cvelistv5 - cve-2024-26812

Source	URL	Tags
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/0e09cf81959d9f12b75ad5c6dd53d237432ed034
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/18c198c96a815c962adc2b9b77909eec0be7df4d
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/27d40bf72dd9a6600b76ad05859176ea9a1b4897
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/4c089cefe30924fbe20dd1ee92774ea1f5eca834
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/4cb0d7532126d23145329826c38054b4e9a05e7c
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/69276a555c740acfbff13fb5769ee9c92e1c828e
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/7d29d4c72c1e196cce6969c98072a272d1a703b3
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/b18fa894d615c8527e15d96b76c7448800e13899
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

Vendor	Product
Linux	Linux
Linux	Linux

ghsa-p8g6-7v7w-4whg

Vulnerability from github

Published

2024-04-05 09:30

Modified

2024-06-26 00:31

Details

In the Linux kernel, the following vulnerability has been resolved:

vfio/pci: Create persistent INTx handler

A vulnerability exists where the eventfd for INTx signaling can be deconfigured, which unregisters the IRQ handler but still allows eventfds to be signaled with a NULL context through the SET_IRQS ioctl or through unmask irqfd if the device interrupt is pending.

Ideally this could be solved with some additional locking; the igate mutex serializes the ioctl and config space accesses, and the interrupt handler is unregistered relative to the trigger, but the irqfd path runs asynchronous to those. The igate mutex cannot be acquired from the atomic context of the eventfd wake function. Disabling the irqfd relative to the eventfd registration is potentially incompatible with existing userspace.

As a result, the solution implemented here moves configuration of the INTx interrupt handler to track the lifetime of the INTx context object and irq_type configuration, rather than registration of a particular trigger eventfd. Synchronization is added between the ioctl path and eventfd_signal() wrapper such that the eventfd trigger can be dynamically updated relative to in-flight interrupts or irqfd callbacks.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-26812"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-05T09:15:09Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Create persistent INTx handler\n\nA vulnerability exists where the eventfd for INTx signaling can be\ndeconfigured, which unregisters the IRQ handler but still allows\neventfds to be signaled with a NULL context through the SET_IRQS ioctl\nor through unmask irqfd if the device interrupt is pending.\n\nIdeally this could be solved with some additional locking; the igate\nmutex serializes the ioctl and config space accesses, and the interrupt\nhandler is unregistered relative to the trigger, but the irqfd path\nruns asynchronous to those.  The igate mutex cannot be acquired from the\natomic context of the eventfd wake function.  Disabling the irqfd\nrelative to the eventfd registration is potentially incompatible with\nexisting userspace.\n\nAs a result, the solution implemented here moves configuration of the\nINTx interrupt handler to track the lifetime of the INTx context object\nand irq_type configuration, rather than registration of a particular\ntrigger eventfd.  Synchronization is added between the ioctl path and\neventfd_signal() wrapper such that the eventfd trigger can be\ndynamically updated relative to in-flight interrupts or irqfd callbacks.",
  "id": "GHSA-p8g6-7v7w-4whg",
  "modified": "2024-06-26T00:31:36Z",
  "published": "2024-04-05T09:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26812"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0e09cf81959d9f12b75ad5c6dd53d237432ed034"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/18c198c96a815c962adc2b9b77909eec0be7df4d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/27d40bf72dd9a6600b76ad05859176ea9a1b4897"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4c089cefe30924fbe20dd1ee92774ea1f5eca834"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4cb0d7532126d23145329826c38054b4e9a05e7c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/69276a555c740acfbff13fb5769ee9c92e1c828e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7d29d4c72c1e196cce6969c98072a272d1a703b3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b18fa894d615c8527e15d96b76c7448800e13899"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

wid-sec-w-2024-0804

Vulnerability from csaf_certbund

Published

2024-04-04 22:00

Modified

2024-07-24 22:00

Summary

Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Der Kernel stellt den Kern des Linux Betriebssystems dar.

Angriff

Ein lokaler Angreifer kann mehrere Schwachstellen in Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen.

