CVE-2024-58004
Published: 27 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:
media: intel/ipu6: remove cpu latency qos request on error
Fix cpu latency qos list corruption like below. It happens when we do not remove cpu latency request on error path and free corresponding memory.
[ 30.634378] l7 kernel: list_add corruption. prev->next should be next (ffffffff9645e960), but was 0000000100100001. (prev=ffff8e9e877e20a8).
[ 30.634388] l7 kernel: WARNING: CPU: 2 PID: 2008 at lib/list_debug.c:32 __list_add_valid_or_report+0x83/0xa0
<snip>
[ 30.634640] l7 kernel: Call Trace:
[ 30.634650] l7 kernel: <TASK>
[ 30.634659] l7 kernel: ? __list_add_valid_or_report+0x83/0xa0
[ 30.634669] l7 kernel: ? __warn.cold+0x93/0xf6
[ 30.634678] l7 kernel: ? __list_add_valid_or_report+0x83/0xa0
[ 30.634690] l7 kernel: ? report_bug+0xff/0x140
[ 30.634702] l7 kernel: ? handle_bug+0x58/0x90
[ 30.634712] l7 kernel: ? exc_invalid_op+0x17/0x70
[ 30.634723] l7 kernel: ? asm_exc_invalid_op+0x1a/0x20
[ 30.634733] l7 kernel: ? __list_add_valid_or_report+0x83/0xa0
[ 30.634742] l7 kernel: plist_add+0xdd/0x140
[ 30.634754] l7 kernel: pm_qos_update_target+0xa0/0x1f0
[ 30.634764] l7 kernel: cpu_latency_qos_update_request+0x61/0xc0
[ 30.634773] l7 kernel: intel_dp_aux_xfer+0x4c7/0x6e0 [i915 1f824655ed04687c2b0d23dbce759fa785f6d033]
Security Summary
CVE-2024-58004 is a vulnerability in the Linux kernel's media subsystem, specifically the Intel IPU6 driver. The issue arises from a failure to remove a CPU latency QoS request on error paths before freeing the corresponding memory, leading to CPU latency QoS list corruption. This manifests as a list_add corruption error, as evidenced by kernel warnings such as "list_add corruption. prev->next should be next (ffffffff9645e960), but was 0000000100100001," triggered during operations like intel_dp_aux_xfer in the i915 driver. The vulnerability is classified under CWE-787 (Out-of-bounds Write) with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by triggering the error path in the Intel IPU6 driver. Exploitation requires low complexity and no user interaction, potentially allowing the attacker to corrupt kernel QoS lists. This can result in high-impact consequences, including unauthorized access to sensitive data (high confidentiality), modification of system integrity (high integrity), and disruption of system availability (high availability), such as kernel panics or further compromise.
Mitigation involves applying upstream patches from the Linux kernel stable repository, including commits such as 1496ec94bd38bdb25ca13b1dd4f8e7a6176ea89d, 95275736185ecb71dc97a71d8d9d19e4ffb0a9eb, and facb541ff0805314e0b56e508f7d3cbd07af513c, which fix the QoS request removal on error paths in the ipu6 driver. Security practitioners should update affected Linux kernels to incorporate these fixes.
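For triage on systems not yet patched, the following added example (not part of the CVE record or of the kernel fix) parses kernel log lines in the format quoted in the description and flags list-corruption reports whose reliable stack frames pass through the plist and CPU latency QoS helpers. The reporting caller (i915 in the quoted trace) is the code that hit the corrupted list, not necessarily the driver that left the stale request behind. The names `triage`, `SAMPLE_LOG` and the `foo_*` symbols are assumptions made for this example.

```python
import re

LINE = re.compile(r"^\[\s*([\d.]+)\]\s+\S+\s+kernel:\s+(.*)$")
FRAME = re.compile(r"^(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
CORRUPT = re.compile(r"^list_(add|del) corruption")

# Constructed sample: the first report is abridged from the trace in the description;
# the second report and its symbol names (foo_*) are made up for contrast.
SAMPLE_LOG = """\
[ 30.634378] l7 kernel: list_add corruption. prev->next should be next (ffffffff9645e960), but was 0000000100100001. (prev=ffff8e9e877e20a8).
[ 30.634388] l7 kernel: WARNING: CPU: 2 PID: 2008 at lib/list_debug.c:32 __list_add_valid_or_report+0x83/0xa0
[ 30.634640] l7 kernel: Call Trace:
[ 30.634650] l7 kernel: <TASK>
[ 30.634659] l7 kernel: ? __list_add_valid_or_report+0x83/0xa0
[ 30.634742] l7 kernel: plist_add+0xdd/0x140
[ 30.634754] l7 kernel: pm_qos_update_target+0xa0/0x1f0
[ 30.634764] l7 kernel: cpu_latency_qos_update_request+0x61/0xc0
[ 30.634773] l7 kernel: intel_dp_aux_xfer+0x4c7/0x6e0 [i915 1f824655ed04687c2b0d23dbce759fa785f6d033]
[ 30.634800] l7 kernel: </TASK>
[ 95.100000] l7 kernel: list_del corruption. prev->next should be ffff000000000010, but was dead000000000100
[ 95.100030] l7 kernel: foo_remove+0x21/0x60
[ 95.100040] l7 kernel: foo_release+0x10/0x30
"""

def triage(log_text):
    """One record per list-corruption report; qos_list is True when the reliable
    frames pass through plist_* and pm_qos_*/cpu_latency_qos_* helpers."""
    events, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.groups()
        if CORRUPT.match(msg):
            current = {"time": float(ts), "frames": []}
            events.append(current)
        elif msg == "</TASK>":
            current = None  # end of this report's call trace
        elif current is not None:
            f = FRAME.match(msg)
            if f and not f.group(1):  # drop "?" (unreliable) entries
                current["frames"].append(f.group(2))
    for ev in events:
        fr = ev["frames"]
        qos = [i for i, s in enumerate(fr) if s.startswith(("pm_qos_", "cpu_latency_qos_"))]
        ev["qos_list"] = bool(qos) and any(s.startswith("plist_") for s in fr)
        # The frame after the last QoS helper is the caller that hit the corrupted list.
        ev["caller"] = fr[qos[-1] + 1] if qos and qos[-1] + 1 < len(fr) else None
    return events
```

A report with `qos_list` set matches the symptom described here; confirming the root cause still requires checking whether the running kernel includes the ipu6 fix commits listed above.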
Details
- CWE(s)