CVE-2024-58093

PCI/ASPM: Fix link state exit during switch upstream function removal

Severity Score

7.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: PCI/ASPM: Fix link state exit during switch upstream function removal Before 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to
avoid use-after-free"), we would free the ASPM link only after the last
function on the bus pertaining to the given link was removed. That was too late. If function 0 is removed before sibling function,
link->downstream would point to free'd memory after. After above change, we freed the ASPM parent link state upon any function
removal on the bus pertaining to a given link. That is too early. If the link is to a PCIe switch with MFD on the upstream
port, then removing functions other than 0 first would free a link which
still remains parent_link to the remaining downstream ports. The resulting GPFs are especially frequent during hot-unplug, because
pciehp removes devices on the link bus in reverse order. On that switch, function 0 is the virtual P2P bridge to the internal bus.
Free exactly when function 0 is removed -- before the parent link is
obsolete, but after all subordinate links are gone. [kwilczynski: commit log]

In the Linux kernel, the following vulnerability has been resolved: PCI/ASPM: Fix link state exit during switch upstream function removal Before 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free"), we would free the ASPM link only after the last function on the bus pertaining to the given link was removed. That was too late. If function 0 is removed before sibling function, link->downstream would point to free'd memory after. After above change, we freed the ASPM parent link state upon any function removal on the bus pertaining to a given link. That is too early. If the link is to a PCIe switch with MFD on the upstream port, then removing functions other than 0 first would free a link which still remains parent_link to the remaining downstream ports. The resulting GPFs are especially frequent during hot-unplug, because pciehp removes devices on the link bus in reverse order. On that switch, function 0 is the virtual P2P bridge to the internal bus. Free exactly when function 0 is removed -- before the parent link is obsolete, but after all subordinate links are gone. [kwilczynski: commit log]

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Adjacent

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-03-06 CVE Reserved
2025-04-16 CVE Published
2025-04-16 CVE Updated
2025-04-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/456d8aa37d0f56fc9e985e812496e861dcd6f2f2	Vuln. Introduced
https://git.kernel.org/stable/c/666e7f9d60cee23077ea3e6331f6f8a19f7ea03f	Vuln. Introduced
https://git.kernel.org/stable/c/7badf4d6f49a358a01ab072bbff88d3ee886c33b	Vuln. Introduced
https://git.kernel.org/stable/c/9856c0de49052174ab474113f4ba40c02aaee086	Vuln. Introduced
https://git.kernel.org/stable/c/7aecdd47910c51707696e8b0e045b9f88bd4230f	Vuln. Introduced
https://git.kernel.org/stable/c/d51d2eeae4ce54d542909c4d9d07bf371a78592c	Vuln. Introduced
https://git.kernel.org/stable/c/4203722d51afe3d239e03f15cc73efdf023a7103	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/cbf937dcadfd571a434f8074d057b32cd14fbea5	2025-02-20

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.15-rc1 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.15-rc1"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.4.251 Search vendor "Linux" for product "Linux Kernel" and version "5.4.251"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.10.188 Search vendor "Linux" for product "Linux Kernel" and version "5.10.188"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.15.121 Search vendor "Linux" for product "Linux Kernel" and version "5.15.121"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.1.39 Search vendor "Linux" for product "Linux Kernel" and version "6.1.39"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.3.13 Search vendor "Linux" for product "Linux Kernel" and version "6.3.13"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.4.4 Search vendor "Linux" for product "Linux Kernel" and version "6.4.4"		en		Affected