Betroffene Betriebssysteme

- Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein lokaler Angreifer kann mehrere Schwachstellen in Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-0804 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0804.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-0804 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0804"
      },
      {
        "category": "external",
        "summary": "Linux CVE-Announcements vom 2024-04-04",
        "url": "https://lore.kernel.org/linux-cve-announce/"
      },
      {
        "category": "external",
        "summary": "Linux CVE-2024-26810 Announcement vom 2024-04-04",
        "url": "https://lore.kernel.org/linux-cve-announce/2024040548-CVE-2024-26810-4371@gregkh/T/"
      },
      {
        "category": "external",
        "summary": "Linux CVE-2024-26812 Announcement vom 2024-04-04",
        "url": "https://lore.kernel.org/linux-cve-announce/2024040550-CVE-2024-26812-1e08@gregkh/T/"
      },
      {
        "category": "external",
        "summary": "Linux CVE-2024-26813 Announcement vom 2024-04-04",
        "url": "https://lore.kernel.org/linux-cve-announce/2024040551-CVE-2024-26813-b9e8@gregkh/T/"
      },
      {
        "category": "external",
        "summary": "Linux CVE-2024-26814 Announcement vom 2024-04-04",
        "url": "https://lore.kernel.org/linux-cve-announce/2024040551-CVE-2024-26814-b578@gregkh/T/"
      },
      {
        "category": "external",
        "summary": "Linux CVE-2024-27437 Announcement vom 2024-04-04",
        "url": "https://lore.kernel.org/linux-cve-announce/2024040551-CVE-2024-27437-cc07@gregkh/T/"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-5681 vom 2024-05-06",
        "url": "https://lists.debian.org/debian-security-announce/2024/msg00090.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6816-1 vom 2024-06-08",
        "url": "https://ubuntu.com/security/notices/USN-6816-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6817-1 vom 2024-06-08",
        "url": "https://ubuntu.com/security/notices/USN-6817-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6817-2 vom 2024-06-11",
        "url": "https://ubuntu.com/security/notices/USN-6817-2"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6817-3 vom 2024-06-14",
        "url": "https://ubuntu.com/security/notices/USN-6817-3"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-3842 vom 2024-06-25",
        "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6878-1 vom 2024-07-04",
        "url": "https://ubuntu.com/security/notices/USN-6878-1"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2360-1 vom 2024-07-09",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/018907.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6896-1 vom 2024-07-12",
        "url": "https://ubuntu.com/security/notices/USN-6896-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6898-1 vom 2024-07-15",
        "url": "https://ubuntu.com/security/notices/USN-6898-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6896-2 vom 2024-07-16",
        "url": "https://ubuntu.com/security/notices/USN-6896-2"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6898-2 vom 2024-07-17",
        "url": "https://ubuntu.com/security/notices/USN-6898-2"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6896-3 vom 2024-07-17",
        "url": "https://ubuntu.com/security/notices/USN-6896-3"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2561-1 vom 2024-07-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/019001.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6896-4 vom 2024-07-19",
        "url": "https://ubuntu.com/security/notices/USN-6896-4"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6898-3 vom 2024-07-19",
        "url": "https://ubuntu.com/security/notices/USN-6898-3"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2571-1 vom 2024-07-22",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/019019.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6896-5 vom 2024-07-23",
        "url": "https://ubuntu.com/security/notices/USN-6896-5"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6898-4 vom 2024-07-23",
        "url": "https://ubuntu.com/security/notices/USN-6898-4"
      },
      {
        "category": "external",
        "summary": "SEM 2024.2.1 release notes vom 2024-07-23",
        "url": "https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2024-2-1_release_notes.htm"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:4823 vom 2024-07-24",
        "url": "https://access.redhat.com/errata/RHSA-2024:4823"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:4831 vom 2024-07-24",
        "url": "https://access.redhat.com/errata/RHSA-2024:4831"
      }
    ],
    "source_lang": "en-US",
    "title": "Linux Kernel: Mehrere Schwachstellen erm\u00f6glichen Denial of Service",
    "tracking": {
      "current_release_date": "2024-07-24T22:00:00.000+00:00",
      "generator": {
        "date": "2024-07-25T08:35:00.831+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.0"
        }
      },
      "id": "WID-SEC-W-2024-0804",
      "initial_release_date": "2024-04-04T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-04-04T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2024-05-06T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2024-06-09T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-06-11T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-06-16T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-06-25T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2024-07-04T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-07-09T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-07-14T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-07-15T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-07-16T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-07-17T22:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-07-18T22:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-07-22T22:00:00.000+00:00",
          "number": "14",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-07-23T22:00:00.000+00:00",
          "number": "15",
          "summary": "Neue Updates aufgenommen"
        },
        {
          "date": "2024-07-24T22:00:00.000+00:00",
          "number": "16",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "16"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c6.1.84",
                "product": {
                  "name": "Open Source Linux Kernel \u003c6.1.84",
                  "product_id": "T033936",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:linux:linux_kernel:6.1.84"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.6.24",
                "product": {
                  "name": "Open Source Linux Kernel \u003c6.6.24",
                  "product_id": "T033937",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:linux:linux_kernel:6.6.24"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.7.12",
                "product": {
                  "name": "Open Source Linux Kernel \u003c6.7.12",
                  "product_id": "T033938",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:linux:linux_kernel:6.7.12"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.8.3",
                "product": {
                  "name": "Open Source Linux Kernel \u003c6.8.3",
                  "product_id": "T033939",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:linux:linux_kernel:6.8.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.9-rc1",
                "product": {
                  "name": "Open Source Linux Kernel \u003c6.9-rc1",
                  "product_id": "T033940",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:linux:linux_kernel:6.9-rc1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Linux Kernel"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2024.2",
                "product": {
                  "name": "SolarWinds Security Event Manager \u003c2024.2",
                  "product_id": "T034244",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:solarwinds:security_event_manager:2024.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Security Event Manager"
          }
        ],
        "category": "vendor",
        "name": "SolarWinds"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-26810",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel in den \"drivers/vfio\"-Komponenten. Sie werden durch Probleme bei der Behandlung von IRQ und ioctl sowie durch eine NULL-Zeiger-Dereferenz verursacht. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service-Zustand zu erzeugen und andere nicht spezifizierte Effekte zu verursachen."
        }
      ],
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T034244"
        ]
      },
      "release_date": "2024-04-04T22:00:00Z",
      "title": "CVE-2024-26810"
    },
    {
      "cve": "CVE-2024-26812",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel in den \"drivers/vfio\"-Komponenten. Sie werden durch Probleme bei der Behandlung von IRQ und ioctl sowie durch eine NULL-Zeiger-Dereferenz verursacht. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service-Zustand zu erzeugen und andere nicht spezifizierte Effekte zu verursachen."
        }
      ],
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T034244"
        ]
      },
      "release_date": "2024-04-04T22:00:00Z",
      "title": "CVE-2024-26812"
    },
    {
      "cve": "CVE-2024-26813",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel in den \"drivers/vfio\"-Komponenten. Sie werden durch Probleme bei der Behandlung von IRQ und ioctl sowie durch eine NULL-Zeiger-Dereferenz verursacht. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service-Zustand zu erzeugen und andere nicht spezifizierte Effekte zu verursachen."
        }
      ],
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T034244"
        ]
      },
      "release_date": "2024-04-04T22:00:00Z",
      "title": "CVE-2024-26813"
    },
    {
      "cve": "CVE-2024-26814",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel in den \"drivers/vfio\"-Komponenten. Sie werden durch Probleme bei der Behandlung von IRQ und ioctl sowie durch eine NULL-Zeiger-Dereferenz verursacht. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service-Zustand zu erzeugen und andere nicht spezifizierte Effekte zu verursachen."
        }
      ],
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T034244"
        ]
      },
      "release_date": "2024-04-04T22:00:00Z",
      "title": "CVE-2024-26814"
    },
    {
      "cve": "CVE-2024-27437",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel in den \"drivers/vfio\"-Komponenten. Sie werden durch Probleme bei der Behandlung von IRQ und ioctl sowie durch eine NULL-Zeiger-Dereferenz verursacht. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service-Zustand zu erzeugen und andere nicht spezifizierte Effekte zu verursachen."
        }
      ],
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T034244"
        ]
      },
      "release_date": "2024-04-04T22:00:00Z",
      "title": "CVE-2024-27437"
    }
  ]
}

