CVE-2024-56593
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: Fix oops due to NULL pointer dereference in brcmf_sdiod_sglist_rw()
This patch fixes a NULL pointer dereference bug in brcmfmac that occurs
when a high 'sd_sgentry_align' value applies (e.g. 512) and a lot of queued SKBs
are sent from the pkt queue.
The problem is the number of entries in the pre-allocated sgtable, it is
nents = max(rxglom_size, txglom_size) + max(rxglom_size, txglom_size) >> 4 + 1.
Given the default [rt]xglom_size=32 it's actually 35 which is too small.
Worst case, the pkt queue can end up with 64 SKBs. This occurs when a new SKB
is added for each original SKB if tailroom isn't enough to hold tail_pad.
At least one sg entry is needed for each SKB. So, eventually the 'skb_queue_walk loop'
in brcmf_sdiod_sglist_rw may run out of sg entries. This makes sg_next return
NULL and this causes the oops.
The patch sets nents to max(rxglom_size, txglom_size) * 2 to be able handle
the worst-case.
Btw. this requires only 64-35=29 * 16 (or 20 if CONFIG_NEED_SG_DMA_LENGTH) = 464
additional bytes of memory.
EPSS (Exploit Prediction Scoring System)
EPSS (Exploit Prediction Scoring System)
Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.
EPSS Score Trend (Last 90 Days)
NULL Pointer Dereference
StableCommon Consequences
Applicable Platforms
Linux Kernel by Linux
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Linux Kernel by Linux
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Linux Kernel by Linux
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Linux Kernel by Linux
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Linux Kernel by Linux
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Linux Kernel by Linux
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*