// For flags

CVE-2024-26854

ice: fix uninitialized dplls mutex usage

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

ice: fix uninitialized dplls mutex usage

The pf->dplls.lock mutex is initialized too late, after its first use.
Move it to the top of ice_dpll_init.
Note that the "err_exit" error path destroys the mutex. And the mutex is
the last thing destroyed in ice_dpll_deinit.
This fixes the following warning with CONFIG_DEBUG_MUTEXES:

ice 0000:10:00.0: The DDP package was successfully loaded: ICE OS Default Package version 1.3.36.0
ice 0000:10:00.0: 252.048 Gb/s available PCIe bandwidth (16.0 GT/s PCIe x16 link)
ice 0000:10:00.0: PTP init successful
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(lock->magic != lock)
WARNING: CPU: 0 PID: 410 at kernel/locking/mutex.c:587 __mutex_lock+0x773/0xd40
Modules linked in: crct10dif_pclmul crc32_pclmul crc32c_intel polyval_clmulni polyval_generic ice(+) nvme nvme_c>
CPU: 0 PID: 410 Comm: kworker/0:4 Not tainted 6.8.0-rc5+ #3
Hardware name: HPE ProLiant DL110 Gen10 Plus/ProLiant DL110 Gen10 Plus, BIOS U56 10/19/2023
Workqueue: events work_for_cpu_fn
RIP: 0010:__mutex_lock+0x773/0xd40
Code: c0 0f 84 1d f9 ff ff 44 8b 35 0d 9c 69 01 45 85 f6 0f 85 0d f9 ff ff 48 c7 c6 12 a2 a9 85 48 c7 c7 12 f1 a>
RSP: 0018:ff7eb1a3417a7ae0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: 0000000000000002 RSI: ffffffff85ac2bff RDI: 00000000ffffffff
RBP: ff7eb1a3417a7b80 R08: 0000000000000000 R09: 00000000ffffbfff
R10: ff7eb1a3417a7978 R11: ff32b80f7fd2e568 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ff32b7f02c50e0d8
FS: 0000000000000000(0000) GS:ff32b80efe800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b5852cc000 CR3: 000000003c43a004 CR4: 0000000000771ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
? __warn+0x84/0x170
? __mutex_lock+0x773/0xd40
? report_bug+0x1c7/0x1d0
? prb_read_valid+0x1b/0x30
? handle_bug+0x42/0x70
? exc_invalid_op+0x18/0x70
? asm_exc_invalid_op+0x1a/0x20
? __mutex_lock+0x773/0xd40
? rcu_is_watching+0x11/0x50
? __kmalloc_node_track_caller+0x346/0x490
? ice_dpll_lock_status_get+0x28/0x50 [ice]
? __pfx_ice_dpll_lock_status_get+0x10/0x10 [ice]
? ice_dpll_lock_status_get+0x28/0x50 [ice]
ice_dpll_lock_status_get+0x28/0x50 [ice]
dpll_device_get_one+0x14f/0x2e0
dpll_device_event_send+0x7d/0x150
dpll_device_register+0x124/0x180
ice_dpll_init_dpll+0x7b/0xd0 [ice]
ice_dpll_init+0x224/0xa40 [ice]
? _dev_info+0x70/0x90
ice_load+0x468/0x690 [ice]
ice_probe+0x75b/0xa10 [ice]
? _raw_spin_unlock_irqrestore+0x4f/0x80
? process_one_work+0x1a3/0x500
local_pci_probe+0x47/0xa0
work_for_cpu_fn+0x17/0x30
process_one_work+0x20d/0x500
worker_thread+0x1df/0x3e0
? __pfx_worker_thread+0x10/0x10
kthread+0x103/0x140
? __pfx_kthread+0x10/0x10
ret_from_fork+0x31/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>
irq event stamp: 125197
hardirqs last enabled at (125197): [<ffffffff8416409d>] finish_task_switch.isra.0+0x12d/0x3d0
hardirqs last disabled at (125196): [<ffffffff85134044>] __schedule+0xea4/0x19f0
softirqs last enabled at (105334): [<ffffffff84e1e65a>] napi_get_frags_check+0x1a/0x60
softirqs last disabled at (105332): [<ffffffff84e1e65a>] napi_get_frags_check+0x1a/0x60
---[ end trace 0000000000000000 ]---

