CVE-2024-26909

EUVD-2024-24171

17.04.2024, 11:15

In the Linux kernel, the following vulnerability has been resolved:

soc: qcom: pmic_glink_altmode: fix drm bridge use-after-free

A recent DRM series purporting to simplify support for "transparent
bridges" and handling of probe deferrals ironically exposed a
use-after-free issue on pmic_glink_altmode probe deferral.

This has manifested itself as the display subsystem occasionally failing
to initialise and NULL-pointer dereferences during boot of machines like
the Lenovo ThinkPad X13s.

Specifically, the dp-hpd bridge is currently registered before all
resources have been acquired which means that it can also be
deregistered on probe deferrals.

In the meantime there is a race window where the new aux bridge driver
(or PHY driver previously) may have looked up the dp-hpd bridge and
stored a (non-reference-counted) pointer to the bridge which is about to
be deallocated.

When the display controller is later initialised, this triggers a
use-after-free when attaching the bridges:

	dp -> aux -> dp-hpd (freed)

which may, for example, result in the freed bridge failing to attach:

	[drm:drm_bridge_attach [drm]] *ERROR* failed to attach bridge /soc@0/phy@88eb000 to encoder TMDS-31: -16

or a NULL-pointer dereference:

	Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
	...
	Call trace:
	  drm_bridge_attach+0x70/0x1a8 [drm]
	  drm_aux_bridge_attach+0x24/0x38 [aux_bridge]
	  drm_bridge_attach+0x80/0x1a8 [drm]
	  dp_bridge_init+0xa8/0x15c [msm]
	  msm_dp_modeset_init+0x28/0xc4 [msm]

The DRM bridge implementation is clearly fragile and implicitly built on
the assumption that bridges may never go away. In this case, the fix is
to move the bridge registration in the pmic_glink_altmode driver to
after all resources have been looked up.

Incidentally, with the new dp-hpd bridge implementation, which registers
child devices, this is also a requirement due to a long-standing issue
in driver core that can otherwise lead to a probe deferral loop (see
commit fbc35b45f9f6 ("Add documentation on meaning of -EPROBE_DEFER")).

[DB: slightly fixed commit message by adding the word 'commit']

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	6.3 ≤ 𝑥 < 6.6.23
linux	linux_kernel	6.7 ≤ 𝑥 < 6.7.11

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.148-1 not-affected
bookworm (security)	6.1.158-1 fixed
bullseye	5.10.223-1 not-affected
bullseye (security)	5.10.247-1 fixed
buster	not-affected
forky	6.17.13-1 fixed
sid	6.17.13-1 fixed
trixie	6.12.57-1 fixed
trixie (security)	6.12.48-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux-hwe

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	not-affected

linux-hwe-5.4

bionic	not-affected
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-hwe-5.8

bionic	dne
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-hwe-5.11

bionic	dne
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-hwe-5.13

bionic	dne
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-hwe-5.15

bionic	dne
focal	not-affected
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-hwe-5.19

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-hwe-6.2

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-hwe-6.5

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-hwe-edge

bionic	not-affected
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	ignored

linux-lts-xenial

bionic	dne
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	not-affected
xenial	dne

linux-kvm

bionic	not-affected
focal	not-affected
jammy	not-affected
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	not-affected

linux-allwinner-5.19

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-aws-5.0

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-aws-5.3

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-aws-5.4

bionic	not-affected
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-aws-5.8

bionic	dne
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-aws-5.11

bionic	dne
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-aws-5.13

bionic	dne
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-aws-5.15

bionic	dne
focal	not-affected
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-aws-5.19

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-aws-6.2

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-aws-6.5

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-aws-hwe

bionic	dne
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	not-affected

linux-azure

bionic	ignored
focal	not-affected
jammy	not-affected
mantic	ignored
noble	not-affected
oracular	not-affected
trusty	not-affected
xenial	not-affected

linux-azure-4.15

bionic	not-affected
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-5.3

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-5.4

bionic	not-affected
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-5.8

bionic	dne
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-5.11

bionic	dne
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gcp-6.2

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-5.13

bionic	dne
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-5.15

bionic	dne
focal	not-affected
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-5.19

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-6.2

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-6.5

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-fde

bionic	dne
focal	ignored
jammy	not-affected
mantic	dne
noble	not-affected
oracular	dne
trusty	dne
xenial	dne

linux-azure-fde-5.15

bionic	dne
focal	not-affected
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-fde-5.19

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-fde-6.2

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-bluefield

bionic	dne
focal	not-affected
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-edge

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-fips

bionic	not-affected
focal	not-affected
jammy	not-affected
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	not-affected

linux-gcp

bionic	ignored
focal	not-affected
jammy	not-affected
mantic	ignored
noble	not-affected
oracular	not-affected
trusty	dne
xenial	not-affected

linux-gcp-4.15

bionic	not-affected
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gcp-5.3

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gcp-5.4

bionic	not-affected
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gcp-5.8

bionic	dne
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gcp-5.11

bionic	dne
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gcp-5.13

bionic	dne
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gcp-5.15

bionic	dne
focal	not-affected
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gcp-5.19

