143879399775352342279468", "337505402405319171463343397675131653635", "297871164183938750259950512014564429384", "237240656142835405726279735714556629753", "183272462563855908074709235960984384154", "120807777220975968233579355817670274028", "109416201483074083868920460329370875704", "301988286311170251187406281571977112720", "228248504194575890401354193285802809984", "11729593735387406497090186035338863622", "248490066871766506728255318761763577484", "273977871033084600973144777104748403921", "102532380007510651466340180652481733736", "5636655513474203547258511247368707450", "19873312689067321611684002812150209438", "203720074013633043414293273815729587520", "55411336244831306435646073366135818760", "182675293230740624971042059226879410173", "291378774151480967612806418873801159381", "253908077946552998321713963470684596118", "40298826875688239708937972731704466880", "134445458877930764354880796067812296015", "49633313338492849746270832042961827897", "6692513430261782586092463668045862977", "288471708152831771592342889561852666442", "67299411287572915412701114952690269596", "151687547310136740771350074754349979585", "105131779271952155633757886969187407170", "322990685120021176268409727549911741320", "92962322504253419896044046353572970753", "298008591619657113723728848935885893863", 
"238499106821540125426160161889455770090", "108403848936753691086833389771940589863", "28014839877736944704968592228651933780", "297871164183938750259950512014564429384", "237240656142835405726279735714556629753", "183272462563855908074709235960984384154", "11503193532339907722779332111945027781", "173529116583407309734322278526070165098", "130028686194252510686951056439158616752", "252555585865096378823000727711450007162", "11729593735387406497090186035338863622", "27413862859342834571272257722252565199", "4384923025397391753018109216240408953", "187132386045695011484794199431145724262", "219578922790249824321124654083067557758", "139753474517417374095214040429016969522", "202431217545075761641368443719053041995", "106760782947734768009988490863415307608", "5856210984626153134353219161510238422", "253908077946552998321713963470684596118", "40298826875688239708937972731704466880", "134445458877930764354880796067812296015", "49633313338492849746270832042961827897", "6692513430261782586092463668045862977", "38595031551422760078686151684537047382", "195563724518347249833884871109673148893", "339332723586477444288335628994095498730", "48898553132971483819516368494524439087", "290826060805966198385218453782747736279", "167714143631358590921098191943870223736", "183272462563855908074709235960984384154", "120807777220975968233579355817670274028", "109416201483074083868920460329370875704", "301988286311170251187406281571977112720", "228248504194575890401354193285802809984", "11729593735387406497090186035338863622", "172732529427952020132101433275296139944", "258783948092398437109614368388823930799", "195901131053609761972963843769131250569", "292103084098239065056508479408495743003", "6665864556412144019545844931801748982", "65772859575131178986918106213263825847", "105786950654494339206399367888795062564", "182675293230740624971042059226879410173", "30971931755290667678047140496204833175", "116703213848338812559249844753685752570", 
"40298826875688239708937972731704466880", "134445458877930764354880796067812296015", "49633313338492849746270832042961827897", "6692513430261782586092463668045862977" ] }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-35994-296a36bc" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dd22b34fb53cb04b13b2f5eee5c9200bb091fc88", "signature_version": "v1", "target": { "file": "drivers/firmware/qcom/qcom_qseecom_uefisecapp.c", "function": "qsee_uefi_query_variable_info" }, "digest": { "length": 1209.0, "function_hash": "47393499172736809669407278474639031468" }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-35994-2ffde850" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ed09f81eeaa8f9265e1787282cb283f10285c259", "signature_version": "v1", "target": { "file": "include/linux/firmware/qcom/qcom_scm.h" }, "digest": { "threshold": 0.9, "line_hashes": [ "119721719172643992761467436276949792448", "80806423773294471518661923255517939960", "330913857715044908381042527636351643068", "227258350459887753449934082938826270688", "143170711042263585744354986380898508548", "239079260631987526706028959976739051228", "272506403984449082344376093161016769085", "301397174446584848638034628109016869519", "41665367218282796959463891722449308229", "42187012717552000753967279308056754975", "258806924489169387786626938959505888960" ] }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-35994-32d73669" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dd22b34fb53cb04b13b2f5eee5c9200bb091fc88", "signature_version": "v1", "target": { "file": "drivers/firmware/qcom/qcom_scm.c", "function": "qcom_scm_qseecom_app_send" }, "digest": { "length": 1301.0, "function_hash": "155345531386069151418613973689590722797" }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-35994-4ce4d66c" }, { "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dd22b34fb53cb04b13b2f5eee5c9200bb091fc88", "signature_version": "v1", "target": { "file": "include/linux/firmware/qcom/qcom_scm.h" }, "digest": { "threshold": 