Lucene search

K
cve416baaa9-dc9f-4396-8d5f-8c081fb06d67CVE-2024-35971
HistoryMay 20, 2024 - 10:15 a.m.

CVE-2024-35971

2024-05-2010:15:11
416baaa9-dc9f-4396-8d5f-8c081fb06d67
web.nvd.nist.gov
26
linux kernel
vulnerability
cve-2024-35971
ks8851
hang issue
fix
netif_rx
do_softirq
local_bh_disable
local_bh_enable

6.6 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

10.3%

In the Linux kernel, the following vulnerability has been resolved:

net: ks8851: Handle softirqs at the end of IRQ thread to fix hang

The ks8851_irq() thread may call ks8851_rx_pkts() in case there are
any packets in the MAC FIFO, which calls netif_rx(). This netif_rx()
implementation is guarded by local_bh_disable() and local_bh_enable().
The local_bh_enable() may call do_softirq() to run softirqs in case
any are pending. One of the softirqs is net_rx_action, which ultimately
reaches the driver .start_xmit callback. If that happens, the system
hangs. The entire call chain is below:

ks8851_start_xmit_par from netdev_start_xmit
netdev_start_xmit from dev_hard_start_xmit
dev_hard_start_xmit from sch_direct_xmit
sch_direct_xmit from __dev_queue_xmit
__dev_queue_xmit from __neigh_update
__neigh_update from neigh_update
neigh_update from arp_process.constprop.0
arp_process.constprop.0 from __netif_receive_skb_one_core
__netif_receive_skb_one_core from process_backlog
process_backlog from __napi_poll.constprop.0
__napi_poll.constprop.0 from net_rx_action
net_rx_action from __do_softirq
__do_softirq from call_with_stack
call_with_stack from do_softirq
do_softirq from __local_bh_enable_ip
__local_bh_enable_ip from netif_rx
netif_rx from ks8851_irq
ks8851_irq from irq_thread_fn
irq_thread_fn from irq_thread
irq_thread from kthread
kthread from ret_from_fork

The hang happens because ks8851_irq() first locks a spinlock in
ks8851_par.c ks8851_lock_par() spin_lock_irqsave(&ksp->lock, …)
and with that spinlock locked, calls netif_rx(). Once the execution
reaches ks8851_start_xmit_par(), it calls ks8851_lock_par() again
which attempts to claim the already locked spinlock again, and the
hang happens.

Move the do_softirq() call outside of the spinlock protected section
of ks8851_irq() by disabling BHs around the entire spinlock protected
section of ks8851_irq() handler. Place local_bh_enable() outside of
the spinlock protected section, so that it can trigger do_softirq()
without the ks8851_par.c ks8851_lock_par() spinlock being held, and
safely call ks8851_start_xmit_par() without attempting to lock the
already locked spinlock.

Since ks8851_irq() is protected by local_bh_disable()/local_bh_enable()
now, replace netif_rx() with __netif_rx() which is not duplicating the
local_bh_disable()/local_bh_enable() calls.

Affected configurations

Vulners
Node
linuxlinux_kernelRange5.86.1.87
OR
linuxlinux_kernelRange6.2.06.6.28
OR
linuxlinux_kernelRange6.7.06.8.7
OR
linuxlinux_kernelRange6.9.0

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/net/ethernet/micrel/ks8851_common.c"
    ],
    "versions": [
      {
        "version": "797047f875b5",
        "lessThan": "492337a4fbd1",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "797047f875b5",
        "lessThan": "cba376eb036c",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "797047f875b5",
        "lessThan": "49d5d70538b6",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "797047f875b5",
        "lessThan": "be0384bf599c",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/net/ethernet/micrel/ks8851_common.c"
    ],
    "versions": [
      {
        "version": "5.8",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.8",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.87",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.28",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.8.7",
        "lessThanOrEqual": "6.8.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.9",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]

6.6 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

10.3%