CVE-2024-40979

{"id": "CVE-2024-40979", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-07-12T13:15:19.477", "references": [{"url": "https://git.kernel.org/stable/c/303c017821d88ebad887814114d4e5966d320b28", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bb50a4e711ff95348ad53641acb1306d89eb4c3a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/303c017821d88ebad887814114d4e5966d320b28", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/bb50a4e711ff95348ad53641acb1306d89eb4c3a", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-401"}, {"lang": "en", "value": "CWE-763"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix kernel crash during resume\n\nCurrently during resume, QMI target memory is not properly handled, resulting\nin kernel crash in case DMA remap is not supported:\n\nBUG: Bad page state in process kworker/u16:54 pfn:36e80\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36e80\npage dumped because: nonzero _refcount\nCall Trace:\n bad_page\n free_page_is_bad_report\n __free_pages_ok\n __free_pages\n dma_direct_free\n dma_free_attrs\n ath12k_qmi_free_target_mem_chunk\n ath12k_qmi_msg_mem_request_cb\n\nThe reason is:\nOnce ath12k module is loaded, firmware sends memory request to host. In case\nDMA remap not supported, ath12k refuses the first request due to failure in\nallocating with large segment size:\n\nath12k_pci 0000:04:00.0: qmi firmware request memory request\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 7077888\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 8454144\nath12k_pci 0000:04:00.0: qmi dma allocation failed (7077888 B type 1), will try later with small size\nath12k_pci 0000:04:00.0: qmi delays mem_request 2\nath12k_pci 0000:04:00.0: qmi firmware request memory request\n\nLater firmware comes back with more but small segments and allocation\nsucceeds:\n\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 262144\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 65536\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\n\nNow ath12k is working. If suspend is triggered, firmware will be reloaded\nduring resume. As same as before, firmware requests two large segments at\nfirst. In ath12k_qmi_msg_mem_request_cb() segment count and size are\nassigned:\n\n\tab->qmi.mem_seg_count == 2\n\tab->qmi.target_mem[0].size == 7077888\n\tab->qmi.target_mem[1].size == 8454144\n\nThen allocation failed like before and ath12k_qmi_free_target_mem_chunk()\nis called to free all allocated segments. Note the first segment is skipped\nbecause its v.addr is cleared due to allocation failure:\n\n\tchunk->v.addr = dma_alloc_coherent()\n\nAlso note that this leaks that segment because it has not been freed.\n\nWhile freeing the second segment, a size of 8454144 is passed to\ndma_free_coherent(). However remember that this segment is allocated at\nthe first time firmware is loaded, before suspend. So its real size is\n524288, much smaller than 8454144. As a result kernel found we are freeing\nsome memory which is in use and thus cras\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: ath12k: soluciona el fallo del kernel durante la reanudaci\u00f3n Actualmente, durante la reanudaci\u00f3n, la memoria de destino de QMI no se maneja adecuadamente, lo que provoca un fallo del kernel en caso de que no se admita la reasignaci\u00f3n de DMA: ERROR: Estado incorrecto de la p\u00e1gina en proceso kworker/u16:54 pfn:36e80 p\u00e1gina: refcount:1 mapcount:0 mapeo:0000000000000000 index:0x0 pfn:0x36e80 p\u00e1gina descargada porque: distinto de cero _refcount Rastreo de llamadas: bad_page free_page_is_bad_report __free_pages_ok __free_pages dma_direct_free dma_free_attrs a