Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cve416baaa9-dc9f-4396-8d5f-8c081fb06d67CVE-2024-35971
HistoryMay 20, 2024 - 10:15 a.m.

CVE-2024-35971

2024-05-2010:15:11
416baaa9-dc9f-4396-8d5f-8c081fb06d67
web.nvd.nist.gov
26
linux kernel
vulnerability
cve-2024-35971
ks8851
hang issue
fix
netif_rx
do_softirq
local_bh_disable
local_bh_enable

6.6 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

10.3%

JSON

In the Linux kernel, the following vulnerability has been resolved:

net: ks8851: Handle softirqs at the end of IRQ thread to fix hang

The ks8851_irq() thread may call ks8851_rx_pkts() in case there are
any packets in the MAC FIFO, which calls netif_rx(). This netif_rx()
implementation is guarded by local_bh_disable() and local_bh_enable().
The local_bh_enable() may call do_softirq() to run softirqs in case
any are pending. One of the softirqs is net_rx_action, which ultimately
reaches the driver .start_xmit callback. If that happens, the system
hangs. The entire call chain is below:

ks8851_start_xmit_par from netdev_start_xmit
netdev_start_xmit from dev_hard_start_xmit
dev_hard_start_xmit from sch_direct_xmit
sch_direct_xmit from __dev_queue_xmit
__dev_queue_xmit from __neigh_update
__neigh_update from neigh_update
neigh_update from arp_process.constprop.0
arp_process.constprop.0 from __netif_receive_skb_one_core
__netif_receive_skb_one_core from process_backlog
process_backlog from __napi_poll.constprop.0
__napi_poll.constprop.0 from net_rx_action
net_rx_action from __do_softirq
__do_softirq from call_with_stack
call_with_stack from do_softirq
do_softirq from __local_bh_enable_ip
__local_bh_enable_ip from netif_rx
netif_rx from ks8851_irq
ks8851_irq from irq_thread_fn
irq_thread_fn from irq_thread
irq_thread from kthread
kthread from ret_from_fork

The hang happens because ks8851_irq() first locks a spinlock in
ks8851_par.c ks8851_lock_par() spin_lock_irqsave(&ksp->lock, …)
and with that spinlock locked, calls netif_rx(). Once the execution
reaches ks8851_start_xmit_par(), it calls ks8851_lock_par() again
which attempts to claim the already locked spinlock again, and the
hang happens.

Move the do_softirq() call outside of the spinlock protected section
of ks8851_irq() by disabling BHs around the entire spinlock protected
section of ks8851_irq() handler. Place local_bh_enable() outside of
the spinlock protected section, so that it can trigger do_softirq()
without the ks8851_par.c ks8851_lock_par() spinlock being held, and
safely call ks8851_start_xmit_par() without attempting to lock the
already locked spinlock.

Since ks8851_irq() is protected by local_bh_disable()/local_bh_enable()
now, replace netif_rx() with __netif_rx() which is not duplicating the
local_bh_disable()/local_bh_enable() calls.

Affected configurations

Vulners
Node
linuxlinux_kernelRange5.86.1.87
OR
linuxlinux_kernelRange6.2.06.6.28
OR
linuxlinux_kernelRange6.7.06.8.7
OR
linuxlinux_kernelRange6.9.0

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/net/ethernet/micrel/ks8851_common.c"
    ],
    "versions": [
      {
        "version": "797047f875b5",
        "lessThan": "492337a4fbd1",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "797047f875b5",
        "lessThan": "cba376eb036c",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "797047f875b5",
        "lessThan": "49d5d70538b6",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "797047f875b5",
        "lessThan": "be0384bf599c",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/net/ethernet/micrel/ks8851_common.c"
    ],
    "versions": [
      {
        "version": "5.8",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.8",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.87",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.28",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.8.7",
        "lessThanOrEqual": "6.8.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.9",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]

Related

redhatcve 1
debiancve 1
cvelist 1
nvd 1
ubuntucve 1
vulnrichment 1
redhatcve
redhatcve
CVE-2024-35971
2024-05-20 17:10:42
debiancve
debiancve
CVE-2024-35971
2024-05-20 10:15:11
cvelist
cvelist
CVE-2024-35971 net: ks8851: Handle softirqs at the end of IRQ thread to fix hang
2024-05-20 09:41:59
nvd
nvd
CVE-2024-35971
2024-05-20 10:15:11
ubuntucve
ubuntucve
CVE-2024-35971
2024-05-20 00:00:00
vulnrichment
vulnrichment
CVE-2024-35971 net: ks8851: Handle softirqs at the end of IRQ thread to fix hang
2024-05-20 09:41:59

6.6 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

10.3%

JSON
Related for CVE-2024-35971
redhatcve1debiancve1cvelist1nvd1ubuntucve1vulnrichment1