scsi: pm80xx: Set phy->enable_completion only when we wait for it

CVE-2024-47666
5.5 MEDIUM

Key Information

Vendor
Linux
Status
Linux
Vendor
CVE Published:
9 October 2024

Badges

👾 Exploit Exists
📰 News Worthy

Summary

In the Linux kernel, the following vulnerability has been resolved:

scsi: pm80xx: Set phy->enable_completion only when we wait for it

pm8001_phy_control() populates the enable_completion pointer with a stack address, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and returns. The problem arises when a phy control response comes late. After 300 ms the pm8001_phy_control() function returns and the passed enable_completion stack address is no longer valid. Late phy control response invokes complete() on a dangling enable_completion pointer which leads to a kernel crash.

Affected Version(s)

Linux < 7b1d779647af

Linux < 1da177e4c3f4


CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit exists.

  • First article discovered by prophaze.com

  • Vulnerability published.

Collectors

NVD Database, Mitre Database, 1 News Article(s)