CVE-2024-42302
"Linux PCI DPC Use-After-Free Vulnerability"
Description
In the Linux kernel, the following vulnerability has been resolved: PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal Keith reports a use-after-free when a DPC event occurs concurrently to hot-removal of the same portion of the hierarchy: The dpc_handler() awaits readiness of the secondary bus below the Downstream Port where the DPC event occurred. To do so, it polls the config space of the first child device on the secondary bus. If that child device is concurrently removed, accesses to its struct pci_dev cause the kernel to oops. That's because pci_bridge_wait_for_secondary_bus() neglects to hold a reference on the child device. Before v6.3, the function was only called on resume from system sleep or on runtime resume. Holding a reference wasn't necessary back then because the pciehp IRQ thread could never run concurrently. (On resume from system sleep, IRQs are not enabled until after the resume_noirq phase. And runtime resume is always awaited before a PCI device is removed.) However starting with v6.3, pci_bridge_wait_for_secondary_bus() is also called on a DPC event. Commit 53b54ad074de ("PCI/DPC: Await readiness of secondary bus after reset"), which introduced that, failed to appreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a reference on the child device because dpc_handler() and pciehp may indeed run concurrently. The commit was backported to v5.10+ stable kernels, so that's the oldest one affected. Add the missing reference acquisition. Abridged stack trace: BUG: unable to handle page fault for address: 00000000091400c0 CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0 RIP: pci_bus_read_config_dword+0x17/0x50 pci_dev_wait() pci_bridge_wait_for_secondary_bus() dpc_reset_link() pcie_do_recovery() dpc_handler()
INFO
Published Date :
Aug. 17, 2024, 9:15 a.m.
Last Modified :
Aug. 22, 2024, 4:37 p.m.
Source :
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Remotely Exploitable :
No
Impact Score :
5.9
Exploitability Score :
1.8
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2024-42302.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2024-42302 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2024-42302 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Aug. 22, 2024
Action Type Old Value New Value Added CVSS V3.1 NIST AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Changed Reference Type https://git.kernel.org/stable/c/11a1f4bc47362700fcbde717292158873fb847ed No Types Assigned https://git.kernel.org/stable/c/11a1f4bc47362700fcbde717292158873fb847ed Patch Changed Reference Type https://git.kernel.org/stable/c/2c111413f38ca5cf87557cab89f6d82b0e3433e7 No Types Assigned https://git.kernel.org/stable/c/2c111413f38ca5cf87557cab89f6d82b0e3433e7 Patch Changed Reference Type https://git.kernel.org/stable/c/2cc8973bdc4d6c928ebe38b88090a2cdfe81f42f No Types Assigned https://git.kernel.org/stable/c/2cc8973bdc4d6c928ebe38b88090a2cdfe81f42f Patch Changed Reference Type https://git.kernel.org/stable/c/b16f3ea1db47a6766a9f1169244cf1fc287a7c62 No Types Assigned https://git.kernel.org/stable/c/b16f3ea1db47a6766a9f1169244cf1fc287a7c62 Patch Changed Reference Type https://git.kernel.org/stable/c/c52f9e1a9eb40f13993142c331a6cfd334d4b91d No Types Assigned https://git.kernel.org/stable/c/c52f9e1a9eb40f13993142c331a6cfd334d4b91d Patch Changed Reference Type https://git.kernel.org/stable/c/f63df70b439bb8331358a306541893bf415bf1da No Types Assigned https://git.kernel.org/stable/c/f63df70b439bb8331358a306541893bf415bf1da Patch Added CWE NIST CWE-416 Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions up to (excluding) 5.10.224 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.165 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.103 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.44 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.10.3 -
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Aug. 19, 2024
Action Type Old Value New Value Added Reference kernel.org https://git.kernel.org/stable/c/c52f9e1a9eb40f13993142c331a6cfd334d4b91d [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/2c111413f38ca5cf87557cab89f6d82b0e3433e7 [No types assigned] -
CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Aug. 17, 2024
Action Type Old Value New Value Added Description In the Linux kernel, the following vulnerability has been resolved: PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal Keith reports a use-after-free when a DPC event occurs concurrently to hot-removal of the same portion of the hierarchy: The dpc_handler() awaits readiness of the secondary bus below the Downstream Port where the DPC event occurred. To do so, it polls the config space of the first child device on the secondary bus. If that child device is concurrently removed, accesses to its struct pci_dev cause the kernel to oops. That's because pci_bridge_wait_for_secondary_bus() neglects to hold a reference on the child device. Before v6.3, the function was only called on resume from system sleep or on runtime resume. Holding a reference wasn't necessary back then because the pciehp IRQ thread could never run concurrently. (On resume from system sleep, IRQs are not enabled until after the resume_noirq phase. And runtime resume is always awaited before a PCI device is removed.) However starting with v6.3, pci_bridge_wait_for_secondary_bus() is also called on a DPC event. Commit 53b54ad074de ("PCI/DPC: Await readiness of secondary bus after reset"), which introduced that, failed to appreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a reference on the child device because dpc_handler() and pciehp may indeed run concurrently. The commit was backported to v5.10+ stable kernels, so that's the oldest one affected. Add the missing reference acquisition. Abridged stack trace: BUG: unable to handle page fault for address: 00000000091400c0 CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0 RIP: pci_bus_read_config_dword+0x17/0x50 pci_dev_wait() pci_bridge_wait_for_secondary_bus() dpc_reset_link() pcie_do_recovery() dpc_handler() Added Reference kernel.org https://git.kernel.org/stable/c/f63df70b439bb8331358a306541893bf415bf1da [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/2cc8973bdc4d6c928ebe38b88090a2cdfe81f42f [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/b16f3ea1db47a6766a9f1169244cf1fc287a7c62 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/11a1f4bc47362700fcbde717292158873fb847ed [No types assigned]
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2024-42302 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2024-42302
weaknesses.