CVE-2024-41088

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description The issue occurs when the mcp251xfd start xmit() function fails, causing the driver to stop processing messages and the interrupt routine to run indefinitely. This can happen when multiple devices share the same SPI interface and there is concurrent access to the bus. The problem is due to tx ring->head incrementing even if mcp251xfd start xmit() fails, resulting in the driver skipping one TX package while expecting a response in mcp251xfd handle tefif one(). Error messages are generated, including [ 441.298819] mcp251xfd spi2.0 can0: ERROR in mcp251xfd start xmit: -16 and [ 441.306498] mcp251xfd spi2.0 can0: Transmit Event FIFO buffer not empty. The issue can be resolved by starting a workqueue to write the tx obj synchronously if err = -EBUSY, and in case of another error, decrementing tx ring->head, removing skb from the echo stack, and dropping the message.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.