CVE-2024-26802

stmmac: Clear variable when destroying workqueue

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

stmmac: Clear variable when destroying workqueue

Currently when suspending driver and stopping workqueue it is checked whether
workqueue is not NULL and if so, it is destroyed.
Function destroy_workqueue() does drain queue and does clear variable, but
it does not set workqueue variable to NULL. This can cause kernel/module
panic if code attempts to clear workqueue that was not initialized.

This scenario is possible when resuming suspended driver in stmmac_resume(),
because there is no handling for failed stmmac_hw_setup(),
which can fail and return if DMA engine has failed to initialize,
and workqueue is initialized after DMA engine.
Should DMA engine fail to initialize, resume will proceed normally,
but interface won't work and TX queue will eventually timeout,
causing 'Reset adapter' error.
This then does destroy workqueue during reset process.
And since workqueue is initialized after DMA engine and can be skipped,
it will cause kernel/module panic.

To secure against this possible crash, set workqueue variable to NULL when
destroying workqueue.

Log/backtrace from crash goes as follows:
[88.031977]------------[ cut here ]------------
[88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out
[88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398
<Skipping backtrace for watchdog timeout>
[88.032251]---[ end trace e70de432e4d5c2c0 ]---
[88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter.
[88.036359]------------[ cut here ]------------
[88.036519]Call trace:
[88.036523] flush_workqueue+0x3e4/0x430
[88.036528] drain_workqueue+0xc4/0x160
[88.036533] destroy_workqueue+0x40/0x270
[88.036537] stmmac_fpe_stop_wq+0x4c/0x70
[88.036541] stmmac_release+0x278/0x280
[88.036546] __dev_close_many+0xcc/0x158
[88.036551] dev_close_many+0xbc/0x190
[88.036555] dev_close.part.0+0x70/0xc0
[88.036560] dev_close+0x24/0x30
[88.036564] stmmac_service_task+0x110/0x140
[88.036569] process_one_work+0x1d8/0x4a0
[88.036573] worker_thread+0x54/0x408
[88.036578] kthread+0x164/0x170
[88.036583] ret_from_fork+0x10/0x20
[88.036588]---[ end trace e70de432e4d5c2c1 ]---
[88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: stmmac: Borrar variable al destruir la cola de trabajo Actualmente, al suspender el controlador y detener la cola de trabajo, se verifica si la cola de trabajo no es NULL y, de ser así, se destruye. La función destroy_workqueue() drena la cola y borra la variable, pero no establece la variable de la cola de trabajo en NULL. Esto puede causar pánico en el núcleo/módulo si el código intenta borrar la cola de trabajo que no se inicializó. Este escenario es posible al reanudar el controlador suspendido en stmmac_resume(), porque no hay control para stmmac_hw_setup() fallido, que puede fallar y regresar si el motor DMA no se pudo inicializar y la cola de trabajo se inicializa después del motor DMA. Si el motor DMA no se inicializa, la reanudación se realizará normalmente, pero la interfaz no funcionará y la cola de TX eventualmente expirará, lo que provocará el error "Restablecer adaptador". Esto luego destruye la cola de trabajo durante el proceso de reinicio. Y dado que la cola de trabajo se inicializa después del motor DMA y se puede omitir, provocará pánico en el núcleo/módulo. Para protegerse contra este posible bloqueo, establezca la variable workqueue en NULL al destruir workqueue. El registro/rastreo del fallo es el siguiente: [88.031977]------------[ cortar aquí ]------------ [88.031985]NETDEV WATCHDOG: eth0 (sxgmac) : Se agotó el tiempo de espera de la cola de transmisión 1 [88.032017] ADVERTENCIA: CPU: 0 PID: 0 en net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398 [88.032251]---[fin de rastreo e70de432e4d5c2c0] --- [88.032282]sxgmac 16d88000.ethernet eth0: Restablecer el adaptador. [88.036359]------------[ cortar aquí ]------------ [88.036519]Rastreo de llamadas: [88.036523] Flush_workqueue+0x3e4/0x430 [88.036528] Drain_workqueue+ 0xc4/0x160 [88.036533] destroy_workqueue+0x40/0x270 [88.036537] stmmac_fpe_stop_wq+0x4c/0x70 [88.036541] stmmac_release+0x278/0x280 [88.036546] __dev_close_many+0xcc/0 x158 [88.036551] dev_close_many+0xbc/0x190 [88.036555] dev_close.part. 0+0x70/0xc0 [88.036560] dev_close+0x24/0x30 [88.036564] stmmac_service_task+0x110/0x140 [88.036569] Process_one_work+0x1d8/0x4a0 [88.036573] trabajador_thread+0x54/0x408 [8 8.036578] kthread+0x164/0x170 [88.036583] ret_from_fork+ 0x10/0x20 [88.036588]---[fin de seguimiento e70de432e4d5c2c1]--- [88.036597]No se puede manejar la desreferencia del puntero NULL del kernel en la dirección virtual 0000000000000004

A vulnerability was found in the `stmmac` ethernet driver of the Linux kernel, where a workqueue variable was not cleared after being destroyed. This issue could lead to kernel panics if the code later attempted to access or destroy the already-freed workqueue.

*Credits: N/A

CVSS Scores

Red Hatv3.1 5.5

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-04-04 CVE Published
2024-04-05 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/5a5586112b929546e16029261a987c9197bfdfa2	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/8e99556301172465c8fe33c7f78c39a3d4ce8462	2024-03-06
https://git.kernel.org/stable/c/17ccd9798fe0beda3db212cfa3ebe373f605cbd6	2024-03-06
https://git.kernel.org/stable/c/699b103e48ce32d03fc86c35b37ee8ae4288c7e3	2024-03-06
https://git.kernel.org/stable/c/f72cf22dccc94038cbbaa1029cb575bf52e5cbc8	2024-03-06
https://git.kernel.org/stable/c/8af411bbba1f457c33734795f024d0ef26d0963f	2024-02-28

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-26802	2024-08-08
https://bugzilla.redhat.com/show_bug.cgi?id=2273427	2024-08-08

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.13 < 5.15.151 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.13 < 5.15.151"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.13 < 6.1.81 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.13 < 6.1.81"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.13 < 6.6.21 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.13 < 6.6.21"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.13 < 6.7.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.13 < 6.7.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.13 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.13 < 6.8"		en		Affected