Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cvelistLinuxCVELIST:CVE-2024-42302
HistoryAug 17, 2024 - 9:09 a.m.

CVE-2024-42302 PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal

2024-08-1709:09:08
Linux
www.cve.org
3
pci/dpc
use-after-free
vulnerability
linux kernel
fix
hot-removal

EPSS

0

Percentile

5.0%

JSON

In the Linux kernel, the following vulnerability has been resolved:

PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal

Keith reports a use-after-free when a DPC event occurs concurrently to
hot-removal of the same portion of the hierarchy:

The dpc_handler() awaits readiness of the secondary bus below the
Downstream Port where the DPC event occurred. To do so, it polls the
config space of the first child device on the secondary bus. If that
child device is concurrently removed, accesses to its struct pci_dev
cause the kernel to oops.

That’s because pci_bridge_wait_for_secondary_bus() neglects to hold a
reference on the child device. Before v6.3, the function was only
called on resume from system sleep or on runtime resume. Holding a
reference wasn’t necessary back then because the pciehp IRQ thread
could never run concurrently. (On resume from system sleep, IRQs are
not enabled until after the resume_noirq phase. And runtime resume is
always awaited before a PCI device is removed.)

However starting with v6.3, pci_bridge_wait_for_secondary_bus() is also
called on a DPC event. Commit 53b54ad074de (“PCI/DPC: Await readiness
of secondary bus after reset”), which introduced that, failed to
appreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a
reference on the child device because dpc_handler() and pciehp may
indeed run concurrently. The commit was backported to v5.10+ stable
kernels, so that’s the oldest one affected.

Add the missing reference acquisition.

Abridged stack trace:

BUG: unable to handle page fault for address: 00000000091400c0
CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0
RIP: pci_bus_read_config_dword+0x17/0x50
pci_dev_wait()
pci_bridge_wait_for_secondary_bus()
dpc_reset_link()
pcie_do_recovery()
dpc_handler()

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/pci/pci.c"
    ],
    "versions": [
      {
        "version": "d0292124bb57",
        "lessThan": "c52f9e1a9eb4",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "ffe2318405e6",
        "lessThan": "2c111413f38c",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "189f856e76f5",
        "lessThan": "f63df70b439b",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "53b54ad074de",
        "lessThan": "2cc8973bdc4d",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "53b54ad074de",
        "lessThan": "b16f3ea1db47",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "53b54ad074de",
        "lessThan": "11a1f4bc4736",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/pci/pci.c"
    ],
    "versions": [
      {
        "version": "6.3",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "6.3",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.224",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.165",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.103",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.44",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.10.3",
        "lessThanOrEqual": "6.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.11",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]

Related

vulnrichment 1
ubuntucve 1
cbl_mariner 1
redhatcve 1
cve 1
nvd 1
osv 5
debiancve 1
nessus 6
photon 2
vulnrichment
vulnrichment
CVE-2024-42302 PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal
2024-08-17 09:09:08
ubuntucve
ubuntucve
CVE-2024-42302
2024-08-17 00:00:00
cbl_mariner
cbl_mariner
CVE-2024-42302 affecting package kernel for versions less than 6.6.47.1-1
2024-08-25 15:13:42
redhatcve
redhatcve
CVE-2024-42302
2024-08-19 14:47:06
cve
cve
CVE-2024-42302
2024-08-17 09:15:10
nvd
nvd
CVE-2024-42302
2024-08-17 09:15:10
osv
osv
CVE-2024-42302
2024-08-17 09:15:10
Security update for the Linux Kernel
2024-09-11 15:39:03
Security update for the Linux Kernel
2024-09-10 08:46:37
debiancve
debiancve
CVE-2024-42302
2024-08-17 09:15:10
nessus
nessus
Photon OS 4.0: Linux PHSA-2024-4.0-0677
2024-09-06 00:00:00
Photon OS 5.0: Linux PHSA-2024-5.0-0359
2024-09-06 00:00:00
SUSE SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2024:3190-1)
2024-09-11 00:00:00
photon
photon
Important Photon OS Security Update - PHSA-2024-4.0-0677
2024-08-28 00:00:00
Important Photon OS Security Update - PHSA-2024-5.0-0359
2024-08-28 00:00:00

EPSS

0

Percentile

5.0%

JSON
Related for CVELIST:CVE-2024-42302
vulnrichment1ubuntucve1cbl_mariner1redhatcve1cve1nvd1osv5debiancve1nessus6photon2