CVE-2023-52617

PCI: switchtec: Fix stdev_release() crash after surprise hot remove

Severity Score

4.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

PCI: switchtec: Fix stdev_release() crash after surprise hot remove

A PCI device hot removal may occur while stdev->cdev is held open. The call
to stdev_release() then happens during close or exit, at a point way past
switchtec_pci_remove(). Otherwise the last ref would vanish with the
trailing put_device(), just before return.

At that later point in time, the devm cleanup has already removed the
stdev->mmio_mrpc mapping. Also, the stdev->pdev reference was not a counted
one. Therefore, in DMA mode, the iowrite32() in stdev_release() will cause
a fatal page fault, and the subsequent dma_free_coherent(), if reached,
would pass a stale &stdev->pdev->dev pointer.

Fix by moving MRPC DMA shutdown into switchtec_pci_remove(), after
stdev_kill(). Counting the stdev->pdev ref is now optional, but may prevent
future accidents.

Reproducible via the script at
https://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: PCI: switchtec: corrige el bloqueo de stdev_release() después de una eliminación sorpresa en caliente. Puede ocurrir una eliminación en caliente del dispositivo PCI mientras stdev->cdev se mantiene abierto. La llamada a stdev_release() ocurre durante el cierre o la salida, en un punto mucho más allá de switchtec_pci_remove(). De lo contrario, la última referencia desaparecería con el put_device() final, justo antes del retorno. En ese momento posterior, la limpieza devm ya eliminó la asignación stdev->mmio_mrpc. Además, la referencia stdev->pdev no se contaba. Por lo tanto, en modo DMA, iowrite32() en stdev_release() causará un error de página fatal, y el dma_free_coherent() posterior, si se alcanza, pasaría un puntero &stdev->pdev->dev obsoleto. Para solucionarlo, mueva el apagado de MRPC DMA a switchtec_pci_remove(), después de stdev_kill(). Contar stdev->pdev ref ahora es opcional, pero puede evitar accidentes futuros. Reproducible a través del script en https://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com

*Credits: N/A

CVSS Scores

CISAv3.1 4.4

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-03-06 CVE Reserved
2024-03-18 CVE Published
2024-03-19 EPSS Updated
2024-11-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (8)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/d8c293549946ee5078ed0ab77793cec365559355	2024-02-23
https://git.kernel.org/stable/c/4a5d0528cf19dbf060313dffbe047bc11c90c24c	2024-02-23
https://git.kernel.org/stable/c/ff1c7e2fb9e9c3f53715fbe04d3ac47b80be7eb8	2024-02-23
https://git.kernel.org/stable/c/1d83c85922647758c1f1e4806a4c5c3cf591a20a	2024-02-05
https://git.kernel.org/stable/c/0233b836312e39a3c763fb53512b3fa455b473b3	2024-02-05
https://git.kernel.org/stable/c/e129c7fa7070fbce57feb0bfc5eaa65eef44b693	2024-02-05
https://git.kernel.org/stable/c/df25461119d987b8c81d232cfe4411e91dcabe66	2023-11-22

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.4.269 Search vendor "Linux" for product "Linux Kernel" and version " < 5.4.269"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.10.210 Search vendor "Linux" for product "Linux Kernel" and version " < 5.10.210"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.15.149 Search vendor "Linux" for product "Linux Kernel" and version " < 5.15.149"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.1.77 Search vendor "Linux" for product "Linux Kernel" and version " < 6.1.77"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.6.16 Search vendor "Linux" for product "Linux Kernel" and version " < 6.6.16"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.7.4 Search vendor "Linux" for product "Linux Kernel" and version " < 6.7.4"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.8 Search vendor "Linux" for product "Linux Kernel" and version " < 6.8"		en		Affected