CVE-2024-50239: phy: qcom: qmp-usb-legacy: fix NULL-deref on runtime suspend
First published: Sat Nov 09 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: phy: qcom: qmp-usb-legacy: fix NULL-deref on runtime suspend Commit 413db06c05e7 ("phy: qcom-qmp-usb: clean up probe initialisation") removed most users of the platform device driver data from the qcom-qmp-usb driver, but mistakenly also removed the initialisation despite the data still being used in the runtime PM callbacks. This bug was later reproduced when the driver was copied to create the qmp-usb-legacy driver. Restore the driver data initialisation at probe to avoid a NULL-pointer dereference on runtime suspend. Apparently no one uses runtime PM, which currently needs to be enabled manually through sysfs, with these drivers.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | >=6.6<6.6.60 | |
| Linux Kernel | >=6.7<6.11.7 | |
| Linux Kernel | =6.12-rc1 | |
| Linux Kernel | =6.12-rc2 | |
| Linux Kernel | =6.12-rc3 | |
| Linux Kernel | =6.12-rc4 | |
| Linux Kernel | =6.12-rc5 | |
| debian/linux | 5.10.223-1 5.10.234-1 6.1.129-1 6.1.133-1 6.12.22-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/7e8066811a2c43fbb5f53c2c26d389e4bab9da34
- https://git.kernel.org/stable/c/b1cffd00daa9cf499b49a0da698eff5032914f6e
- https://git.kernel.org/stable/c/29240130ab77c80bea1464317ae2a5fd29c16a0c
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50239
- https://nvd.nist.gov/vuln/detail/CVE-2024-50239
- https://launchpad.net/bugs/cve/CVE-2024-50239
- https://security-tracker.debian.org/tracker/CVE-2024-50239
- https://ubuntu.com/security/CVE-2024-50239
- https://git.kernel.org/linus/29240130ab77c80bea1464317ae2a5fd29c16a0c
Frequently Asked Questions
What is the severity of CVE-2024-50239?
CVE-2024-50239 has not been assigned a specific CVSS score, but it is a critical security issue due to its potential impact on device stability.
How do I fix CVE-2024-50239?
To fix CVE-2024-50239, update the Linux Kernel to a version that includes the commit that addresses this vulnerability.
Which versions of the Linux Kernel are affected by CVE-2024-50239?
CVE-2024-50239 affects Linux Kernel versions specifically between 6.7 and 6.11.7, and 6.12 release candidates up to 6.12-rc5.
What type of vulnerability is CVE-2024-50239?
CVE-2024-50239 is a NULL dereference vulnerability that can occur during the runtime suspension of devices.
When was CVE-2024-50239 resolved?
CVE-2024-50239 was resolved with a commit to the Linux Kernel, addressing the issue related to the qcom-qmp-usb driver.
- agent/title
- agent/type
- agent/first-publish-date
- agent/author
- agent/remedy
- agent/weakness
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- collector/launchpad-cve
- source/Launchpad
- agent/references
- agent/source
- agent/description
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- agent/event
- collector/security-tracker-debian
- source/Debian
- collector/nvd-cve
- vendor/linux
- canonical/linux kernel
- version/linux kernel/6.6
- version/linux kernel/6.7
- version/linux kernel/6.12-rc1
- version/linux kernel/6.12-rc2
- version/linux kernel/6.12-rc3
- version/linux kernel/6.12-rc4
- version/linux kernel/6.12-rc5
- package-manager/debian