PT-2024-36900 · Linux+7 · Linux Kernel+7
Published: 2024-12-27 · Updated: 2026-04-13 · CVE-2024-56593
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.6.74
Description
A NULL pointer dereference bug in the brcmfmac module occurs when a high 'sd_sgentry_align' value applies and a lot of queued SKBs are sent from the pkt queue. The problem is the number of entries in the pre-allocated sgtable, which is too small. In the worst case, the pkt queue can end up with 64 SKBs, causing the "skb_queue_walk loop" in brcmf_sdiod_sglist_rw to run out of sg entries, making sg_next return NULL and causing an oops. The patch sets nents to max(rxglom_size, txglom_size) * 2 to handle the worst case.
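The sizing problem described above, as an added user-space model in C (not the kernel's or the patch's code). The names `sg_entry`, `model_sg_next`, `fixed_nents` and `map_queue` are hypothetical, and the glom size of 32, the undersized table of 40 entries and the one-entry-per-SKB rule are assumptions chosen to match the 64-SKB worst case.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space model, not kernel code: a fixed table whose last entry ends the list. */
struct sg_entry { const void *buf; size_t len; int is_last; };

/* Like sg_next in the description: stepping past the last entry yields NULL. */
static struct sg_entry *model_sg_next(struct sg_entry *sg)
{
    return sg->is_last ? NULL : sg + 1;
}

/* Table size after the fix, as stated in the description. */
unsigned int fixed_nents(unsigned int rxglom_size, unsigned int txglom_size)
{
    unsigned int m = rxglom_size > txglom_size ? rxglom_size : txglom_size;
    return m * 2;
}

/* Walk `queued` packets, using one sg entry per packet (assumption).
 * Returns the number mapped, or -1 where the table runs out of entries,
 * which is where a walk without the NULL check would oops. */
int map_queue(struct sg_entry *table, unsigned int nents, unsigned int queued)
{
    static const char payload[4];      /* constructed stand-in for SKB data */
    struct sg_entry *sg = table;
    unsigned int i;

    if (nents == 0) return queued ? -1 : 0;
    for (i = 0; i < nents; i++)
        table[i].is_last = (i == nents - 1);

    for (i = 0; i < queued; i++) {
        if (sg == NULL)                /* the bounds check an unchecked walk lacks */
            return -1;
        sg->buf = payload;
        sg->len = sizeof(payload);
        sg = model_sg_next(sg);
    }
    return (int)queued;
}

int main(void)
{
    struct sg_entry t[64];
    printf("undersized (40 entries, 64 SKBs): %d\n", map_queue(t, 40, 64));
    printf("fixed (%u entries, 64 SKBs): %d\n", fixed_nents(32, 32), map_queue(t, fixed_nents(32, 32), 64));
    return 0;
}
```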
Recommendations
Update to Linux kernel version 6.6.74 or later to fix the NULL pointer dereference bug in the brcmfmac module. As a temporary workaround, consider disabling the brcmf_sdiod_sglist_rw function until a patch is available. Restrict access to the vulnerable module brcmfmac to minimize the risk of exploitation. Avoid using high 'sd_sgentry_align' values until the issue is resolved.
Exploit
Fix
NULL Pointer Dereference
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Debian
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu