CVE-2024-42302
PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal
Keith reports a use-after-free when a DPC event occurs concurrently to
hot-removal of the same portion of the hierarchy:
The dpc_handler() awaits readiness of the secondary bus below the
Downstream Port where the DPC event occurred. To do so, it polls the
config space of the first child device on the secondary bus. If that
child device is concurrently removed, accesses to its struct pci_dev
cause the kernel to oops.
That's because pci_bridge_wait_for_secondary_bus() neglects to hold a
reference on the child device. Before v6.3, the function was only
called on resume from system sleep or on runtime resume. Holding a
reference wasn't necessary back then because the pciehp IRQ thread
could never run concurrently. (On resume from system sleep, IRQs are
not enabled until after the resume_noirq phase. And runtime resume is
always awaited before a PCI device is removed.)
However starting with v6.3, pci_bridge_wait_for_secondary_bus() is also
called on a DPC event. Commit 53b54ad074de ("PCI/DPC: Await readiness
of secondary bus after reset"), which introduced that, failed to
appreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a
reference on the child device because dpc_handler() and pciehp may
indeed run concurrently. The commit was backported to v5.10+ stable
kernels, so that's the oldest one affected.
Add the missing reference acquisition.
Abridged stack trace:
BUG: unable to handle page fault for address: 00000000091400c0
CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0
RIP: pci_bus_read_config_dword+0x17/0x50
pci_dev_wait()
pci_bridge_wait_for_secondary_bus()
dpc_reset_link()
pcie_do_recovery()
dpc_handler()
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-07-30 CVE Reserved
- 2024-08-17 CVE Published
- 2024-08-23 EPSS Updated
- 2024-11-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (11)
URL | Tag | Source |
---|---|---|
https://git.kernel.org/stable/c/d0292124bb5787a2f1ab1316509e801ca89c10fb | Vuln. Introduced | |
https://git.kernel.org/stable/c/ffe2318405e605f1b3985ce188eff69e6d1d1baa | Vuln. Introduced | |
https://git.kernel.org/stable/c/189f856e76f5463f59efb5fc18dcc1692d04c41a | Vuln. Introduced | |
https://git.kernel.org/stable/c/53b54ad074de1896f8b021615f65b27f557ce874 | Vuln. Introduced | |
https://git.kernel.org/stable/c/0081032082b5b45ca902b3c3d6986cb5cca69ff2 | Vuln. Introduced |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.10.176 < 5.10.224 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.176 < 5.10.224" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.15.104 < 5.15.165 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.104 < 5.15.165" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.1.16 < 6.1.103 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.16 < 6.1.103" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.3 < 6.6.44 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.6.44" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.3 < 6.10.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.10.3" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.3 < 6.11 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.11" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 6.2.3 Search vendor "Linux" for product "Linux Kernel" and version "6.2.3" | en |
Affected
|