In the Linux kernel, the following vulnerability has been resolved:
s390/qeth: Fix kernel panic after setting hsuid
Symptom:
When the hsuid attribute is set for the first time on an IQD Layer3
device while the corresponding network interface is already UP,
the kernel will try to execute a napi function pointer that is NULL.
Analysis:
There is one napi structure per out_q: card->qdio.out_qs[i].napi
The napi.poll functions are set during qeth_open().
Since commit 1cfef80d4c2b (“s390/qeth: Don’t call dev_close/dev_open (DOWN/UP)”)
qeth_set_offline()/qeth_set_online() no longer call dev_close()/dev_open().
So if qeth_free_qdio_queues() cleared card->qdio.out_qs[i].napi.poll while
the network interface was UP and the card was offline, they are not set again.
Reproduction:
chzdev -e $devno layer2=0
ip link set dev $network_interface up
echo 0 > /sys/bus/ccw
—truncated—
[
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/s390/net/qeth_core_main.c"
],
"versions": [
{
"version": "64e3affee288",
"lessThan": "8792b557eb50",
"status": "affected",
"versionType": "git"
},
{
"version": "86818409f989",
"lessThan": "10cb803aff3b",
"status": "affected",
"versionType": "git"
},
{
"version": "1cfef80d4c2b",
"lessThan": "e28dd1e1bf3e",
"status": "affected",
"versionType": "git"
},
{
"version": "1cfef80d4c2b",
"lessThan": "eae0aec24571",
"status": "affected",
"versionType": "git"
},
{
"version": "1cfef80d4c2b",
"lessThan": "8a2e4d37afb8",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/s390/net/qeth_core_main.c"
],
"versions": [
{
"version": "6.5",
"status": "affected"
},
{
"version": "0",
"lessThan": "6.5",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.15.159",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.1.91",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.6.31",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.8.10",
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.9",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
]
git.kernel.org/stable/c/10cb803aff3b11fe0bd5f274fc1c231a43e88df6
git.kernel.org/stable/c/8792b557eb50b986f2496156d486d0c7c85a1524
git.kernel.org/stable/c/8a2e4d37afb8500b276e5ee903dee06f50ab0494
git.kernel.org/stable/c/e28dd1e1bf3ebb52cdb877fb359e8978a51576e3
git.kernel.org/stable/c/eae0aec245712c52a3ce9c05575b541a9eef5282