CVE-2024-56787: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-56787 affects the Linux kernel's SoC driver for i.MX8M platforms. The vulnerability was discovered when using driverasyncprobe=* kernel command line parameter on i.MX8M Plus hardware, where the soc-imx8m.c driver calls ofclkgetbyname() which returns -EPROBEDEFER because the clock driver is not yet probed. This issue was not detected during regular testing without driverasync_probe. The vulnerability was disclosed on January 8, 2025 (NVD).

The vulnerability stems from improper handling of driver probing sequence in the i.MX8M SoC driver. The issue occurs because the soc-imx8m.c driver attempts to access clock resources before the clock driver is fully initialized when async probing is enabled. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can lead to system instability and potential denial of service on affected i.MX8M Plus systems. The issue manifests as a warning trace in the kernel log, indicating a failure in the SoC driver initialization sequence (Kernel Patch).

The issue has been fixed by converting the SoC code to a platform driver and instantiating a platform device in its current deviceinitcall(). The fix also includes reworking the .socrevision callback to always return valid error codes and return SoC revision via parameter. This ensures that if anything in the .socrevision callback returns -EPROBEDEFER, it gets propagated to .probe and the probe will be retried later (Kernel Patch).