CVE-2024-42242: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability in the Linux kernel's MMC SDHCI driver has been identified and assigned CVE-2024-42242. The issue relates to incorrect handling of maximum segment size settings when PAGE_SIZE is 64KiB. The vulnerability was discovered and patched in July 2024, affecting Linux kernel versions from 6.9 up to (excluding) 6.9.10 (NVD).

The vulnerability stems from a mismatch between block layer requirements and SDHCI driver implementation. The block layer's blkvalidatelimits() function requires maxsegmentsize to be at least PAGESIZE, while the SDHCI driver was setting it too low in certain circumstances. The issue specifically affects systems with 64KiB PAGESIZE, where some controllers that don't support "zero means 65536" were limited to 65535 bytes. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability could lead to availability impacts on affected systems. When triggered, it could cause system errors due to the mismatch between the block layer's requirements and the SDHCI driver's segment size settings (NVD).

The vulnerability has been fixed in the Linux kernel through a patch that ensures the maximum segment size is set to at least PAGESIZE when necessary. The fix includes additional logic in the SDHCI driver to handle cases where the maximum segment size would be set below PAGESIZE (Kernel Patch).