cve-2023-52771
Vulnerability from cvelistv5
Published
2024-05-21 15:30
Modified
2024-12-19 08:25
Summary
In the Linux kernel, the following vulnerability has been resolved: cxl/port: Fix delete_endpoint() vs parent unregistration race The CXL subsystem, at cxl_mem ->probe() time, establishes a lineage of ports (struct cxl_port objects) between an endpoint and the root of a CXL topology. Each port including the endpoint port is attached to the cxl_port driver. Given that setup, it follows that when either any port in that lineage goes through a cxl_port ->remove() event, or the memdev goes through a cxl_mem ->remove() event. The hierarchy below the removed port, or the entire hierarchy if the memdev is removed needs to come down. The delete_endpoint() callback is careful to check whether it is being called to tear down the hierarchy, or if it is only being called to teardown the memdev because an ancestor port is going through ->remove(). That care needs to take the device_lock() of the endpoint's parent. Which requires 2 bugs to be fixed: 1/ A reference on the parent is needed to prevent use-after-free scenarios like this signature: BUG: spinlock bad magic on CPU#0, kworker/u56:0/11 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc38 05/24/2023 Workqueue: cxl_port detach_memdev [cxl_core] RIP: 0010:spin_bug+0x65/0xa0 Call Trace: do_raw_spin_lock+0x69/0xa0 __mutex_lock+0x695/0xb80 delete_endpoint+0xad/0x150 [cxl_core] devres_release_all+0xb8/0x110 device_unbind_cleanup+0xe/0x70 device_release_driver_internal+0x1d2/0x210 detach_memdev+0x15/0x20 [cxl_core] process_one_work+0x1e3/0x4c0 worker_thread+0x1dd/0x3d0 2/ In the case of RCH topologies, the parent device that needs to be locked is not always @port->dev as returned by cxl_mem_find_port(), use endpoint->dev.parent instead.
Impacted products
Vendor Product Version
Linux Linux Version: 5.18
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 4.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-52771",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-29T18:49:27.742644Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-05T21:33:44.767Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:11:35.152Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/37179fcc916bce8c3cc7b36d67ef814cce55142b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6b2e428e673b3f55965674a426c40922e91388aa"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8d2ad999ca3c64cb08cf6a58d227b9d9e746d708"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/cxl/core/port.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "37179fcc916bce8c3cc7b36d67ef814cce55142b",
              "status": "affected",
              "version": "8dd2bc0f8e02d39bd80851ca787bcbdb7d495e69",
              "versionType": "git"
            },
            {
              "lessThan": "6b2e428e673b3f55965674a426c40922e91388aa",
              "status": "affected",
              "version": "8dd2bc0f8e02d39bd80851ca787bcbdb7d495e69",
              "versionType": "git"
            },
            {
              "lessThan": "8d2ad999ca3c64cb08cf6a58d227b9d9e746d708",
              "status": "affected",
              "version": "8dd2bc0f8e02d39bd80851ca787bcbdb7d495e69",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/cxl/core/port.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.7",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/port: Fix delete_endpoint() vs parent unregistration race\n\nThe CXL subsystem, at cxl_mem -\u003eprobe() time, establishes a lineage of\nports (struct cxl_port objects) between an endpoint and the root of a\nCXL topology. Each port including the endpoint port is attached to the\ncxl_port driver.\n\nGiven that setup, it follows that when either any port in that lineage\ngoes through a cxl_port -\u003eremove() event, or the memdev goes through a\ncxl_mem -\u003eremove() event. The hierarchy below the removed port, or the\nentire hierarchy if the memdev is removed needs to come down.\n\nThe delete_endpoint() callback is careful to check whether it is being\ncalled to tear down the hierarchy, or if it is only being called to\nteardown the memdev because an ancestor port is going through\n-\u003eremove().\n\nThat care needs to take the device_lock() of the endpoint\u0027s parent.\nWhich requires 2 bugs to be fixed:\n\n1/ A reference on the parent is needed to prevent use-after-free\n   scenarios like this signature:\n\n    BUG: spinlock bad magic on CPU#0, kworker/u56:0/11\n    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc38 05/24/2023\n    Workqueue: cxl_port detach_memdev [cxl_core]\n    RIP: 0010:spin_bug+0x65/0xa0\n    Call Trace:\n      do_raw_spin_lock+0x69/0xa0\n     __mutex_lock+0x695/0xb80\n     delete_endpoint+0xad/0x150 [cxl_core]\n     devres_release_all+0xb8/0x110\n     device_unbind_cleanup+0xe/0x70\n     device_release_driver_internal+0x1d2/0x210\n     detach_memdev+0x15/0x20 [cxl_core]\n     process_one_work+0x1e3/0x4c0\n     worker_thread+0x1dd/0x3d0\n\n2/ In the case of RCH topologies, the parent device that needs to be\n   locked is not always @port-\u003edev as returned by cxl_mem_find_port(), use\n   endpoint-\u003edev.parent instead."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:25:29.147Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/37179fcc916bce8c3cc7b36d67ef814cce55142b"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b2e428e673b3f55965674a426c40922e91388aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d2ad999ca3c64cb08cf6a58d227b9d9e746d708"