0.9, "line_hashes": [ "119721719172643992761467436276949792448", "80806423773294471518661923255517939960", "330913857715044908381042527636351643068", "227258350459887753449934082938826270688", "143170711042263585744354986380898508548", "239079260631987526706028959976739051228", "272506403984449082344376093161016769085", "301397174446584848638034628109016869519", "41665367218282796959463891722449308229", "42187012717552000753967279308056754975", "258806924489169387786626938959505888960" ] }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-35994-54858d08" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dd22b34fb53cb04b13b2f5eee5c9200bb091fc88", "signature_version": "v1", "target": { "file": "drivers/firmware/qcom/qcom_qseecom_uefisecapp.c", "function": "qsee_uefi_set_variable" }, "digest": { "length": 2024.0, "function_hash": "301491937829901927814934180691081232885" }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-35994-56d77ab0" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ed09f81eeaa8f9265e1787282cb283f10285c259", "signature_version": "v1", "target": { "file": "drivers/firmware/qcom/qcom_qseecom_uefisecapp.c", "function": "qsee_uefi_query_variable_info" }, "digest": { "length": 1209.0, "function_hash": "47393499172736809669407278474639031468" }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-35994-647f86c5" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ed09f81eeaa8f9265e1787282cb283f10285c259", "signature_version": "v1", "target": { "file": "drivers/firmware/qcom/qcom_scm.c", "function": "qcom_scm_qseecom_app_send" }, "digest": { "length": 1301.0, "function_hash": 
"155345531386069151418613973689590722797" }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-35994-6ae71f5f" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dd22b34fb53cb04b13b2f5eee5c9200bb091fc88", "signature_version": "v1", "target": { "file": "drivers/firmware/qcom/qcom_scm.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "326793586976421239002522956476648695823", "3476322389433159124551069501407734868", "122651695525255612934707886420387823558", "9522408284328078995222190044787145321", "81547936640436829625497131461539735145", "159407199240138202411315477136739175630", "211058837057748768591144484548005365183", "60722964190821758585497860333086133351", "14794602084343944780829219507663742023", "287867853633858049315015567543341400458", "165280118196098773368214967273788019678", "108587508609522317325231047680845376712", "308847410088001269894664713155161430120", "50843240872487960128601948499301408559", "243676758676430663901948786536678688921", "45032602809658928031325863433673106974", "309634991723848512998882918511625243205", "253937596203578332101596976759613355663", "258580087245258597565744017453944549505", "189259899380653677088600199631843065045", "127841614699879831277061911542076964118", "15258717185371570101543863121440595820", "221538512426401827028229056927399951064", "25877282328064173475227704677320292467", "124412831377138511572983321596448066929", "94009515613647488332953190657503846808", "247999764926578199408784402637838805385", "179895082040145461135117620381541544515", "63606194465463172253064008031381432899", "139464662249294631445155312901393270212", "49125398822383275680894625892754182155", "295531445394317227240142194891185702084", "242829384735611822134341857890314028880", "231899509011889160293494686879912204575" ] }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-35994-736db91f" }, { "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dd22b34fb53cb04b13b2f5eee5c9200bb091fc88", "signature_version": "v1", "target": { "file": "drivers/firmware/qcom/qcom_qseecom_uefisecapp.c", "function": "qsee_uefi_get_variable" }, "digest": { "length": 2495.0, "function_hash": "161324252056861887847292388333598776177" }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-35994-77fc82d8" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dd22b34fb53cb04b13b2f5eee5c9200bb091fc88", "signature_version": "v1", "target": { "file": "include/linux/firmware/qcom/qcom_qseecom.h", "function": "qcom_qseecom_app_send" }, "digest": { "length": 180.0, "function_hash": "310063333454346286038338009528812990230" }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-35994-82940b40" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ed09f81eeaa8f9265e1787282cb283f10285c259", "signature_version": "v1", "target": { "file": "include/linux/firmware/qcom/qcom_qseecom.h", "function": "qcom_qseecom_app_send" }, "digest": { "length": 180.0, "function_hash": "310063333454346286038338009528812990230" }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-35994-a7b00652" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dd22b34fb53cb04b13b2f5eee5c9200bb091fc88", "signature_version": "v1", "target": { "file": "include/linux/firmware/qcom/qcom_scm.h", "function": "qcom_scm_qseecom_app_send" }, "digest": { "length": 126.0, "function_hash": "202716659672438616047362812163469735063" }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-35994-b0a828c5" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ed09f81eeaa8f9265e1787282cb283f10285c259", "signature_version": "v1", "target": { "file": "drivers/firmware/qcom/qcom_qseecom_uefisecapp.c", "function": "qsee_uefi_set_variable" }, "digest": { "length": 
