CVE-2024-26813
vfio/platform: Create persistent IRQ handlers
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
vfio/platform: Create persistent IRQ handlers
The vfio-platform SET_IRQS ioctl currently allows loopback triggering of
an interrupt before a signaling eventfd has been configured by the user,
which thereby allows a NULL pointer dereference.
Rather than register the IRQ relative to a valid trigger, register all
IRQs in a disabled state in the device open path. This allows mask
operations on the IRQ to nest within the overall enable state governed
by a valid eventfd signal. This decouples @masked, protected by the
@locked spinlock from @trigger, protected via the @igate mutex.
In doing so, it's guaranteed that changes to @trigger cannot race the
IRQ handlers because the IRQ handler is synchronously disabled before
modifying the trigger, and loopback triggering of the IRQ via ioctl is
safe due to serialization with trigger changes via igate.
For compatibility, request_irq() failures are maintained to be local to
the SET_IRQS ioctl rather than a fatal error in the open device path.
This allows, for example, a userspace driver with polling mode support
to continue to work regardless of moving the request_irq() call site.
This necessarily blocks all SET_IRQS access to the failed index.
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: vfio/plataforma: cree controladores IRQ persistentes. La plataforma vfio SET_IRQS ioctl actualmente permite la activación de bucle invertido de una interrupción antes de que el usuario haya configurado un evento de señalización, lo que permite un puntero NULL. desreferencia. En lugar de registrar la IRQ relativa a un activador válido, registre todas las IRQ en estado deshabilitado en la ruta abierta del dispositivo. Esto permite que las operaciones de máscara en la IRQ se aniden dentro del estado de habilitación general gobernado por una señal eventfd válida. Esto desacopla a @masked, protegido por el spinlock @locked de @trigger, protegido a través del mutex @igate. Al hacerlo, se garantiza que los cambios en @trigger no puedan competir con los controladores IRQ porque el controlador IRQ se desactiva sincrónicamente antes de modificar el disparador, y la activación en bucle invertido de la IRQ a través de ioctl es segura debido a la serialización con cambios en el disparador a través de igate. Por compatibilidad, las fallas de request_irq() se mantienen locales para el ioctl SET_IRQS en lugar de un error fatal en la ruta abierta del dispositivo. Esto permite, por ejemplo, que un controlador de espacio de usuario compatible con el modo de sondeo continúe funcionando independientemente de mover el sitio de llamada request_irq(). Esto necesariamente bloquea todo el acceso SET_IRQS al índice fallido.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-19 CVE Reserved
- 2024-04-05 CVE Published
- 2024-04-11 EPSS Updated
- 2024-09-11 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (10)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/57f972e2b341dd6a73533f9293ec55d584a5d833 | Vuln. Introduced | |
| https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.1 < 5.4.274 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 5.4.274" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.1 < 5.10.215 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 5.10.215" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.1 < 5.15.154 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 5.15.154" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.1 < 6.1.84 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 6.1.84" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.1 < 6.6.24 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 6.6.24" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.1 < 6.7.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 6.7.12" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.1 < 6.8.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 6.8.3" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.1 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 6.9" | en |
Affected
| ||||||