CVE-2024-27063

leds: trigger: netdev: Fix kernel panic on interface rename trig notify

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

leds: trigger: netdev: Fix kernel panic on interface rename trig notify

Commit d5e01266e7f5 ("leds: trigger: netdev: add additional specific link
speed mode") in the various changes, reworked the way to set the LINKUP
mode in commit cee4bd16c319 ("leds: trigger: netdev: Recheck
NETDEV_LED_MODE_LINKUP on dev rename") and moved it to a generic function.

This changed the logic where, in the previous implementation the dev
from the trigger event was used to check if the carrier was ok, but in
the new implementation with the generic function, the dev in
trigger_data is used instead.

This is problematic and cause a possible kernel panic due to the fact
that the dev in the trigger_data still reference the old one as the
new one (passed from the trigger event) still has to be hold and saved
in the trigger_data struct (done in the NETDEV_REGISTER case).

On calling of get_device_state(), an invalid net_dev is used and this
cause a kernel panic.

To handle this correctly, move the call to get_device_state() after the
new net_dev is correctly set in trigger_data (in the NETDEV_REGISTER
case) and correctly parse the new dev.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: leds: trigger: netdev: corrige el pánico del kernel al cambiar el nombre de la interfaz, notifica el trigono. Commit d5e01266e7f5 ("leds: trigger: netdev: agrega un modo de velocidad de enlace específico adicional") en los diversos cambios, reelaborados la forma de configurar el modo LINKUP en el commit cee4bd16c319 ("leds: trigger: netdev: Recheck NETDEV_LED_MODE_LINKUP on dev rename") y lo moví a una función genérica. Esto cambió la lógica donde, en la implementación anterior, se usaba el desarrollo del evento desencadenante para verificar si el operador estaba bien, pero en la nueva implementación con la función genérica, se usa el desarrollo en trigger_data. Esto es problemático y causa un posible pánico en el kernel debido al hecho de que el desarrollador en trigger_data aún hace referencia al anterior, ya que el nuevo (pasado desde el evento desencadenante) aún debe retenerse y guardarse en la estructura trigger_data (hecho en el caso NETDEV_REGISTER). Al llamar a get_device_state(), se utiliza un net_dev no válido y esto provoca un pánico en el kernel. Para manejar esto correctamente, mueva la llamada a get_device_state() después de que el nuevo net_dev esté configurado correctamente en trigger_data (en el caso NETDEV_REGISTER) y analice correctamente el nuevo dev.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-05-01 CVE Published
2024-05-02 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (5)

URL	Tag	Source
https://git.kernel.org/stable/c/d5e01266e7f5fa12400d4c8aa4e86fe89dcc61e9	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/10f2af1af8ab8a7064f193446abd5579d3def7e3	2024-04-03
https://git.kernel.org/stable/c/acd025c7a7d151261533016a6ca2d38f2de04e87	2024-04-03
https://git.kernel.org/stable/c/3f360227cb46edb2cd2494128e1e06ed5768a62e	2024-04-03
https://git.kernel.org/stable/c/415798bc07dd1c1ae3a656aa026580816e0b9fe8	2024-03-07

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.6.24 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.6.24"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.7.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.7.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.8.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.8.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.9"		en		Affected