CVE-2024-56593: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-56593 is a NULL pointer dereference vulnerability discovered in the Linux kernel's brcmfmac WiFi driver. The vulnerability was disclosed on December 27, 2024, and affects multiple versions of the Linux kernel from 5.4 up to 6.12.5. The issue occurs in the brcmfsdiodsglistrw() function when a high 'sdsgentry_align' value (e.g., 512) is applied and numerous queued SKBs are sent from the packet queue (NVD).

The vulnerability stems from an insufficient number of entries in the pre-allocated sgtable. The original calculation used the formula nents = max(rxglomsize, txglomsize) + max(rxglomsize, txglomsize) >> 4 + 1, which with default [rt]xglomsize=32 results in only 35 entries. However, the packet queue can potentially contain up to 64 SKBs in worst-case scenarios, particularly when a new SKB is added for each original SKB if tailroom is insufficient to hold tailpad. This mismatch causes the skbqueuewalk loop in brcmfsdiodsglistrw to run out of sg entries, resulting in sgnext returning NULL and causing the system to crash (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a system crash (oops) due to NULL pointer dereference when specific conditions are met in the brcmfmac WiFi driver. This primarily affects system availability and can cause denial of service on affected systems (NVD).

A patch has been released that modifies the calculation of nents to max(rxglomsize, txglomsize) 2, ensuring sufficient entries to handle the worst-case scenario. The fix requires only an additional 464 bytes of memory (64-35=29 16 or 20 if CONFIGNEEDSGDMALENGTH). The patch has been incorporated into multiple kernel versions (Kernel Patch).