        }
      ],
      "title": "cxl/port: Fix delete_endpoint() vs parent unregistration race",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52771",
    "datePublished": "2024-05-21T15:30:53.629Z",
    "dateReserved": "2024-05-21T15:19:24.239Z",
    "dateUpdated": "2024-12-19T08:25:29.147Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-52771\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-21T16:15:16.323\",\"lastModified\":\"2024-11-21T08:40:33.187\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncxl/port: Fix delete_endpoint() vs parent unregistration race\\n\\nThe CXL subsystem, at cxl_mem -\u003eprobe() time, establishes a lineage of\\nports (struct cxl_port objects) between an endpoint and the root of a\\nCXL topology. Each port including the endpoint port is attached to the\\ncxl_port driver.\\n\\nGiven that setup, it follows that when either any port in that lineage\\ngoes through a cxl_port -\u003eremove() event, or the memdev goes through a\\ncxl_mem -\u003eremove() event. The hierarchy below the removed port, or the\\nentire hierarchy if the memdev is removed needs to come down.\\n\\nThe delete_endpoint() callback is careful to check whether it is being\\ncalled to tear down the hierarchy, or if it is only being called to\\nteardown the memdev because an ancestor port is going through\\n-\u003eremove().\\n\\nThat care needs to take the device_lock() of the endpoint\u0027s parent.\\nWhich requires 2 bugs to be fixed:\\n\\n1/ A reference on the parent is needed to prevent use-after-free\\n   scenarios like this signature:\\n\\n    BUG: spinlock bad magic on CPU#0, kworker/u56:0/11\\n    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc38 05/24/2023\\n    Workqueue: cxl_port detach_memdev [cxl_core]\\n    RIP: 0010:spin_bug+0x65/0xa0\\n    Call Trace:\\n      do_raw_spin_lock+0x69/0xa0\\n     __mutex_lock+0x695/0xb80\\n     delete_endpoint+0xad/0x150 [cxl_core]\\n     devres_release_all+0xb8/0x110\\n     device_unbind_cleanup+0xe/0x70\\n     device_release_driver_internal+0x1d2/0x210\\n     detach_memdev+0x15/0x20 [cxl_core]\\n     process_one_work+0x1e3/0x4c0\\n     worker_thread+0x1dd/0x3d0\\n\\n2/ In the case of RCH topologies, the parent device that needs to be\\n   locked is not always @port-\u003edev as returned by cxl_mem_find_port(), use\\n   endpoint-\u003edev.parent instead.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cxl/port: corrige delete_endpoint() frente a la ejecuci\u00f3n de cancelaci\u00f3n del registro principal. El subsistema CXL, en el momento cxl_mem -\u0026gt;probe(), establece un linaje de puertos (objetos struct cxl_port) entre un punto final y la ra\u00edz de una topolog\u00eda CXL. Cada puerto, incluido el puerto del punto final, est\u00e1 conectado al controlador cxl_port. Dada esa configuraci\u00f3n, se deduce que cuando cualquier puerto en ese linaje pasa por un evento cxl_port -\u0026gt;remove(), o el memdev pasa por un evento cxl_mem -\u0026gt;remove(). La jerarqu\u00eda debajo del puerto eliminado, o toda la jerarqu\u00eda si se elimina el memdev, debe bajar. La devoluci\u00f3n de llamada delete_endpoint() tiene cuidado de verificar si se llama para derribar la jerarqu\u00eda o si solo se llama para derribar memdev porque un puerto ancestro est\u00e1 pasando por -\u0026gt;remove(). Ese cuidado debe tenerse en cuenta con el dispositivo_lock() del padre del punto final. Lo que requiere la correcci\u00f3n de 2 errores: 1/ Se necesita una referencia en el padre para evitar escenarios de use after free como esta firma: ERROR: spinlock bad magic en CPU#0, kworker/u56:0/11 Nombre del hardware: QEMU PC est\u00e1ndar (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc38 24/05/2023 Cola de trabajo: cxl_port detach_memdev [cxl_core] RIP: 0010:spin_bug+0x65/0xa0 Seguimiento de llamadas: do_raw_spin_lock+0x69/0xa0 5 /0xb80 delete_endpoint+0xad/0x150 [cxl_core] devres_release_all+0xb8/0x110 device_unbind_cleanup+0xe/0x70 device_release_driver_internal+0x1d2/0x210 detach_memdev+0x15/0x20 [cxl_core] proceso_one_work+0x1e3/0x4c0 _thread+0x1dd/0x3d0 2/ En el caso de RCH topolog\u00edas, el dispositivo principal que debe bloquearse no siempre es @port-\u0026gt;dev como lo devuelve cxl_mem_find_port(); utilice endpoint-\u0026gt;dev.parent en su lugar.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":4.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.8,\"impactScore\":3.6}]},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/37179fcc916bce8c3cc7b36d67ef814cce55142b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6b2e428e673b3f55965674a426c40922e91388aa\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8d2ad999ca3c64cb08cf6a58d227b9d9e746d708\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/37179fcc916bce8c3cc7b36d67ef814cce55142b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/6b2e428e673b3f55965674a426c40922e91388aa\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/8d2ad999ca3c64cb08cf6a58d227b9d9e746d708\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.