CVE-2024-57992
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/02/2025
Last modified:
27/02/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
wifi: wilc1000: unregister wiphy only if it has been registered<br />
<br />
There is a specific error path in probe functions in wilc drivers (both<br />
sdio and spi) which can lead to kernel panic, as this one for example<br />
when using SPI:<br />
<br />
Unable to handle kernel paging request at virtual address 9f000000 when read<br />
[9f000000] *pgd=00000000<br />
Internal error: Oops: 5 [#1] ARM<br />
Modules linked in: wilc1000_spi(+) crc_itu_t crc7 wilc1000 cfg80211 bluetooth ecdh_generic ecc<br />
CPU: 0 UID: 0 PID: 106 Comm: modprobe Not tainted 6.13.0-rc3+ #22<br />
Hardware name: Atmel SAMA5<br />
PC is at wiphy_unregister+0x244/0xc40 [cfg80211]<br />
LR is at wiphy_unregister+0x1c0/0xc40 [cfg80211]<br />
[...]<br />
wiphy_unregister [cfg80211] from wilc_netdev_cleanup+0x380/0x494 [wilc1000]<br />
wilc_netdev_cleanup [wilc1000] from wilc_bus_probe+0x360/0x834 [wilc1000_spi]<br />
wilc_bus_probe [wilc1000_spi] from spi_probe+0x15c/0x1d4<br />
spi_probe from really_probe+0x270/0xb2c<br />
really_probe from __driver_probe_device+0x1dc/0x4e8<br />
__driver_probe_device from driver_probe_device+0x5c/0x140<br />
driver_probe_device from __driver_attach+0x220/0x540<br />
__driver_attach from bus_for_each_dev+0x13c/0x1a8<br />
bus_for_each_dev from bus_add_driver+0x2a0/0x6a4<br />
bus_add_driver from driver_register+0x27c/0x51c<br />
driver_register from do_one_initcall+0xf8/0x564<br />
do_one_initcall from do_init_module+0x2e4/0x82c<br />
do_init_module from load_module+0x59a0/0x70c4<br />
load_module from init_module_from_file+0x100/0x148<br />
init_module_from_file from sys_finit_module+0x2fc/0x924<br />
sys_finit_module from ret_fast_syscall+0x0/0x1c<br />
<br />
The issue can easily be reproduced, for example by not wiring correctly<br />
a wilc device through SPI (and so, make it unresponsive to early SPI<br />
commands). It is due to a recent change decoupling wiphy allocation from<br />
wiphy registration, however wilc_netdev_cleanup has not been updated<br />
accordingly, letting it possibly call wiphy unregister on a wiphy which<br />
has never been registered.<br />
<br />
Fix this crash by moving wiphy_unregister/wiphy_free out of<br />
wilc_netdev_cleanup, and by adjusting error paths in both drivers