In the Linux kernel, the following vulnerability has been resolved:
iommu/arm-smmu: Defer probe of clients after smmu device bound
A null pointer dereference occurs due to a race between the smmu driver probe and a client driver probe: of_dma_configure() for the client is called after iommu_device_register() in the smmu driver probe has executed, but before driver_bound() for the smmu driver has been called.
Following is how the race occurs:
T1: Smmu device probe               T2: Client device probe
really_probe()
arm_smmu_device_probe()
iommu_device_register()
                                    really_probe()
                                    platform_dma_configure()
                                    of_dma_configure()
                                    of_dma_configure_id()
                                    of_iommu_configure()
                                    iommu_probe_device()
                                    iommu_init_device()
                                    arm_smmu_probe_device()
                                    arm_smmu_get_by_fwnode()
                                      driver_find_device_by_fwnode()
                                      driver_find_device()
                                      next_device()
                                      klist_next()
                                        /* null ptr assigned to smmu */
                                    /* null ptr dereference while smmu->streamid_mask */
driver_bound()
  klist_add_tail()
When this null smmu pointer is dereferenced later in arm_smmu_probe_device(), the device crashes.
Fix this by deferring the probe of the client device until the smmu device has bound to the arm smmu driver, so that the client's probe is retried later instead of proceeding with a null smmu pointer.
[will: Add comment]
[ { "deprecated": false, "id": "CVE-2024-56568-0084a71e", "signature_type": "Function", "target": { "file": "drivers/iommu/arm/arm-smmu/arm-smmu.c", "function": "arm_smmu_probe_device" }, "digest": { "length": 1456.0, "function_hash": "9039133721089767420472915843082351523" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4a9485918a042e3114890dfbe19839a1897f8b2c", "signature_version": "v1" }, { "deprecated": false, "id": "CVE-2024-56568-28a0e311", "signature_type": "Function", "target": { "file": "drivers/iommu/arm/arm-smmu/arm-smmu.c", "function": "arm_smmu_probe_device" }, "digest": { "length": 1373.0, "function_hash": "15154142867954961621382539455656756328" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5018696b19bc6c021e934a8a59f4b1dd8c0ac9f8", "signature_version": "v1" }, { "deprecated": false, "id": "CVE-2024-56568-2afb4695", "signature_type": "Line", "target": { "file": "drivers/iommu/arm/arm-smmu/arm-smmu.c" }, "digest": { "line_hashes": [ "197383445485458935205103103388916474350", "146711407636300543528042627995827034623", "256307887408690471464217786888815704903", "38078960832391978792571960602357650563" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4a9485918a042e3114890dfbe19839a1897f8b2c", "signature_version": "v1" }, { "deprecated": false, "id": "CVE-2024-56568-38e872a5", "signature_type": "Function", "target": { "file": "drivers/iommu/arm/arm-smmu/arm-smmu.c", "function": "arm_smmu_probe_device" }, "digest": { "length": 1456.0, "function_hash": "9039133721089767420472915843082351523" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c2527d07c7e9cda2c6165d5edccf74752baac1b0", "signature_version": "v1" }, { "deprecated": false, "id": "CVE-2024-56568-4bf4a1dc", "signature_type": "Line", "target": { "file": "drivers/iommu/arm/arm-smmu/arm-smmu.c" }, "digest": { "line_hashes": [ 
"197383445485458935205103103388916474350", "146711407636300543528042627995827034623", "256307887408690471464217786888815704903", "38078960832391978792571960602357650563" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dc02407ea952e20c544a078a6be2e6f008327973", "signature_version": "v1" }, { "deprecated": false, "id": "CVE-2024-56568-6a0077f5", "signature_type": "Line", "target": { "file": "drivers/iommu/arm/arm-smmu/arm-smmu.c" }, "digest": { "line_hashes": [ "289245170216164876742802173564708522539", "96367324456936136108157692672334388600", "64427863393090188405286134889172804142", "122914479823671074481631325098558890368" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@229e6ee43d2a160a1592b83aad620d6027084aad", "signature_version": "v1" }, { "deprecated": false, "id": "CVE-2024-56568-7161e7ae", "signature_type": "Function", "target": { "file": "drivers/iommu/arm/arm-smmu/arm-smmu.c", "function": "arm_smmu_probe_device" }, "digest": { "length": 1373.0, "function_hash": "15154142867954961621382539455656756328" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@229e6ee43d2a160a1592b83aad620d6027084aad", "signature_version": "v1" }, { "deprecated": false, "id": "CVE-2024-56568-7271acbf", "signature_type": "Line", "target": { "file": "drivers/iommu/arm/arm-smmu/arm-smmu.c" }, "digest": { "line_hashes": [ "197383445485458935205103103388916474350", "146711407636300543528042627995827034623", "256307887408690471464217786888815704903", "38078960832391978792571960602357650563" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f8f794f387ad21c4696e5cd0626cb6f8a5f6aea5", "signature_version": "v1" }, { "deprecated": false, "id": "CVE-2024-56568-a0b5fd42", "signature_type": "Function", "target": { "file": "drivers/iommu/arm/arm-smmu/arm-smmu.c", "function": "arm_smmu_probe_device" }, "digest": { 
"length": 1456.0, "function_hash": "9039133721089767420472915843082351523" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f8f794f387ad21c4696e5cd0626cb6f8a5f6aea5", "signature_version": "v1" }, { "deprecated": false, "id": "CVE-2024-56568-aba3ace9", "signature_type": "Function", "target": { "file": "drivers/iommu/arm/arm-smmu/arm-smmu.c", "function": "arm_smmu_probe_device" }, "digest": { "length": 1456.0, "function_hash": "9039133721089767420472915843082351523" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dc02407ea952e20c544a078a6be2e6f008327973", "signature_version": "v1" }, { "deprecated": false, "id": "CVE-2024-56568-ee59706c", "signature_type": "Line", "target": { "file": "drivers/iommu/arm/arm-smmu/arm-smmu.c" }, "digest": { "line_hashes": [ "197383445485458935205103103388916474350", "146711407636300543528042627995827034623", "256307887408690471464217786888815704903", "38078960832391978792571960602357650563" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c2527d07c7e9cda2c6165d5edccf74752baac1b0", "signature_version": "v1" }, { "deprecated": false, "id": "CVE-2024-56568-f30cea57", "signature_type": "Line", "target": { "file": "drivers/iommu/arm/arm-smmu/arm-smmu.c" }, "digest": { "line_hashes": [ "289245170216164876742802173564708522539", "96367324456936136108157692672334388600", "64427863393090188405286134889172804142", "122914479823671074481631325098558890368" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5018696b19bc6c021e934a8a59f4b1dd8c0ac9f8", "signature_version": "v1" } ]