Ubuntu.comUB:CVE-2024-26802CVE-2024-26802
In the Linux kernel, the following vulnerability has been resolved: stmmac:
Clear variable when destroying workqueue Currently when suspending driver
and stopping workqueue it is checked whether workqueue is not NULL and if
so, it is destroyed. Function destroy_workqueue() does drain queue and does
clear variable, but it does not set workqueue variable to NULL. This can
cause kernel/module panic if code attempts to clear workqueue that was not
initialized. This scenario is possible when resuming suspended driver in
stmmac_resume(), because there is no handling for failed stmmac_hw_setup(),
which can fail and return if DMA engine has failed to initialize, and
workqueue is initialized after DMA engine. Should DMA engine fail to
initialize, resume will proceed normally, but interface won’t work and TX
queue will eventually timeout, causing ‘Reset adapter’ error. This then
does destroy workqueue during reset process. And since workqueue is
initialized after DMA engine and can be skipped, it will cause
kernel/module panic. To secure against this possible crash, set workqueue
variable to NULL when destroying workqueue. Log/backtrace from crash goes
as follows: [88.031977]------------[ cut here ]------------
[88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out
[88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477
dev_watchdog+0x390/0x398 <Skipping backtrace for watchdog timeout>
[88.032251]—[ end trace e70de432e4d5c2c0 ]— [88.032282]sxgmac
16d88000.ethernet eth0: Reset adapter. [88.036359]------------[ cut here
]------------ [88.036519]Call trace: [88.036523]
flush_workqueue+0x3e4/0x430 [88.036528] drain_workqueue+0xc4/0x160
[88.036533] destroy_workqueue+0x40/0x270 [88.036537]
stmmac_fpe_stop_wq+0x4c/0x70 [88.036541] stmmac_release+0x278/0x280
[88.036546] __dev_close_many+0xcc/0x158 [88.036551]
dev_close_many+0xbc/0x190 [88.036555] dev_close.part.0+0x70/0xc0
[88.036560] dev_close+0x24/0x30 [88.036564] stmmac_service_task+0x110/0x140
[88.036569] process_one_work+0x1d8/0x4a0 [88.036573]
worker_thread+0x54/0x408 [88.036578] kthread+0x164/0x170 [88.036583]
ret_from_fork+0x10/0x20 [88.036588]—[ end trace e70de432e4d5c2c1 ]—
[88.036597]Unable to handle kernel NULL pointer dereference at virtual
address 0000000000000004
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 22.04 | noarch | linux | < 5.15.0-112.122 | UNKNOWN |
| ubuntu | 23.10 | noarch | linux | < any | UNKNOWN |
| ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1063.69 | UNKNOWN |
| ubuntu | 23.10 | noarch | linux-aws | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | linux-aws-5.15 | < 5.15.0-1063.69~20.04.1 | UNKNOWN |
| ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
| ubuntu | 22.04 | noarch | linux-azure | < 5.15.0-1066.75 | UNKNOWN |
| ubuntu | 23.10 | noarch | linux-azure | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | linux-azure-5.15 | < any | UNKNOWN |
| ubuntu | 22.04 | noarch | linux-azure-6.5 | < any | UNKNOWN |
References
git.kernel.org/stable/c/17ccd9798fe0beda3db212cfa3ebe373f605cbd6
git.kernel.org/stable/c/699b103e48ce32d03fc86c35b37ee8ae4288c7e3
git.kernel.org/stable/c/8af411bbba1f457c33734795f024d0ef26d0963f
git.kernel.org/stable/c/8e99556301172465c8fe33c7f78c39a3d4ce8462
git.kernel.org/stable/c/f72cf22dccc94038cbbaa1029cb575bf52e5cbc8
launchpad.net/bugs/cve/CVE-2024-26802
nvd.nist.gov/vuln/detail/CVE-2024-26802
security-tracker.debian.org/tracker/CVE-2024-26802
ubuntu.com/security/notices/USN-6820-1
ubuntu.com/security/notices/USN-6820-2
ubuntu.com/security/notices/USN-6821-1
ubuntu.com/security/notices/USN-6821-2
ubuntu.com/security/notices/USN-6821-3
ubuntu.com/security/notices/USN-6821-4
ubuntu.com/security/notices/USN-6828-1
www.cve.org/CVERecord?id=CVE-2024-26802
Related
