// For flags

CVE-2024-26761

cxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window

Severity Score

4.4
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved: cxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window The Linux CXL subsystem is built on the assumption that HPA == SPA.
That is, the host physical address (HPA) the HDM decoder registers are
programmed with are system physical addresses (SPA). During HDM decoder setup, the DVSEC CXL range registers (cxl-3.1,
8.1.3.8) are checked if the memory is enabled and the CXL range is in
a HPA window that is described in a CFMWS structure of the CXL host
bridge (cxl-3.1, 9.18.1.3). Now, if the HPA is not an SPA, the CXL range does not match a CFMWS
window and the CXL memory range will be disabled then. The HDM decoder
stops working which causes system memory being disabled and further a
system hang during HDM decoder initialization, typically when a CXL
enabled kernel boots. Prevent a system hang and do not disable the HDM decoder if the
decoder's CXL range is not found in a CFMWS window. Note the change only fixes a hardware hang, but does not implement
HPA/SPA translation. Support for this can be added in a follow on
patch series.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: cxl/pci: corrige la desactivación de la memoria si el rango DVSEC CXL no coincide con una ventana CFMWS. El subSYSTEM Linux CXL se basa en el supuesto de que HPA == SPA. Es decir, la dirección física del host (HPA) con la que están programados los registros del decodificador HDM son direcciones físicas del SYSTEM (SPA). Durante la configuración del decodificador HDM, los registros de rango DVSEC CXL (cxl-3.1, 8.1.3.8) se verifican si la memoria está habilitada y el rango CXL está en una ventana HPA que se describe en una estructura CFMWS del puente de host CXL (cxl- 3.1, 9.18.1.3). Ahora, si el HPA no es un SPA, el rango CXL no coincide con una ventana CFMWS y el rango de memoria CXL se desactivará en ese momento. El descodificador HDM deja de funcionar, lo que provoca que la memoria del SYSTEM se desactive y, además, el SYSTEM se cuelgue durante la inicialización del descodificador HDM, normalmente cuando se inicia un kernel habilitado para CXL. Evite que el SYSTEM se cuelgue y no desactive el decodificador HDM si el rango CXL del decodificador no se encuentra en una ventana CFMWS. Tenga en cuenta que el cambio solo soluciona un problema de hardware, pero no implementa la traducción HPA/SPA. Se puede agregar soporte para esto en una serie de parches de seguimiento.

In the Linux kernel, the following vulnerability has been resolved: cxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window The Linux CXL subsystem is built on the assumption that HPA == SPA. That is, the host physical address (HPA) the HDM decoder registers are programmed with are system physical addresses (SPA). During HDM decoder setup, the DVSEC CXL range registers (cxl-3.1, 8.1.3.8) are checked if the memory is enabled and the CXL range is in a HPA window that is described in a CFMWS structure of the CXL host bridge (cxl-3.1, 9.18.1.3). Now, if the HPA is not an SPA, the CXL range does not match a CFMWS window and the CXL memory range will be disabled then. The HDM decoder stops working which causes system memory being disabled and further a system hang during HDM decoder initialization, typically when a CXL enabled kernel boots. Prevent a system hang and do not disable the HDM decoder if the decoder's CXL range is not found in a CFMWS window. Note the change only fixes a hardware hang, but does not implement HPA/SPA translation. Support for this can be added in a follow on patch series.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Local
Attack Complexity
High
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-02-19 CVE Reserved
  • 2024-04-03 CVE Published
  • 2024-04-04 EPSS Updated
  • 2024-12-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-20: Improper Input Validation
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 5.19 < 6.1.80
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.19 < 6.1.80"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 5.19 < 6.6.19
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.19 < 6.6.19"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 5.19 < 6.7.7
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.19 < 6.7.7"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 5.19 < 6.8
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.19 < 6.8"
en
Affected