CVE-2024-36930

If spisync() is called with the non-empty queue and the same spimessage is then reused, the complete callback for the message remains set while the context is cleared, leading to a null pointer dereference when the callback is invoked from spifinalizecurrent_message().

With function inlining disabled, the call stack might look like this:

rawspinlockirqsave from completewithflags+0x18/0x58 completewithflags from spicomplete+0x8/0xc spicomplete from spifinalizecurrentmessage+0xec/0x184 spifinalizecurrentmessage from spitransferonemessage+0x2a8/0x474 spitransferonemessage from _spipumptransfermessage+0x104/0x230 _spipumptransfermessage from _spitransfermessagenoqueue+0x30/0xc4 _spitransfermessagenoqueue from _spisync+0x204/0x248 _spisync from spisync+0x24/0x3c spisync from mcp251xfdregmapcrcread+0x124/0x28c [mcp251xfd] mcp251xfdregmapcrcread [mcp251xfd] from regmaprawread+0xf8/0x154 _regmaprawread from _regmapbusread+0x44/0x70 _regmapbusread from _regmapread+0x60/0xd8 regmapread from regmapread+0x3c/0x5c regmapread from mcp251xfdalloccanerrskb+0x1c/0x54 [mcp251xfd] mcp251xfdalloccanerrskb [mcp251xfd] from mcp251xfdirq+0x194/0xe70 [mcp251xfd] mcp251xfdirq [mcp251xfd] from irqthreadfn+0x1c/0x78 irqthreadfn from irqthread+0x118/0x1f4 irqthread from kthread+0xd8/0xf4 kthread from retfromfork+0x14/0x28

Fix this by also setting message->complete to NULL when the transfer is complete.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