th12k_qmi_free_target_mem_chunk ath12k_qmi_msg_mem_request_cb El motivo es: Una vez ath12k El m\u00f3dulo est\u00e1 cargado, el firmware env\u00eda la solicitud de memoria al host. En caso de que no se admita la reasignaci\u00f3n de DMA, ath12k rechaza la primera solicitud debido a un error en la asignaci\u00f3n con un tama\u00f1o de segmento grande: ath12k_pci 0000:04:00.0: solicitud de firmware qmi solicitud de memoria ath12k_pci 0000:04:00.0: qmi mem seg tipo 1 tama\u00f1o 7077888 ath12k_pci 0000 :04:00.0: qmi mem seg tipo 4 tama\u00f1o 8454144 ath12k_pci 0000:04:00.0: falla en la asignaci\u00f3n de qmi dma (7077888 B tipo 1), lo intentar\u00e9 m\u00e1s tarde con un tama\u00f1o peque\u00f1o ath12k_pci 0000:04:00.0: qmi retrasa mem_request 2 ath12k_pci 0000: 04:00.0: solicitud de memoria de solicitud de firmware qmi El firmware posterior regresa con m\u00e1s segmentos, pero peque\u00f1os, y la asignaci\u00f3n se realiza correctamente: ath12k_pci 0000:04:00.0: qmi mem seg tipo 1 tama\u00f1o 524288 ath12k_pci 0000:04:00.0: qmi mem seg tipo 1 tama\u00f1o 524288 ath12k_pci 0000:04:00.0: qmi mem seg tipo 1 tama\u00f1o 524288 ath12k_pci 0000:04:00.0: qmi mem seg tipo 1 tama\u00f1o 524288 ath12k_pci 0000:04:00.0: qmi mem seg tipo 1 tama\u00f1o 524288 pci 0000:04:00.0:qmi mem seg tipo 1 tama\u00f1o 524288 ath12k_pci 0000:04:00.0: qmi mem seg tipo 1 tama\u00f1o 524288 ath12k_pci 0000:04:00.0: qmi mem seg tipo 1 tama\u00f1o 262144 ath12k_pci 0000:04:00.0: qmi mem seg tipo 1 tama\u00f1o 524288 ath12k_pci 0000 :04:00.0: qmi mem seg tipo 1 tama\u00f1o 524288 ath12k_pci 0000:04:00.0: qmi mem seg tipo 1 tama\u00f1o 524288 ath12k_pci 0000:04:00.0: qmi mem seg tipo 1 tama\u00f1o 524288 ath12k_pci 0000:04:00 .0: segmento de memoria qmi tipo 1 tama\u00f1o 524288 ath12k_pci 0000:04:00.0: qmi mem seg tipo 4 tama\u00f1o 524288 ath12k_pci 0000:04:00.0: qmi mem seg tipo 4 tama\u00f1o 524288 ath12k_pci 0000:04:00.0: qmi mem seg tipo 4 tama\u00f1o 24288 ath12k_pci 0000:04 :00.0: qmi mem seg tipo 4 tama\u00f1o 524288 ath12k_pci 0000:04:00.0: qmi mem seg tipo 4 tama\u00f1o 524288 ath12k_pci 0000:04:00.0: qmi mem seg tipo 4 tama\u00f1o 524288 ath12k_pci 0000:04:00.0: qmi mem seg tipo 4 tama\u00f1o 524288 ath12k_pci 0000:04:00.0: qmi mem seg tipo 4 tama\u00f1o 524288 ath12k_pci 0000:04:00.0: qmi mem seg tipo 4 tama\u00f1o 524288 ath12k_pci 0000:04:00.0: qmi mem seg tipo 4 tama\u00f1o 5242 88 ath12k_pci 0000:04:00.0 : qmi mem seg tipo 4 tama\u00f1o 524288 ath12k_pci 0000:04:00.0: qmi mem seg tipo 4 tama\u00f1o 524288 ath12k_pci 0000:04:00.0: qmi mem seg tipo 4 tama\u00f1o 524288 ath12k_pci 0000:04:00.0: qmi mem se g tipo 4 tama\u00f1o 524288 ath12k_pci 0000:04:00.0: qmi mem seg tipo 4 tama\u00f1o 524288 ath12k_pci 0000:04:00.0: qmi mem seg tipo 4 tama\u00f1o 524288 ath12k_pci 0000:04:00.0: qmi mem seg tipo 4 tama\u00f1o 65536 ci 0000:04:00.0: qmi mem seg tipo 1 tama\u00f1o 524288 Ahora ath12k est\u00e1 funcionando. Si se activa la suspensi\u00f3n, el firmware se recargar\u00e1 durante la reanudaci\u00f3n. Al igual que antes, el firmware solicita dos segmentos grandes al principio. En ath12k_qmi_msg_mem_request_cb() se asigna el recuento y el tama\u00f1o del segmento: ab->qmi.mem_seg_count == 2 ab->qmi.target_mem[0].size == 7077888 ab->qmi.target_mem[1].size == 8454144 Luego, la asignaci\u00f3n fall\u00f3 como antes y se llama a ath12k_qmi_free_target_mem_chunk() para liberar todos los segmentos asignados. ---truncado---"}], "lastModified": "2025-09-17T14:57:57.393", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A4D18378-D3B8-448E-A8B7-1B21462922D2", "versionEndExcluding": "6.9.7", "versionStartIncluding": "6.3"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}