2024.0, "function_hash": "301491937829901927814934180691081232885" }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-35994-c16c1217" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ed09f81eeaa8f9265e1787282cb283f10285c259", "signature_version": "v1", "target": { "file": "drivers/firmware/qcom/qcom_scm.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "326793586976421239002522956476648695823", "3476322389433159124551069501407734868", "122651695525255612934707886420387823558", "9522408284328078995222190044787145321", "81547936640436829625497131461539735145", "159407199240138202411315477136739175630", "211058837057748768591144484548005365183", "60722964190821758585497860333086133351", "14794602084343944780829219507663742023", "287867853633858049315015567543341400458", "165280118196098773368214967273788019678", "108587508609522317325231047680845376712", "308847410088001269894664713155161430120", "50843240872487960128601948499301408559", "243676758676430663901948786536678688921", "45032602809658928031325863433673106974", "309634991723848512998882918511625243205", "253937596203578332101596976759613355663", "258580087245258597565744017453944549505", "189259899380653677088600199631843065045", "127841614699879831277061911542076964118", "15258717185371570101543863121440595820", "221538512426401827028229056927399951064", "25877282328064173475227704677320292467", "124412831377138511572983321596448066929", "94009515613647488332953190657503846808", "247999764926578199408784402637838805385", "179895082040145461135117620381541544515", "63606194465463172253064008031381432899", "139464662249294631445155312901393270212", "49125398822383275680894625892754182155", "295531445394317227240142194891185702084", "242829384735611822134341857890314028880", "231899509011889160293494686879912204575" ] }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-35994-d1642a4a" }, { "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ed09f81eeaa8f9265e1787282cb283f10285c259", "signature_version": "v1", "target": { "file": "drivers/firmware/qcom/qcom_qseecom_uefisecapp.c", "function": "qsee_uefi_get_next_variable" }, "digest": { "length": 2596.0, "function_hash": "148915872931884691775723759306196825553" }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-35994-d5459047" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ed09f81eeaa8f9265e1787282cb283f10285c259", "signature_version": "v1", "target": { "file": "drivers/firmware/qcom/qcom_qseecom_uefisecapp.c", "function": "qsee_uefi_get_variable" }, "digest": { "length": 2495.0, "function_hash": "161324252056861887847292388333598776177" }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-35994-e422559f" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dd22b34fb53cb04b13b2f5eee5c9200bb091fc88", "signature_version": "v1", "target": { "file": "include/linux/firmware/qcom/qcom_qseecom.h" }, "digest": { "threshold": 0.9, "line_hashes": [ "226734500643527656107028409873400096050", "294637864311368034108288966290080003769", "63541556028718314146064367748849255985", "168342633471490483128472335399805016215", "154797796743117754762579360150295378314", "3777675127232716960712276549405423807", "146905361198961058382283409152058348364" ] }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-35994-eb8bc974" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dd22b34fb53cb04b13b2f5eee5c9200bb091fc88", "signature_version": "v1", "target": { "file": "drivers/firmware/qcom/qcom_qseecom_uefisecapp.c", "function": "qsee_uefi_get_next_variable" }, "digest": { "length": 2596.0, "function_hash": "148915872931884691775723759306196825553" }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-35994-f0640f7e" }, { "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ed09f81eeaa8f9265e1787282cb283f10285c259", "signature_version": "v1", "target": { "file": "include/linux/firmware/qcom/qcom_qseecom.h" }, "digest": { "threshold": 0.9, "line_hashes": [ "226734500643527656107028409873400096050", "294637864311368034108288966290080003769", "63541556028718314146064367748849255985", "168342633471490483128472335399805016215", "154797796743117754762579360150295378314", "3777675127232716960712276549405423807", "146905361198961058382283409152058348364" ] }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-35994-fc5af4b8" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ed09f81eeaa8f9265e1787282cb283f10285c259", "signature_version": "v1", "target": { "file": "drivers/firmware/qcom/qcom_qseecom_uefisecapp.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "36303647749420967085331422558578076326", "177091670451329022892088607308536823132", "77892961863970005919318135450497482694", "124688583172314181483384437976982962147", "14917146488123046528996852349382228422", "282779025935801293853897790116404047139", "298817403284097011212659536161792578263", "191899665544585705933931366829743410178", "81920114611875540787836228241719051068", "191388820336009057507105025001875897991", "322990685120021176268409727549911741320", "92962322504253419896044046353572970753", "49483465358831181214590202882213700264", "304768109883084862592522721566655155139", "326636009458657634686857759383056188176", "319667891478981505574162413283723216778", "297871164183938750259950512014564429384", "237240656142835405726279735714556629753", "183272462563855908074709235960984384154", "11503193532339907722779332111945027781", "173529116583407309734322278526070165098", "130028686194252510686951056439158616752", "252555585865096378823000727711450007162", "11729593735387406497090186035338863622", "239533130114129372145323054395672499665", 
