CVE-2024-56593

Summary

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: Fix oops due to NULL pointer dereference in brcmf_sdiod_sglist_rw()

This patch fixes a NULL pointer dereference bug in brcmfmac that occurs when a high 'sd_sgentry_align' value applies (e.g. 512) and a lot of queued SKBs are sent from the pkt queue.

The problem is the number of entries in the pre-allocated sgtable, it is nents = max(rxglom_size, txglom_size) + max(rxglom_size, txglom_size) >> 4 + 1. Given the default [rt]xglom_size=32 it's actually 35 which is too small. Worst case, the pkt queue can end up with 64 SKBs. This occurs when a new SKB is added for each original SKB if tailroom isn't enough to hold tail_pad. At least one sg entry is needed for each SKB. So, eventually the "skb_queue_walk loop" in brcmf_sdiod_sglist_rw may run out of sg entries. This makes sg_next return NULL and this causes the oops.

The patch sets nents to max(rxglom_size, txglom_size) * 2 to be able handle the worst-case. Btw. this requires only 64-35=29 * 16 (or 20 if CONFIG_NEED_SG_DMA_LENGTH) = 464 additional bytes of memory.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxaf1fa210f4fc6e304b859b386a3c8a266b1110ab < 342f87d263462c2670b77ea9a32074cab2ac6fa1affected
LinuxLinuxaf1fa210f4fc6e304b859b386a3c8a266b1110ab < 7522d7d745d13fbeff3350fe6aa56c8dae263571affected
LinuxLinuxaf1fa210f4fc6e304b859b386a3c8a266b1110ab < dfb3f9d3f602602de208da7bdcc0f6d5ee74af68affected
LinuxLinuxaf1fa210f4fc6e304b859b386a3c8a266b1110ab < 67a25ea28f8ec1da8894f2f115d01d3becf67dc7affected
LinuxLinuxaf1fa210f4fc6e304b859b386a3c8a266b1110ab < 07c020c6d14d29e5a3ea4e4576b8ecf956a80834affected
LinuxLinuxaf1fa210f4fc6e304b859b386a3c8a266b1110ab < 34941321b516bd7c6103bd01287d71a1804d19d3affected
LinuxLinuxaf1fa210f4fc6e304b859b386a3c8a266b1110ab < 857282b819cbaa0675aaab1e7542e2c0579f52d7affected
LinuxLinux3.15affected
LinuxLinux0 < 3.15unaffected
LinuxLinux5.4.287 <= 5.4.*unaffected
LinuxLinux5.10.231 <= 5.10.*unaffected
LinuxLinux5.15.174 <= 5.15.*unaffected
LinuxLinux6.1.120 <= 6.1.*unaffected
LinuxLinux6.6.66 <= 6.6.*unaffected
LinuxLinux6.12.5 <= 6.12.*unaffected
LinuxLinux6.13 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References