{ "id": "CVE-2024-26607", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-02-29T12:15:47.920", "lastModified": "2025-01-09T15:27:20.860", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: sii902x: Fix probing race issue\n\nA null pointer dereference crash has been observed rarely on TI\nplatforms using sii9022 bridge:\n\n[ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x]\n[ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x]\n[ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm]\n[ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper]\n[ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper]\n[ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm]\n[ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper]\n[ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper]\n[ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper]\n[ 53.326401] drm_client_register+0x5c/0xa0 [drm]\n[ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper]\n[ 53.336881] tidss_probe+0x128/0x264 [tidss]\n[ 53.341174] platform_probe+0x68/0xc4\n[ 53.344841] really_probe+0x188/0x3c4\n[ 53.348501] __driver_probe_device+0x7c/0x16c\n[ 53.352854] driver_probe_device+0x3c/0x10c\n[ 53.357033] __device_attach_driver+0xbc/0x158\n[ 53.361472] bus_for_each_drv+0x88/0xe8\n[ 53.365303] __device_attach+0xa0/0x1b4\n[ 53.369135] device_initial_probe+0x14/0x20\n[ 53.373314] bus_probe_device+0xb0/0xb4\n[ 53.377145] deferred_probe_work_func+0xcc/0x124\n[ 53.381757] process_one_work+0x1f0/0x518\n[ 53.385770] worker_thread+0x1e8/0x3dc\n[ 53.389519] kthread+0x11c/0x120\n[ 53.392750] ret_from_fork+0x10/0x20\n\nThe issue here is as follows:\n\n- tidss probes, but is deferred as sii902x is still missing.\n- sii902x starts probing and enters sii902x_init().\n- sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from\n DRM's perspective.\n- sii902x calls sii902x_audio_codec_init() and\n platform_device_register_data()\n- The registration of the audio platform device causes probing of the\n deferred devices.\n- tidss probes, which eventually causes sii902x_bridge_get_edid() to be\n called.\n- sii902x_bridge_get_edid() tries to use the i2c to read the edid.\n However, the sii902x driver has not set up the i2c part yet, leading\n to the crash.\n\nFix this by moving the drm_bridge_add() to the end of the\nsii902x_init(), which is also at the very end of sii902x_probe()." }, { "lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/bridge: sii902x: soluciona el problema de carrera de sondeo. Rara vez se ha observado un fallo de desreferencia de puntero nulo en plataformas TI que utilizan el puente sii9022: [ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x] [ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x] [ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm] [ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper] [ 53 .292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper] [ 53.300510] drm_client_modeset_probe+0x1f0/ 0xbd4 [drm] [ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper] [ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper] [ 53.320039] drm_f bdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper] [ 53.326401] drm_client_register+0x5c/0xa0 [drm] [ 53.331216 ] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper] [ 53.336881] tidss_probe+0x128/0x264 [tidss] [ 53.341174] platform_probe+0x68/0xc4 [ 53.344841] very_probe+0x188/0x3 c4 [ 53.348501] __driver_probe_device+0x7c/0x16c [ 53.352854] driver_probe_device+0x3c /0x10c [ 53.357033] __device_attach_driver+0xbc/0x158 [ 53.361472] bus_for_each_drv+0x88/0xe8 [ 53.365303] __device_attach+0xa0/0x1b4 [ 53.369135] dispositivo_initial_probe+0x14/0 x20 [ 53.373314] dispositivo_probe_bus+0xb0/0xb4 [ 53.377145] funci\u00f3n_trabajo_probe_diferida+0xcc/0x124 [ 53.381757] Process_one_work+0x1f0/0x518 [ 53.385770] Worker_thread+0x1e8/0x3dc [ 53.389519] kthread+0x11c/0x120 [ 53.392750] ret_from_fork+0x10/0x20 El problema aqu\u00ed es el siguiente: - tids s, pero se pospone ya que sii902x todav\u00eda est\u00e1 desaparecido. - sii902x comienza a sondear e ingresa sii902x_init(). - sii902x llama a drm_bridge_add(). Ahora el puente sii902x est\u00e1 listo desde la perspectiva de DRM. - sii902x llama a sii902x_audio_codec_init() y platform_device_register_data() - El registro del dispositivo de plataforma de audio provoca el sondeo de los dispositivos diferidos. - sondas tidss, que eventualmente provocan que se llame a sii902x_bridge_get_edid(). - sii902x_bridge_get_edid() intenta usar i2c para leer el edit. Sin embargo, el controlador sii902x a\u00fan no ha configurado la parte i2c, lo que provoc\u00f3 el fallo. Solucione este problema moviendo drm_bridge_add() al final de sii902x_init(), que tambi\u00e9n est\u00e1 al final de sii902x_probe()." } ], "metrics": { "cvssMetricV31": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH" }, "exploitabilityScore": 1.0, "impactScore": 3.6 } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-476" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "6.1.76", "matchCriteriaId": "5A8ED3BC-6D4B-4594-A264-526AF3EDC94F" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.15", "matchCriteriaId": "87C718CB-AE3D-4B07-B4D9-BFF64183C468" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.7.3", "matchCriteriaId": "58FD5308-148A-40D3-B36A-0CA6B434A8BF" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*", "matchCriteriaId": "B9F4EA73-0894-400F-A490-3A397AB7A517" } ] } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/08ac6f132dd77e40f786d8af51140c96c6d739c9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/2a4c6af7934a7b4c304542c38fee35e09cc1770c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/56f96cf6eb11a1c2d594367c3becbfb06a855ec1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/e0f83c234ea7a3dec1f84e5d02caa1c51664a076", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/08ac6f132dd77e40f786d8af51140c96c6d739c9", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/2a4c6af7934a7b4c304542c38fee35e09cc1770c", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/56f96cf6eb11a1c2d594367c3becbfb06a855ec1", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/e0f83c234ea7a3dec1f84e5d02caa1c51664a076", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ] } ] }