A recent vulnerability (CVE-2024-56700) has been discovered and resolved in the Linux kernel's wl128x FM radio driver (media subsystem). The vulnerability is an atomicity violation that occurs when the fmc_send_cmd() function is executed concurrently with a modification of the fmdev->resp_skb value. The race allows an fmdev->resp_skb pointer that has since become NULL to pass the validity check, which eventually leads to a null pointer dereference. In this post, we discuss the details of this vulnerability, the code involved, and the recommended fix.
Vulnerability Details
The bug is present in the fmc_send_cmd() function, where an atomicity violation occurs if the function is executed concurrently with a modification of the fmdev->resp_skb value. The critical section of the code is shown below:
```c
...
/* Validity check performed without holding resp_skb_lock: a concurrent
 * context may set fmdev->resp_skb to NULL right after this check passes. */
if (!fmdev->resp_skb)
        return -EFAULT;

spin_lock(&fmdev->resp_skb_lock);
skb = fmdev->resp_skb;          /* can already be NULL at this point */
fmdev->resp_skb = NULL;
spin_unlock(&fmdev->resp_skb_lock);
...
evt_hdr = (void *)skb->data;    /* line 478: NULL pointer dereference */
...
```
In the above code snippet, the validity check reads fmdev->resp_skb without holding fmdev->resp_skb_lock. If another context sets a non-null fmdev->resp_skb to NULL after the check has passed, the function continues with the now-invalid pointer and a null pointer dereference occurs at line 478, where evt_hdr = (void *)skb->data; is executed.
Fix:
To address this issue, the proposed modification moves the validity check of fmdev->resp_skb inside the locked section of the function, as shown below:
```c
...
spin_lock(&fmdev->resp_skb_lock);
/* The validity check now runs under the same lock that protects the
 * hand-over, so fmdev->resp_skb cannot change between check and use. */
if (!fmdev->resp_skb) {
        spin_unlock(&fmdev->resp_skb_lock);
        return -EFAULT;
}
skb = fmdev->resp_skb;
fmdev->resp_skb = NULL;
spin_unlock(&fmdev->resp_skb_lock);
...
evt_hdr = (void *)skb->data;
...
```
This modification ensures that the value of fmdev->resp_skb cannot change between the validity check and its use, so the pointer that reaches the dereference is the same one that was checked, preventing the null pointer dereference.
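To make the check-then-use race and its fix concrete, the following added example (written for this post, not the kernel's code) models the two shapes of fmc_send_cmd() in user space. A C11 atomic_flag stands in for the spinlock, a constructed sk_buff stands in for the response buffer, and an interleave hook deterministically runs the concurrent writer at the point where the other context would clear fmdev->resp_skb. The function names, the hook and the outcome codes are assumptions of this example; the control flow mirrors the snippets above.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model of the driver state; not the kernel's structs. */
struct sk_buff { unsigned char data[4]; };

struct fmdev {
        atomic_flag resp_skb_lock;           /* stands in for the spinlock */
        struct sk_buff *resp_skb;            /* response buffer handed over by the RX path */
        void (*interleave)(struct fmdev *);  /* test hook: simulates the other context running */
};

static void model_spin_lock(atomic_flag *l)
{
        while (atomic_flag_test_and_set_explicit(l, memory_order_acquire))
                ;
}

static void model_spin_unlock(atomic_flag *l)
{
        atomic_flag_clear_explicit(l, memory_order_release);
}

/* The concurrent writer: the other context clears fmdev->resp_skb under the lock. */
static void writer_clears_resp_skb(struct fmdev *fmdev)
{
        model_spin_lock(&fmdev->resp_skb_lock);
        fmdev->resp_skb = NULL;
        model_spin_unlock(&fmdev->resp_skb_lock);
}

/* Buggy shape: the validity check happens before the lock is taken. */
static int take_resp_skb_buggy(struct fmdev *fmdev, struct sk_buff **out)
{
        if (!fmdev->resp_skb)
                return -EFAULT;              /* check passes while resp_skb is non-NULL */
        if (fmdev->interleave)
                fmdev->interleave(fmdev);    /* window between check and use */
        model_spin_lock(&fmdev->resp_skb_lock);
        *out = fmdev->resp_skb;              /* may now be NULL */
        fmdev->resp_skb = NULL;
        model_spin_unlock(&fmdev->resp_skb_lock);
        return 0;
}

/* Fixed shape: check and hand-over happen under the same lock. */
static int take_resp_skb_fixed(struct fmdev *fmdev, struct sk_buff **out)
{
        if (fmdev->interleave)
                fmdev->interleave(fmdev);    /* writer may run before we lock */
        model_spin_lock(&fmdev->resp_skb_lock);
        if (!fmdev->resp_skb) {
                model_spin_unlock(&fmdev->resp_skb_lock);
                return -EFAULT;              /* refused safely, nothing dereferenced */
        }
        *out = fmdev->resp_skb;
        fmdev->resp_skb = NULL;
        model_spin_unlock(&fmdev->resp_skb_lock);
        return 0;
}

enum outcome { OUTCOME_OK = 0, OUTCOME_REFUSED = 1, OUTCOME_NULL_DEREF = 2 };

/* Run one interleaving and report what the caller would experience at
 * "evt_hdr = (void *)skb->data;" without actually dereferencing NULL. */
int run_scenario(int fixed, int writer_interleaves)
{
        struct sk_buff response = { { 0x00, 0x01, 0x02, 0x03 } };  /* constructed sample */
        struct fmdev dev = { .resp_skb_lock = ATOMIC_FLAG_INIT };
        struct sk_buff *skb = NULL;
        int ret;

        dev.resp_skb = &response;
        dev.interleave = writer_interleaves ? writer_clears_resp_skb : NULL;

        ret = fixed ? take_resp_skb_fixed(&dev, &skb)
                    : take_resp_skb_buggy(&dev, &skb);
        if (ret == -EFAULT)
                return OUTCOME_REFUSED;
        if (skb == NULL)
                return OUTCOME_NULL_DEREF;   /* skb->data would fault here */
        return OUTCOME_OK;
}

int main(void)
{
        printf("buggy, no interleaving:    %d\n", run_scenario(0, 0));
        printf("buggy, writer interleaves: %d\n", run_scenario(0, 1));
        printf("fixed, writer interleaves: %d\n", run_scenario(1, 1));
        return 0;
}
```

The hook sits exactly where the real race window is: after the unlocked check in the buggy shape, and before the lock in the fixed shape. With the writer interleaving, the buggy function returns success but hands back a NULL skb, while the fixed function fails closed with -EFAULT because the check and the hand-over are covered by the same critical section.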
The details of this vulnerability are provided in the following references:
- Linux Kernel Mailing List (LKML) discussion
- CVE-2024-56700 in MITRE's CVE List
Analysis Tool
The bug was discovered using an experimental static analysis tool developed by our team. This tool analyzes locking APIs to extract function pairs that can be concurrently executed, and then examines the instructions in the paired functions to identify possible concurrency bugs, including data races and atomicity violations.
Conclusion
In conclusion, CVE-2024-56700 affects the Linux kernel's wl128x driver (media subsystem) and has been resolved by moving the validity check of fmdev->resp_skb inside the locked section of the fmc_send_cmd() function. This fix ensures that fmdev->resp_skb cannot change between check and use, preventing null pointer dereferences and improving overall system stability. Users of affected systems are advised to update their kernel to a release that contains the fix for this vulnerability.
Timeline
Published on: 12/28/2024 10:15:17 UTC
Last modified on: 01/20/2025 06:26:28 UTC