ae7d2346dc89ae89a6e0aabe6037591a11e593c0

Fixed

e005d6754e3e440257006795b687c4ad8733b493

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

ae7d2346dc89ae89a6e0aabe6037591a11e593c0

Fixed

a30659f1576d2c8e62e7426232bb18b885fd951a

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

ae7d2346dc89ae89a6e0aabe6037591a11e593c0

Fixed

2070d008cc08bff50a58f0f4d30f12d3ebf94c00

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

ae7d2346dc89ae89a6e0aabe6037591a11e593c0

Fixed

4756fa529b2f12b7cb8f21fe229b0f6f47190829

Affected versions

v5.*

v5.19

v5.19-rc2

v5.19-rc3

v5.19-rc4

v5.19-rc5

v5.19-rc6

v5.19-rc7

v5.19-rc8

v6.*

v6.0

v6.0-rc1

v6.0-rc2

v6.0-rc3

v6.0-rc4

v6.0-rc5

v6.0-rc6

v6.0-rc7

v6.1

v6.1-rc1

v6.1-rc2

v6.1-rc3

v6.1-rc4

v6.1-rc5

v6.1-rc6

v6.1-rc7

v6.1-rc8

v6.1.1

v6.1.10

v6.1.11

v6.1.12

v6.1.13

v6.1.14

v6.1.15

v6.1.16

v6.1.17

v6.1.18

v6.1.19

v6.1.2

v6.1.20

v6.1.21

v6.1.22

v6.1.23

v6.1.24

v6.1.25

v6.1.26

v6.1.27

v6.1.28

v6.1.29

v6.1.3

v6.1.30

v6.1.31

v6.1.32

v6.1.33

v6.1.34

v6.1.35

v6.1.36

v6.1.37

v6.1.38

v6.1.39

v6.1.4

v6.1.40

v6.1.41

v6.1.42

v6.1.43

v6.1.44

v6.1.45

v6.1.46

v6.1.47

v6.1.48

v6.1.49

v6.1.5

v6.1.50

v6.1.51

v6.1.52

v6.1.53

v6.1.54

v6.1.55

v6.1.56

v6.1.57

v6.1.58

v6.1.59

v6.1.6

v6.1.60

v6.1.61

v6.1.62

v6.1.63

v6.1.64

v6.1.65

v6.1.66

v6.1.67

v6.1.68

v6.1.69

v6.1.7

v6.1.70

v6.1.71

v6.1.72

v6.1.73

v6.1.74

v6.1.75

v6.1.76

v6.1.77

v6.1.78

v6.1.79

v6.1.8

v6.1.80

v6.1.81

v6.1.82

v6.1.83

v6.1.84

v6.1.85

v6.1.86

v6.1.87

v6.1.88

v6.1.89

v6.1.9

v6.1.90

v6.2

v6.2-rc1

v6.2-rc2

v6.2-rc3

v6.2-rc4

v6.2-rc5

v6.2-rc6

v6.2-rc7

v6.2-rc8

v6.3

v6.3-rc1

v6.3-rc2

v6.3-rc3

v6.3-rc4

v6.3-rc5

v6.3-rc6

v6.3-rc7

v6.4

v6.4-rc1

v6.4-rc2

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.5

v6.5-rc1

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.6

v6.6-rc1

v6.6-rc2

v6.6-rc3

v6.6-rc4

v6.6-rc5

v6.6-rc6

v6.6-rc7

v6.6.1

v6.6.10

v6.6.11

v6.6.12

v6.6.13

v6.6.14

v6.6.15

v6.6.16

v6.6.17

v6.6.18

v6.6.19

v6.6.2

v6.6.20

v6.6.21

v6.6.22

v6.6.23

v6.6.24

v6.6.25

v6.6.26

v6.6.27

v6.6.28

v6.6.29

v6.6.3

v6.6.30

v6.6.4

v6.6.5

v6.6.6

v6.6.7

v6.6.8

v6.6.9

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.8.1

v6.8.2

v6.8.3

v6.8.4

v6.8.5

v6.8.6

v6.8.7

v6.8.8

v6.8.9

v6.9-rc1

v6.9-rc2

v6.9-rc3

Database specific

{
    "vanir_signatures": [
        {
            "id": "CVE-2024-36930-01ddae23",
            "signature_type": "Function",
            "target": {
                "file": "drivers/spi/spi.c",
                "function": "__spi_sync"
            },
            "signature_version": "v1",
            "digest": {
                "length": 1036.0,
                "function_hash": "100032055341766700443972904600805968877"
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4756fa529b2f12b7cb8f21fe229b0f6f47190829"
        },
        {
            "id": "CVE-2024-36930-2d363159",
            "signature_type": "Function",
            "target": {
                "file": "drivers/spi/spi.c",
                "function": "__spi_sync"
            },
            "signature_version": "v1",
            "digest": {
                "length": 949.0,
                "function_hash": "305969733995262895975766788040660884841"
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a30659f1576d2c8e62e7426232bb18b885fd951a"
        },
        {
            "id": "CVE-2024-36930-90a31e4c",
            "signature_type": "Line",
            "target": {
                "file": "drivers/spi/spi.c"
            },
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "121330940499508121665131291964195087713",
                    "105379921678225640282944961985287464053",
                    "103119504757705245264060045449939033644",
                    "112387897490243791445124129316700853769"
                ],
                "threshold": 0.9
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a30659f1576d2c8e62e7426232bb18b885fd951a"
        },
        {
            "id": "CVE-2024-36930-d35c8925",
            "signature_type": "Function",
            "target": {
                "file": "drivers/spi/spi.c",
                "function": "__spi_sync"
            },
            "signature_version": "v1",
            "digest": {
                "length": 924.0,
                "function_hash": "335838746394457522992685902670857783514"
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2070d008cc08bff50a58f0f4d30f12d3ebf94c00"
        },
        {
            "id": "CVE-2024-36930-d4920e40",
            "signature_type": "Line",
            "target": {
                "file": "drivers/spi/spi.c"
            },
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "121330940499508121665131291964195087713",
                    "105379921678225640282944961985287464053",
                    "103119504757705245264060045449939033644",
                    "112387897490243791445124129316700853769"
                ],
                "threshold": 0.9
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e005d6754e3e440257006795b687c4ad8733b493"
        },
        {
            "id": "CVE-2024-36930-dd51588d",
            "signature_type": "Line",
            "target": {
                "file": "drivers/spi/spi.c"
            },
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "121330940499508121665131291964195087713",
                    "105379921678225640282944961985287464053",
                    "103119504757705245264060045449939033644",
                    "112387897490243791445124129316700853769"
                ],
                "threshold": 0.9
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4756fa529b2f12b7cb8f21fe229b0f6f47190829"
        },
        {
            "id": "CVE-2024-36930-e6a43cc9",
            "signature_type": "Function",
            "target": {
                "file": "drivers/spi/spi.c",
                "function": "__spi_sync"
            },
            "signature_version": "v1",
            "digest": {
                "length": 949.0,
                "function_hash": "305969733995262895975766788040660884841"
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e005d6754e3e440257006795b687c4ad8733b493"
        },
        {
            "id": "CVE-2024-36930-fa55b09f",
            "signature_type": "Line",
            "target": {
                "file": "drivers/spi/spi.c"
            },
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "121330940499508121665131291964195087713",
                    "105379921678225640282944961985287464053",
                    "103119504757705245264060045449939033644",
                    "112387897490243791445124129316700853769"
                ],
                "threshold": 0.9
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2070d008cc08bff50a58f0f4d30f12d3ebf94c00"
        }
    ]
}

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.1.91

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.31

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.8.10