CVE-2024-36002

dpll: fix dpll_pin_on_pin_register() for multiple parent pins

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

dpll: fix dpll_pin_on_pin_register() for multiple parent pins

In scenario where pin is registered with multiple parent pins via
dpll_pin_on_pin_register(..), all belonging to the same dpll device.
A second call to dpll_pin_on_pin_unregister(..) would cause a call trace,
as it tries to use already released registration resources (due to fix
introduced in b446631f355e). In this scenario pin was registered twice,
so resources are not yet expected to be release until each registered
pin/pin pair is unregistered.

Currently, the following crash/call trace is produced when ice driver is
removed on the system with installed E810T NIC which includes dpll device:

WARNING: CPU: 51 PID: 9155 at drivers/dpll/dpll_core.c:809 dpll_pin_ops+0x20/0x30
RIP: 0010:dpll_pin_ops+0x20/0x30
Call Trace:
? __warn+0x7f/0x130
? dpll_pin_ops+0x20/0x30
dpll_msg_add_pin_freq+0x37/0x1d0
dpll_cmd_pin_get_one+0x1c0/0x400
? __nlmsg_put+0x63/0x80
dpll_pin_event_send+0x93/0x140
dpll_pin_on_pin_unregister+0x3f/0x100
ice_dpll_deinit_pins+0xa1/0x230 [ice]
ice_remove+0xf1/0x210 [ice]

Fix by adding a parent pointer as a cookie when creating a registration,
also when searching for it. For the regular pins pass NULL, this allows to
create separated registration for each parent the pin is registered with.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: dpll: corrige dpll_pin_on_pin_register() para múltiples pines principales En un escenario donde el pin se registra con múltiples pines principales a través de dpll_pin_on_pin_register(..), todos pertenecientes al mismo dispositivo dpll. Una segunda llamada a dpll_pin_on_pin_unregister(..) provocaría un seguimiento de la llamada, ya que intenta utilizar recursos de registro ya liberados (debido a la solución introducida en b446631f355e). En este escenario, el pin se registró dos veces, por lo que aún no se espera que se liberen recursos hasta que se cancele el registro de cada pin/par de pines registrado. Actualmente, se produce el siguiente seguimiento de fallas/llamadas cuando se elimina el controlador Ice en el sistema con la NIC E810T instalada que incluye el dispositivo dpll: ADVERTENCIA: CPU: 51 PID: 9155 en drivers/dpll/dpll_core.c:809 dpll_pin_ops+0x20/0x30 RIP: 0010:dpll_pin_ops+0x20/0x30 Seguimiento de llamadas:? __warn+0x7f/0x130 ? dpll_pin_ops+0x20/0x30 dpll_msg_add_pin_freq+0x37/0x1d0 dpll_cmd_pin_get_one+0x1c0/0x400 ? __nlmsg_put+0x63/0x80 dpll_pin_event_send+0x93/0x140 dpll_pin_on_pin_unregister+0x3f/0x100 ice_dpll_deinit_pins+0xa1/0x230 [ice] ice_remove+0xf1/0x210 [ice] Se soluciona agregando un puntero principal como cookie al crear un registro. también al buscarlo . Para los pines normales pasan NULL, esto permite crear un registro separado para cada padre con el que está registrado el pin.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-17 CVE Reserved
2024-05-20 CVE Published
2024-05-21 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (4)

URL	Tag	Source
https://git.kernel.org/stable/c/b27e32e9367dac024cd6f61f22655714f483fd67	Vuln. Introduced
https://git.kernel.org/stable/c/769324eb35143462542cdb15483cdaf4877bf661	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/f3e1cf62d18220a3aa97e084e7a3552debece9fc	2024-05-02
https://git.kernel.org/stable/c/38d7b94e81d068b8d8c8392f421cfd2c3bbfd1a6	2024-04-25

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.8.2 < 6.8.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.8.2 < 6.8.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.7.11 Search vendor "Linux" for product "Linux Kernel" and version "6.7.11"		en		Affected