CVE-2024-36930

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-36930
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-36930.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-36930
Downstream
Related
Published
2024-05-30T15:29:22Z
Modified
2025-10-15T11:38:01.941643Z
Summary
spi: fix null pointer dereference within spi_sync
Details

In the Linux kernel, the following vulnerability has been resolved:

spi: fix null pointer dereference within spi_sync

If spisync() is called with the non-empty queue and the same spimessage is then reused, the complete callback for the message remains set while the context is cleared, leading to a null pointer dereference when the callback is invoked from spifinalizecurrent_message().

With function inlining disabled, the call stack might look like this:

rawspinlockirqsave from completewithflags+0x18/0x58 completewithflags from spicomplete+0x8/0xc spicomplete from spifinalizecurrentmessage+0xec/0x184 spifinalizecurrentmessage from spitransferonemessage+0x2a8/0x474 spitransferonemessage from _spipumptransfermessage+0x104/0x230 _spipumptransfermessage from _spitransfermessagenoqueue+0x30/0xc4 _spitransfermessagenoqueue from _spisync+0x204/0x248 _spisync from spisync+0x24/0x3c spisync from mcp251xfdregmapcrcread+0x124/0x28c [mcp251xfd] mcp251xfdregmapcrcread [mcp251xfd] from regmaprawread+0xf8/0x154 _regmaprawread from _regmapbusread+0x44/0x70 _regmapbusread from _regmapread+0x60/0xd8 regmapread from regmapread+0x3c/0x5c regmapread from mcp251xfdalloccanerrskb+0x1c/0x54 [mcp251xfd] mcp251xfdalloccanerrskb [mcp251xfd] from mcp251xfdirq+0x194/0xe70 [mcp251xfd] mcp251xfdirq [mcp251xfd] from irqthreadfn+0x1c/0x78 irqthreadfn from irqthread+0x118/0x1f4 irqthread from kthread+0xd8/0xf4 kthread from retfromfork+0x14/0x28

Fix this by also setting message->complete to NULL when the transfer is complete.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ae7d2346dc89ae89a6e0aabe6037591a11e593c0
Fixed
e005d6754e3e440257006795b687c4ad8733b493
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ae7d2346dc89ae89a6e0aabe6037591a11e593c0
Fixed
a30659f1576d2c8e62e7426232bb18b885fd951a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ae7d2346dc89ae89a6e0aabe6037591a11e593c0
Fixed
2070d008cc08bff50a58f0f4d30f12d3ebf94c00
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ae7d2346dc89ae89a6e0aabe6037591a11e593c0
Fixed
4756fa529b2f12b7cb8f21fe229b0f6f47190829

Affected versions

v5.*

v5.19
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.4
v6.1.40
v6.1.41
v6.1.42
v6.1.43
v6.1.44
v6.1.45
v6.1.46
v6.1.47
v6.1.48
v6.1.49
v6.1.5
v6.1.50
v6.1.51
v6.1.52
v6.1.53
v6.1.54
v6.1.55
v6.1.56
v6.1.57
v6.1.58
v6.1.59
v6.1.6
v6.1.60
v6.1.61
v6.1.62
v6.1.63
v6.1.64
v6.1.65
v6.1.66
v6.1.67
v6.1.68
v6.1.69
v6.1.7
v6.1.70
v6.1.71
v6.1.72
v6.1.73
v6.1.74
v6.1.75
v6.1.76
v6.1.77
v6.1.78
v6.1.79
v6.1.8
v6.1.80
v6.1.81
v6.1.82
v6.1.83
v6.1.84
v6.1.85
v6.1.86
v6.1.87
v6.1.88
v6.1.89
v6.1.9
v6.1.90
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.8.1
v6.8.2
v6.8.3
v6.8.4
v6.8.5
v6.8.6
v6.8.7
v6.8.8
v6.8.9
v6.9-rc1
v6.9-rc2
v6.9-rc3

Database specific

{
    "vanir_signatures": [
        {
            "id": "CVE-2024-36930-01ddae23",
            "signature_type": "Function",
            "target": {
                "file": "drivers/spi/spi.c",
                "function": "__spi_sync"
            },
            "signature_version": "v1",
            "digest": {
                "length": 1036.0,
                "function_hash": "100032055341766700443972904600805968877"
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4756fa529b2f12b7cb8f21fe229b0f6f47190829"
        },
        {
            "id": "CVE-2024-36930-2d363159",
            "signature_type": "Function",
            "target": {
                "file": "drivers/spi/spi.c",
                "function": "__spi_sync"
            },
            "signature_version": "v1",
            "digest": {
                "length": 949.0,
                "function_hash": "305969733995262895975766788040660884841"
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a30659f1576d2c8e62e7426232bb18b885fd951a"
        },
        {
            "id": "CVE-2024-36930-90a31e4c",
            "signature_type": "Line",
            "target": {
                "file": "drivers/spi/spi.c"
            },
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "121330940499508121665131291964195087713",
                    "105379921678225640282944961985287464053",
                    "103119504757705245264060045449939033644",
                    "112387897490243791445124129316700853769"
                ],
                "threshold": 0.9
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a30659f1576d2c8e62e7426232bb18b885fd951a"
        },
        {
            "id": "CVE-2024-36930-d35c8925",
            "signature_type": "Function",
            "target": {
                "file": "drivers/spi/spi.c",
                "function": "__spi_sync"
            },
            "signature_version": "v1",
            "digest": {
                "length": 924.0,
                "function_hash": "335838746394457522992685902670857783514"
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2070d008cc08bff50a58f0f4d30f12d3ebf94c00"
        },
        {
            "id": "CVE-2024-36930-d4920e40",
            "signature_type": "Line",
            "target": {
                "file": "drivers/spi/spi.c"
            },
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "121330940499508121665131291964195087713",
                    "105379921678225640282944961985287464053",
                    "103119504757705245264060045449939033644",
                    "112387897490243791445124129316700853769"
                ],
                "threshold": 0.9
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e005d6754e3e440257006795b687c4ad8733b493"
        },
        {
            "id": "CVE-2024-36930-dd51588d",
            "signature_type": "Line",
            "target": {
                "file": "drivers/spi/spi.c"
            },
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "121330940499508121665131291964195087713",
                    "105379921678225640282944961985287464053",
                    "103119504757705245264060045449939033644",
                    "112387897490243791445124129316700853769"
                ],
                "threshold": 0.9
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4756fa529b2f12b7cb8f21fe229b0f6f47190829"
        },
        {
            "id": "CVE-2024-36930-e6a43cc9",
            "signature_type": "Function",
            "target": {
                "file": "drivers/spi/spi.c",
                "function": "__spi_sync"
            },
            "signature_version": "v1",
            "digest": {
                "length": 949.0,
                "function_hash": "305969733995262895975766788040660884841"
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e005d6754e3e440257006795b687c4ad8733b493"
        },
        {
            "id": "CVE-2024-36930-fa55b09f",
            "signature_type": "Line",
            "target": {
                "file": "drivers/spi/spi.c"
            },
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "121330940499508121665131291964195087713",
                    "105379921678225640282944961985287464053",
                    "103119504757705245264060045449939033644",
                    "112387897490243791445124129316700853769"
                ],
                "threshold": 0.9
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2070d008cc08bff50a58f0f4d30f12d3ebf94c00"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.1.91
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.31
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.8.10