CVE-2024-56593

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-56593
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56593.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-56593
Published
2024-12-27T15:15:18Z
Modified
2025-10-01T20:17:29Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: Fix oops due to NULL pointer dereference in brcmf_sdiod_sglist_rw()

This patch fixes a NULL pointer dereference bug in brcmfmac that occurs when a high 'sd_sgentry_align' value applies (e.g. 512) and a lot of queued SKBs are sent from the pkt queue.

The problem is the number of entries in the pre-allocated sgtable, it is nents = max(rxglom_size, txglom_size) + max(rxglom_size, txglom_size) >> 4 + 1. Given the default [rt]xglom_size=32 it's actually 35 which is too small. Worst case, the pkt queue can end up with 64 SKBs. This occurs when a new SKB is added for each original SKB if tailroom isn't enough to hold tail_pad. At least one sg entry is needed for each SKB. So, eventually the "skb_queue_walk loop" in brcmf_sdiod_sglist_rw may run out of sg entries. This makes sg_next return NULL and this causes the oops.

The patch sets nents to max(rxglom_size, txglom_size) * 2 to be able to handle the worst-case. Btw. this requires only 64-35=29 * 16 (or 20 if CONFIG_NEED_SG_DMA_LENGTH) = 464 additional bytes of memory.
