CVE-2024-56754: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-56754 is a vulnerability discovered in the Linux kernel's crypto subsystem, specifically in the CAAM (Cryptographic Acceleration and Assurance Module) driver. The vulnerability was disclosed on December 29, 2024, and involves an incorrect pointer type being passed to the caam_qi_shutdown() function. The issue affects various Linux kernel versions and their distributions (NVD).

The vulnerability stems from a type mismatch in the CAAM driver implementation. The devm_add_action_or_reset() function was receiving a parameter of type 'struct caam_drv_private *', but in caam_qi_shutdown(), it was being incorrectly cast to 'struct device *'. This mismatch could prevent resources from being properly released during shutdown. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability affects resource management during system shutdown, potentially leading to resource leaks when the CAAM crypto driver is being unloaded or the system is shutting down. The CVSS score indicates that while the vulnerability requires local access and low privileges, it could result in high availability impact to the affected system (NVD).

A fix has been implemented by correcting the parameter passed to devm_add_action_or_reset(), ensuring that qidev is passed instead of ctrlpriv. This fix has been merged into various kernel versions and is available through distribution updates. Ubuntu has already implemented fixes for version 24.10 (oracular) and is working on updates for other affected versions (Ubuntu).