CVE-2023-52771

cxl/port: Fix delete_endpoint() vs parent unregistration race

Severity Score

4.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

cxl/port: Fix delete_endpoint() vs parent unregistration race

The CXL subsystem, at cxl_mem ->probe() time, establishes a lineage of
ports (struct cxl_port objects) between an endpoint and the root of a
CXL topology. Each port including the endpoint port is attached to the
cxl_port driver.

Given that setup, it follows that when either any port in that lineage
goes through a cxl_port ->remove() event, or the memdev goes through a
cxl_mem ->remove() event. The hierarchy below the removed port, or the
entire hierarchy if the memdev is removed needs to come down.

The delete_endpoint() callback is careful to check whether it is being
called to tear down the hierarchy, or if it is only being called to
teardown the memdev because an ancestor port is going through
->remove().

That care needs to take the device_lock() of the endpoint's parent.
Which requires 2 bugs to be fixed:

1/ A reference on the parent is needed to prevent use-after-free
scenarios like this signature:

BUG: spinlock bad magic on CPU#0, kworker/u56:0/11
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc38 05/24/2023
Workqueue: cxl_port detach_memdev [cxl_core]
RIP: 0010:spin_bug+0x65/0xa0
Call Trace:
do_raw_spin_lock+0x69/0xa0
__mutex_lock+0x695/0xb80
delete_endpoint+0xad/0x150 [cxl_core]
devres_release_all+0xb8/0x110
device_unbind_cleanup+0xe/0x70
device_release_driver_internal+0x1d2/0x210
detach_memdev+0x15/0x20 [cxl_core]
process_one_work+0x1e3/0x4c0
worker_thread+0x1dd/0x3d0

2/ In the case of RCH topologies, the parent device that needs to be
locked is not always @port->dev as returned by cxl_mem_find_port(), use
endpoint->dev.parent instead.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cxl/port: corrige delete_endpoint() frente a la ejecución de cancelación del registro principal. El subsistema CXL, en el momento cxl_mem ->probe(), establece un linaje de puertos (objetos struct cxl_port) entre un punto final y la raíz de una topología CXL. Cada puerto, incluido el puerto del punto final, está conectado al controlador cxl_port. Dada esa configuración, se deduce que cuando cualquier puerto en ese linaje pasa por un evento cxl_port ->remove(), o el memdev pasa por un evento cxl_mem ->remove(). La jerarquía debajo del puerto eliminado, o toda la jerarquía si se elimina el memdev, debe bajar. La devolución de llamada delete_endpoint() tiene cuidado de verificar si se llama para derribar la jerarquía o si solo se llama para derribar memdev porque un puerto ancestro está pasando por ->remove(). Ese cuidado debe tenerse en cuenta con el dispositivo_lock() del padre del punto final. Lo que requiere la corrección de 2 errores: 1/ Se necesita una referencia en el padre para evitar escenarios de use after free como esta firma: ERROR: spinlock bad magic en CPU#0, kworker/u56:0/11 Nombre del hardware: QEMU PC estándar (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc38 24/05/2023 Cola de trabajo: cxl_port detach_memdev [cxl_core] RIP: 0010:spin_bug+0x65/0xa0 Seguimiento de llamadas: do_raw_spin_lock+0x69/0xa0 5 /0xb80 delete_endpoint+0xad/0x150 [cxl_core] devres_release_all+0xb8/0x110 device_unbind_cleanup+0xe/0x70 device_release_driver_internal+0x1d2/0x210 detach_memdev+0x15/0x20 [cxl_core] proceso_one_work+0x1e3/0x4c0 _thread+0x1dd/0x3d0 2/ En el caso de RCH topologías, el dispositivo principal que debe bloquearse no siempre es @port->dev como lo devuelve cxl_mem_find_port(); utilice endpoint->dev.parent en su lugar.

*Credits: N/A

CVSS Scores

Red Hatv3.1 4.4

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-21 CVE Reserved
2024-05-21 CVE Published
2024-05-22 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-413: Improper Resource Locking

CAPEC

References (6)

URL	Tag	Source
https://git.kernel.org/stable/c/8dd2bc0f8e02d39bd80851ca787bcbdb7d495e69	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/37179fcc916bce8c3cc7b36d67ef814cce55142b	2023-11-28
https://git.kernel.org/stable/c/6b2e428e673b3f55965674a426c40922e91388aa	2023-11-28
https://git.kernel.org/stable/c/8d2ad999ca3c64cb08cf6a58d227b9d9e746d708	2023-10-28

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-52771	2024-08-28
https://bugzilla.redhat.com/show_bug.cgi?id=2282720	2024-08-28

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.18 < 6.5.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.18 < 6.5.13"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.18 < 6.6.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.18 < 6.6.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.18 < 6.7 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.18 < 6.7"		en		Affected