"217069027500329145626751988682281804120", "130140774468788495425601534087220348129", "314478063918657651733090202969671326992", "156159729527572074432374864453421152536", "131645300270022749203874565854494119346", "106760782947734768009988490863415307608", "300400235537320988915236744444012953707", "211708564904370970325127418738558856013", "40298826875688239708937972731704466880", "134445458877930764354880796067812296015", "49633313338492849746270832042961827897", "6692513430261782586092463668045862977", "68462081612212726848959211723039993043", "88734611356476335934540012513571551681", "59252900535982629306328834573517407560", "299806115494160645858497566034576181845", "161001887725291178334263156233300678825", "182665162717857239673810796938098997256", "105029016931987297022742900758961107326", "269822892132497248145748013201132247193", "215068859838295143879399775352342279468", "337505402405319171463343397675131653635", "297871164183938750259950512014564429384", "237240656142835405726279735714556629753", "183272462563855908074709235960984384154", "120807777220975968233579355817670274028", "109416201483074083868920460329370875704", "301988286311170251187406281571977112720", "228248504194575890401354193285802809984", "11729593735387406497090186035338863622", "248490066871766506728255318761763577484", "273977871033084600973144777104748403921", "102532380007510651466340180652481733736", "5636655513474203547258511247368707450", "19873312689067321611684002812150209438", "203720074013633043414293273815729587520", "55411336244831306435646073366135818760", "182675293230740624971042059226879410173", "291378774151480967612806418873801159381", "253908077946552998321713963470684596118", "40298826875688239708937972731704466880", "134445458877930764354880796067812296015", "49633313338492849746270832042961827897", "6692513430261782586092463668045862977", "288471708152831771592342889561852666442", "67299411287572915412701114952690269596", 
"151687547310136740771350074754349979585", "105131779271952155633757886969187407170", "322990685120021176268409727549911741320", "92962322504253419896044046353572970753", "298008591619657113723728848935885893863", "238499106821540125426160161889455770090", "108403848936753691086833389771940589863", "28014839877736944704968592228651933780", "297871164183938750259950512014564429384", "237240656142835405726279735714556629753", "183272462563855908074709235960984384154", "11503193532339907722779332111945027781", "173529116583407309734322278526070165098", "130028686194252510686951056439158616752", "252555585865096378823000727711450007162", "11729593735387406497090186035338863622", "27413862859342834571272257722252565199", "4384923025397391753018109216240408953", "187132386045695011484794199431145724262", "219578922790249824321124654083067557758", "139753474517417374095214040429016969522", "202431217545075761641368443719053041995", "106760782947734768009988490863415307608", "5856210984626153134353219161510238422", "253908077946552998321713963470684596118", "40298826875688239708937972731704466880", "134445458877930764354880796067812296015", "49633313338492849746270832042961827897", "6692513430261782586092463668045862977", "38595031551422760078686151684537047382", "195563724518347249833884871109673148893", "339332723586477444288335628994095498730", "48898553132971483819516368494524439087", "290826060805966198385218453782747736279", "167714143631358590921098191943870223736", "183272462563855908074709235960984384154", "120807777220975968233579355817670274028", "109416201483074083868920460329370875704", "301988286311170251187406281571977112720", "228248504194575890401354193285802809984", "11729593735387406497090186035338863622", "172732529427952020132101433275296139944", "258783948092398437109614368388823930799", "195901131053609761972963843769131250569", "292103084098239065056508479408495743003", "6665864556412144019545844931801748982", 
"65772859575131178986918106213263825847", "105786950654494339206399367888795062564", "182675293230740624971042059226879410173", "30971931755290667678047140496204833175", "116703213848338812559249844753685752570", "40298826875688239708937972731704466880", "134445458877930764354880796067812296015", "49633313338492849746270832042961827897", "6692513430261782586092463668045862977" ] }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-35994-fe135826" } ]