CVE-2024-26812

vfio/pci: Create persistent INTx handler

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

vfio/pci: Create persistent INTx handler

A vulnerability exists where the eventfd for INTx signaling can be
deconfigured, which unregisters the IRQ handler but still allows
eventfds to be signaled with a NULL context through the SET_IRQS ioctl
or through unmask irqfd if the device interrupt is pending.

Ideally this could be solved with some additional locking; the igate
mutex serializes the ioctl and config space accesses, and the interrupt
handler is unregistered relative to the trigger, but the irqfd path
runs asynchronous to those. The igate mutex cannot be acquired from the
atomic context of the eventfd wake function. Disabling the irqfd
relative to the eventfd registration is potentially incompatible with
existing userspace.

As a result, the solution implemented here moves configuration of the
INTx interrupt handler to track the lifetime of the INTx context object
and irq_type configuration, rather than registration of a particular
trigger eventfd. Synchronization is added between the ioctl path and
eventfd_signal() wrapper such that the eventfd trigger can be
dynamically updated relative to in-flight interrupts or irqfd callbacks.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: vfio/pci: crear un controlador INTx persistente Existe una vulnerabilidad donde se puede desconfigurar el eventfd para la señalización INTx, lo que anula el registro del controlador IRQ pero aún permite que los eventfds se señalen con un contexto NULL a través de el SET_IRQS ioctl o mediante unmask irqfd si la interrupción del dispositivo está pendiente. Idealmente, esto podría solucionarse con algún bloqueo adicional; el igate mutex serializa los accesos al espacio ioctl y de configuración, y el controlador de interrupciones no está registrado en relación con el disparador, pero la ruta irqfd se ejecuta de forma asincrónica con respecto a ellos. El mutex igate no se puede adquirir desde el contexto atómico de la función de activación eventfd. Deshabilitar el irqfd en relación con el registro de eventfd es potencialmente incompatible con el espacio de usuario existente. Como resultado, la solución implementada aquí mueve la configuración del controlador de interrupciones INTx para rastrear la vida útil del objeto de contexto INTx y la configuración irq_type, en lugar del registro de un evento desencadenante particular. Se agrega sincronización entre la ruta ioctl y el contenedor eventfd_signal() de modo que el disparador eventfd se pueda actualizar dinámicamente en relación con las interrupciones en curso o las devoluciones de llamada irqfd.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-04-05 CVE Published
2024-04-11 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (10)

URL	Tag	Source
https://git.kernel.org/stable/c/89e1f7d4c66d85f42c3d52ea3866eb10cadf6153	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/b18fa894d615c8527e15d96b76c7448800e13899	2024-04-13
https://git.kernel.org/stable/c/27d40bf72dd9a6600b76ad05859176ea9a1b4897	2024-04-13
https://git.kernel.org/stable/c/4cb0d7532126d23145329826c38054b4e9a05e7c	2024-04-10
https://git.kernel.org/stable/c/7d29d4c72c1e196cce6969c98072a272d1a703b3	2024-04-03
https://git.kernel.org/stable/c/69276a555c740acfbff13fb5769ee9c92e1c828e	2024-04-03
https://git.kernel.org/stable/c/4c089cefe30924fbe20dd1ee92774ea1f5eca834	2024-04-03
https://git.kernel.org/stable/c/0e09cf81959d9f12b75ad5c6dd53d237432ed034	2024-04-03
https://git.kernel.org/stable/c/18c198c96a815c962adc2b9b77909eec0be7df4d	2024-03-11

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.6 < 5.4.274 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.6 < 5.4.274"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.6 < 5.10.215 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.6 < 5.10.215"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.6 < 5.15.154 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.6 < 5.15.154"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.6 < 6.1.84 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.6 < 6.1.84"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.6 < 6.6.24 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.6 < 6.6.24"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.6 < 6.7.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.6 < 6.7.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.6 < 6.8.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.6 < 6.8.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.6 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.6 < 6.9"		en		Affected