CVE - CVE-2024-56593

CVE-ID
CVE-2024-56593	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix oops due to NULL pointer dereference in brcmf_sdiod_sglist_rw() This patch fixes a NULL pointer dereference bug in brcmfmac that occurs when a high 'sd_sgentry_align' value applies (e.g. 512) and a lot of queued SKBs are sent from the pkt queue. The problem is the number of entries in the pre-allocated sgtable, it is nents = max(rxglom_size, txglom_size) + max(rxglom_size, txglom_size) >> 4 + 1. Given the default [rt]xglom_size=32 it's actually 35 which is too small. Worst case, the pkt queue can end up with 64 SKBs. This occurs when a new SKB is added for each original SKB if tailroom isn't enough to hold tail_pad. At least one sg entry is needed for each SKB. So, eventually the "skb_queue_walk loop" in brcmf_sdiod_sglist_rw may run out of sg entries. This makes sg_next return NULL and this causes the oops. The patch sets nents to max(rxglom_size, txglom_size) * 2 to be able handle the worst-case. Btw. this requires only 64-35=29 * 16 (or 20 if CONFIG_NEED_SG_DMA_LENGTH) = 464 additional bytes of memory.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://git.kernel.org/stable/c/07c020c6d14d29e5a3ea4e4576b8ecf956a80834 URL:https://git.kernel.org/stable/c/07c020c6d14d29e5a3ea4e4576b8ecf956a80834 MISC:https://git.kernel.org/stable/c/342f87d263462c2670b77ea9a32074cab2ac6fa1 URL:https://git.kernel.org/stable/c/342f87d263462c2670b77ea9a32074cab2ac6fa1 MISC:https://git.kernel.org/stable/c/34941321b516bd7c6103bd01287d71a1804d19d3 URL:https://git.kernel.org/stable/c/34941321b516bd7c6103bd01287d71a1804d19d3 MISC:https://git.kernel.org/stable/c/67a25ea28f8ec1da8894f2f115d01d3becf67dc7 URL:https://git.kernel.org/stable/c/67a25ea28f8ec1da8894f2f115d01d3becf67dc7 MISC:https://git.kernel.org/stable/c/7522d7d745d13fbeff3350fe6aa56c8dae263571 URL:https://git.kernel.org/stable/c/7522d7d745d13fbeff3350fe6aa56c8dae263571 MISC:https://git.kernel.org/stable/c/857282b819cbaa0675aaab1e7542e2c0579f52d7 URL:https://git.kernel.org/stable/c/857282b819cbaa0675aaab1e7542e2c0579f52d7 MISC:https://git.kernel.org/stable/c/dfb3f9d3f602602de208da7bdcc0f6d5ee74af68 URL:https://git.kernel.org/stable/c/dfb3f9d3f602602de208da7bdcc0f6d5ee74af68
Assigning CNA
kernel.org
Date Record Created
20241227	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20241227)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)