In the Linux kernel, the following vulnerability has been resolved:
spi: fix null pointer dereference within spi_sync
If spi_sync() is called with a non-empty queue and the same spi_message is then reused, the complete callback for the message remains set while the context is cleared, leading to a null pointer dereference when the callback is invoked from spi_finalize_current_message().
With function inlining disabled, the call stack might look like this:
__raw_spin_lock_irqsave from complete_with_flags+0x18/0x58
complete_with_flags from spi_complete+0x8/0xc
spi_complete from spi_finalize_current_message+0xec/0x184
spi_finalize_current_message from spi_transfer_one_message+0x2a8/0x474
spi_transfer_one_message from __spi_pump_transfer_message+0x104/0x230
__spi_pump_transfer_message from __spi_transfer_message_noqueue+0x30/0xc4
__spi_transfer_message_noqueue from __spi_sync+0x204/0x248
__spi_sync from spi_sync+0x24/0x3c
spi_sync from mcp251xfd_regmap_crc_read+0x124/0x28c [mcp251xfd]
mcp251xfd_regmap_crc_read [mcp251xfd] from _regmap_raw_read+0xf8/0x154
_regmap_raw_read from _regmap_bus_read+0x44/0x70
_regmap_bus_read from _regmap_read+0x60/0xd8
_regmap_read from regmap_read+0x3c/0x5c
regmap_read from mcp251xfd_alloc_can_err_skb+0x1c/0x54 [mcp251xfd]
mcp251xfd_alloc_can_err_skb [mcp251xfd] from mcp251xfd_irq+0x194/0xe70 [mcp251xfd]
mcp251xfd_irq [mcp251xfd] from irq_thread_fn+0x1c/0x78
irq_thread_fn from irq_thread+0x118/0x1f4
irq_thread from kthread+0xd8/0xf4
kthread from ret_from_fork+0x14/0x28
Fix this by also setting message->complete to NULL when the transfer is complete.
{ "vanir_signatures": [ { "id": "CVE-2024-36930-01ddae23", "signature_type": "Function", "target": { "file": "drivers/spi/spi.c", "function": "__spi_sync" }, "signature_version": "v1", "digest": { "length": 1036.0, "function_hash": "100032055341766700443972904600805968877" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4756fa529b2f12b7cb8f21fe229b0f6f47190829" }, { "id": "CVE-2024-36930-2d363159", "signature_type": "Function", "target": { "file": "drivers/spi/spi.c", "function": "__spi_sync" }, "signature_version": "v1", "digest": { "length": 949.0, "function_hash": "305969733995262895975766788040660884841" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a30659f1576d2c8e62e7426232bb18b885fd951a" }, { "id": "CVE-2024-36930-90a31e4c", "signature_type": "Line", "target": { "file": "drivers/spi/spi.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "121330940499508121665131291964195087713", "105379921678225640282944961985287464053", "103119504757705245264060045449939033644", "112387897490243791445124129316700853769" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a30659f1576d2c8e62e7426232bb18b885fd951a" }, { "id": "CVE-2024-36930-d35c8925", "signature_type": "Function", "target": { "file": "drivers/spi/spi.c", "function": "__spi_sync" }, "signature_version": "v1", "digest": { "length": 924.0, "function_hash": "335838746394457522992685902670857783514" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2070d008cc08bff50a58f0f4d30f12d3ebf94c00" }, { "id": "CVE-2024-36930-d4920e40", "signature_type": "Line", "target": { "file": "drivers/spi/spi.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "121330940499508121665131291964195087713", "105379921678225640282944961985287464053", "103119504757705245264060045449939033644", 
"112387897490243791445124129316700853769" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e005d6754e3e440257006795b687c4ad8733b493" }, { "id": "CVE-2024-36930-dd51588d", "signature_type": "Line", "target": { "file": "drivers/spi/spi.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "121330940499508121665131291964195087713", "105379921678225640282944961985287464053", "103119504757705245264060045449939033644", "112387897490243791445124129316700853769" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4756fa529b2f12b7cb8f21fe229b0f6f47190829" }, { "id": "CVE-2024-36930-e6a43cc9", "signature_type": "Function", "target": { "file": "drivers/spi/spi.c", "function": "__spi_sync" }, "signature_version": "v1", "digest": { "length": 949.0, "function_hash": "305969733995262895975766788040660884841" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e005d6754e3e440257006795b687c4ad8733b493" }, { "id": "CVE-2024-36930-fa55b09f", "signature_type": "Line", "target": { "file": "drivers/spi/spi.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "121330940499508121665131291964195087713", "105379921678225640282944961985287464053", "103119504757705245264060045449939033644", "112387897490243791445124129316700853769" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2070d008cc08bff50a58f0f4d30f12d3ebf94c00" } ] }