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ice: corrige el uso del mutex dplls no inicializado El mutex pf-&gt;dplls.lock se inicializa demasiado tarde, después de su primer uso. Muévalo a la parte superior de ice_dpll_init. Tenga en cuenta que la ruta de error "err_exit" destruye el mutex. Y el mutex es lo último que se destruye en ice_dpll_deinit. Esto corrige la siguiente advertencia con CONFIG_DEBUG_MUTEXES: ice 0000:10:00.0: El paquete DDP se cargó correctamente: Paquete predeterminado de ICE OS versión 1.3.36.0 ice 0000:10:00.0: Ancho de banda PCIe disponible de 252,048 Gb/s (PCIe de 16,0 GT/s enlace x16) ice 0000:10:00.0: inicio de PTP exitoso ------------[ cortar aquí ]------------ DEBUG_LOCKS_WARN_ON(lock-&gt;magic != lock ) Advertencia: CPU: 0 PID: 410 AT KERNEL/Locking/Mutex.C: 587 __mutex_lock+0x773/0xd40 Módulos vinculados en: CRCT10DIF_PCLMUL CRC32_PCLMUL CRC32C_Tel Polyval_clmulni Polyval_Gener KWorker/ 0:4 No contaminado 6.8.0-rc5+ #3 Nombre del hardware: HPE ProLiant DL110 Gen10 Plus/ProLiant DL110 Gen10 Plus, BIOS U56 19/10/2023 Cola de trabajo: eventos work_for_cpu_fn RIP: 0010:__mutex_lock+0x773/0xd40 Código: c0 0f 84 1d f9 ff ff 44 8b 35 0d 9c 69 01 45 85 f6 0f 85 0d f9 ff ff 48 c7 c6 12 a2 a9 85 48 c7 c7 12 f1 a&gt; RSP: 0018:ff7eb1a3417a7ae0 EFLAGS: X: 0000000000000000 RBX: 0000000000000002 RCX : 0000000000000000 RDX: 0000000000000002 RSI: ffffffff85ac2bff RDI: 00000000ffffffff RBP: ff7eb1a3417a7b80 R08: 0000000000000000 R09: 00000000ffffb fff R10: ff7eb1a3417a7978 R11: ff32b80f7fd2e568 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ff32b7f02c50e0d8 FS: 0000000000000000(0000) GS:ff32b80efe800000(0000) KNLGS: 00000000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000000080050033 CR2: 000055B5852CC000 00 DR3: 000000000000000000 DR6: 0000000000FFFE0FF0 DR7: 000000000000000400 PKRU: 555555554 Trace de llamadas: ? __advertir+0x84/0x170 ? __mutex_lock+0x773/0xd40? report_bug+0x1c7/0x1d0? prb_read_valid+0x1b/0x30? handle_bug+0x42/0x70? exc_invalid_op+0x18/0x70? asm_exc_invalid_op+0x1a/0x20? __mutex_lock+0x773/0xd40? rcu_is_watching+0x11/0x50? __kmalloc_node_track_caller+0x346/0x490 ? ice_dpll_lock_status_get+0x28/0x50 [hielo]? __pfx_ice_dpll_lock_status_get+0x10/0x10 [hielo]? ice_dpll_lock_status_get+0x28/0x50 [ice] ice_dpll_lock_status_get+0x28/0x50 [ice] dpll_device_get_one+0x14f/0x2e0 dpll_device_event_send+0x7d/0x150 dpll_device_register+0x124/0x180 init_dpll+0x7b/0xd0 [hielo] ice_dpll_init+0x224/0xa40 [hielo] ? _dev_info+0x70/0x90 ice_load+0x468/0x690 [hielo] ice_probe+0x75b/0xa10 [hielo] ? _raw_spin_unlock_irqrestore+0x4f/0x80 ? Process_one_work+0x1a3/0x500 local_pci_probe+0x47/0xa0 work_for_cpu_fn+0x17/0x30 Process_one_work+0x20d/0x500 trabajador_thread+0x1df/0x3e0 ? __pfx_worker_thread+0x10/0x10 kthread+0x103/0x140 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 sello de evento irq: 125197 hardirqs habilitado por última vez en (125197): [] Finish_task_switch.isra.0+0x12d/0x3d0 hardirqs deshabilitado por última vez en (1251 96): [ ] __schedule+0xea4/0x19f0 softirqs habilitado por última vez en (105334): [] napi_get_frags_check+0x1a/0x60 softirqs deshabilitado por última vez en (105332): [] x1a/0x60 ---[ fin traza 0000000000000000 ]---

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-02-19 CVE Reserved
  • 2024-04-17 CVE Published
  • 2024-04-18 EPSS Updated
  • 2024-08-02 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-476: NULL Pointer Dereference
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 6.7 < 6.7.10
Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7 < 6.7.10"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 6.7 < 6.8
Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7 < 6.8"
en
Affected