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gcp-6.5

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gke

bionic	dne
focal	ignored
jammy	not-affected
mantic	dne
noble	not-affected
oracular	dne
trusty	dne
xenial	ignored

linux-gke-4.15

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gke-5.4

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gke-5.15

bionic	dne
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gkeop

bionic	dne
focal	not-affected
jammy	not-affected
mantic	dne
noble	not-affected
oracular	dne
trusty	dne
xenial	dne

linux-gkeop-5.4

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gkeop-5.15

bionic	dne
focal	not-affected
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-ibm

bionic	dne
focal	not-affected
jammy	not-affected
mantic	ignored
noble	not-affected
oracular	dne
trusty	dne
xenial	dne

linux-ibm-5.4

bionic	not-affected
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-ibm-5.15

bionic	dne
focal	not-affected
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-intel-5.13

bionic	dne
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-intel-iotg

bionic	dne
focal	dne
jammy	not-affected
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-intel-iotg-5.15

bionic	dne
focal	not-affected
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-iot

bionic	dne
focal	not-affected
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-laptop

bionic	dne
focal	dne
jammy	dne
mantic	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-lowlatency

bionic	dne
focal	dne
jammy	not-affected
mantic	ignored
noble	not-affected
oracular	not-affected
trusty	dne
xenial	dne

linux-lowlatency-hwe-5.15

bionic	dne
focal	not-affected
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-lowlatency-hwe-5.19

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-lowlatency-hwe-6.2

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-lowlatency-hwe-6.5

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-nvidia

bionic	dne
focal	dne
jammy	not-affected
mantic	dne
noble	not-affected
oracular	dne
trusty	dne
xenial	dne

linux-nvidia-6.2

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-nvidia-6.5

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oracle-5.0

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oracle-5.3

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oracle-5.4

bionic	not-affected
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oracle-5.8

bionic	dne
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oracle-5.11

bionic	dne
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oracle-5.13

bionic	dne
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oracle-5.15

bionic	dne
focal	not-affected
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oracle-6.5

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oem

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	ignored

linux-oem-5.6

bionic	dne
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oem-5.10

bionic	dne
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oem-5.13

bionic	dne
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oem-5.14

bionic	dne
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oem-5.17

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oem-6.0

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oem-6.1

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oem-6.5

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-raspi2

bionic	ignored
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	ignored

linux-raspi-5.4

bionic	not-affected
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-riscv

bionic	dne
focal	ignored
jammy	ignored
mantic	ignored
noble	not-affected
oracular	not-affected
trusty	dne
xenial	dne

linux-riscv-5.8

bionic	dne
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-riscv-5.11

bionic	dne
focal	ignored
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-riscv-5.15

bionic	dne
focal	not-affected
jammy	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-riscv-5.19

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-riscv-6.5

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-starfive

bionic	dne
focal	dne
jammy	dne
mantic	ignored
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-starfive-5.19

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-starfive-6.2

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-starfive-6.5

bionic	dne
focal	dne
jammy	ignored
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-xilinx-zynqmp

bionic	dne
focal	not-affected
jammy	not-affected
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux

bionic	not-affected
focal	not-affected
jammy	not-affected
mantic	ignored
noble	not-affected
oracular	not-affected
trusty	not-affected
xenial	not-affected

linux-aws

bionic	not-affected
focal	not-affected
jammy	not-affected
mantic	ignored
noble	not-affected
oracular	not-affected
trusty	not-affected
xenial	not-affected

linux-aws-fips

bionic	not-affected
focal	not-affected
jammy	not-affected
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-fips

bionic	not-affected
focal	not-affected
jammy	not-affected
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gcp-fips

bionic	not-affected
focal	not-affected
jammy	not-affected
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oem-6.8

bionic	dne
focal	dne
jammy	dne
mantic	dne
noble	not-affected
oracular	dne
trusty	dne
xenial	dne

linux-oracle

bionic	not-affected
focal	not-affected
jammy	not-affected
mantic	ignored
noble	not-affected
oracular	not-affected
trusty	dne
xenial	not-affected

linux-raspi

bionic	dne
focal	not-affected
jammy	not-affected
mantic	ignored
noble	not-affected
oracular	not-affected
trusty	dne
xenial	dne

linux-intel

bionic	dne
focal	dne
jammy	dne
mantic	dne
noble	not-affected
oracular	dne
trusty	dne
xenial	dne

linux-nvidia-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-nvidia-lowlatency

bionic	dne
focal	dne
jammy	dne
noble	not-affected
oracular	dne
trusty	dne
xenial	dne

linux-hwe-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-lowlatency-hwe-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-riscv-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-intel-iot-realtime

bionic	dne
focal	dne
jammy	not-affected
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-raspi-realtime

bionic	dne
focal	dne
jammy	dne
noble	Fixed 6.8.0-2002.2 released
oracular	dne
trusty	dne
xenial	dne

linux-realtime

bionic	dne
focal	dne
jammy	not-affected
noble	not-affected
oracular	not-affected
trusty	dne
xenial	dne

linux-aws-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-gcp-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oracle-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-azure-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
oracular	dne
trusty	dne
xenial	dne

linux-oem-6.11

bionic	dne
focal	dne
jammy	dne
noble	not-affected
oracular	dne
trusty	dne
xenial	dne

Common Weakness Enumeration

CWE-416 - Use After Free
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

References

https://git.kernel.org/stable/c/2bbd65c6ca567ed8dbbfc4fb945f57ce64bef342

https://git.kernel.org/stable/c/b979f2d50a099f3402418d7ff5f26c3952fb08bb

https://git.kernel.org/stable/c/ef45aa2841e15b649e5417fe3d4de395fe462781

https://git.kernel.org/stable/c/2bbd65c6ca567ed8dbbfc4fb945f57ce64bef342

https://git.kernel.org/stable/c/b979f2d50a099f3402418d7ff5f26c3952fb08bb

https://git.kernel.org/stable/c/ef45aa2841e15b649e5417fe3d4de395fe462781