

CVE-2025-21799

Description

In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns()

When getting the IRQ we use k3_udma_glue_tx_get_irq() which returns a negative error value on error. So a not-NULL check is not sufficient to determine if the IRQ is valid. Check that the IRQ is greater than zero to ensure it is valid.

There is no issue at probe time but at runtime the user can invoke .set_channels which results in the following call chain.

am65_cpsw_set_channels()
 am65_cpsw_nuss_update_tx_rx_chns()
  am65_cpsw_nuss_remove_tx_chns()
  am65_cpsw_nuss_init_tx_chns()

At this point if am65_cpsw_nuss_init_tx_chns() fails due to k3_udma_glue_tx_get_irq() then tx_chn->irq will be set to a negative value.

Then, at a subsequent .set_channels with a higher channel count we will attempt to free an invalid IRQ in am65_cpsw_nuss_remove_tx_chns(), leading to a kernel warning.

The issue is present in the original commit that introduced this driver, although there, am65_cpsw_nuss_update_tx_rx_chns() existed as am65_cpsw_nuss_update_tx_chns().
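The check described above can be reproduced in a small user-space model. This is an added example, not the driver's code: every function and struct name below is a hypothetical stand-in, and the IRQ number 42 and the -ENXIO error are constructed sample values.

```c
#include <errno.h>
#include <stdio.h>

/* User-space model only; names are hypothetical stand-ins for the driver. */
struct tx_chn { int irq; };

static int freed_invalid; /* frees of a value that was never a real IRQ */
static int freed_valid;   /* frees of a successfully obtained IRQ */

/* Models an IRQ lookup that returns a negative errno on failure. */
static int model_get_irq(int fail) { return fail ? -ENXIO : 42; }

/* Models the IRQ free path: a non-positive number is the invalid free. */
static void model_free_irq(int irq)
{
    if (irq <= 0) freed_invalid++;
    else freed_valid++;
}

/* Init stores the lookup result, so a failure leaves irq negative. */
static int model_init_tx_chn(struct tx_chn *c, int fail)
{
    c->irq = model_get_irq(fail);
    return c->irq < 0 ? c->irq : 0;
}

/* Before the fix: a non-zero test treats -ENXIO as a valid IRQ. */
static void remove_tx_chn_buggy(struct tx_chn *c)
{
    if (c->irq) model_free_irq(c->irq);
}

/* After the fix: only a value greater than zero is a valid IRQ. */
static void remove_tx_chn_fixed(struct tx_chn *c)
{
    if (c->irq > 0) model_free_irq(c->irq);
}

/* Replays init followed by a later remove; returns the invalid-free count. */
static int replay(int use_fixed, int fail)
{
    struct tx_chn c = { 0 };
    freed_invalid = freed_valid = 0;
    model_init_tx_chn(&c, fail);
    if (use_fixed) remove_tx_chn_fixed(&c); else remove_tx_chn_buggy(&c);
    return freed_invalid;
}

int main(void)
{
    printf("buggy: %d invalid free(s)\n", replay(0, 1));
    printf("fixed: %d invalid free(s)\n", replay(1, 1));
    return 0;
}
```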

POC

Reference

No PoCs from references.

Github

- https://github.com/w4zu/Debian_security