gsd-2024-26812

Vulnerability from gsd

Modified

2024-02-20 06:02

Details

In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Create persistent INTx handler A vulnerability exists where the eventfd for INTx signaling can be deconfigured, which unregisters the IRQ handler but still allows eventfds to be signaled with a NULL context through the SET_IRQS ioctl or through unmask irqfd if the device interrupt is pending. Ideally this could be solved with some additional locking; the igate mutex serializes the ioctl and config space accesses, and the interrupt handler is unregistered relative to the trigger, but the irqfd path runs asynchronous to those. The igate mutex cannot be acquired from the atomic context of the eventfd wake function. Disabling the irqfd relative to the eventfd registration is potentially incompatible with existing userspace. As a result, the solution implemented here moves configuration of the INTx interrupt handler to track the lifetime of the INTx context object and irq_type configuration, rather than registration of a particular trigger eventfd. Synchronization is added between the ioctl path and eventfd_signal() wrapper such that the eventfd trigger can be dynamically updated relative to in-flight interrupts or irqfd callbacks.

Aliases

CVE-2024-26812

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-26812"
      ],
      "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Create persistent INTx handler\n\nA vulnerability exists where the eventfd for INTx signaling can be\ndeconfigured, which unregisters the IRQ handler but still allows\neventfds to be signaled with a NULL context through the SET_IRQS ioctl\nor through unmask irqfd if the device interrupt is pending.\n\nIdeally this could be solved with some additional locking; the igate\nmutex serializes the ioctl and config space accesses, and the interrupt\nhandler is unregistered relative to the trigger, but the irqfd path\nruns asynchronous to those.  The igate mutex cannot be acquired from the\natomic context of the eventfd wake function.  Disabling the irqfd\nrelative to the eventfd registration is potentially incompatible with\nexisting userspace.\n\nAs a result, the solution implemented here moves configuration of the\nINTx interrupt handler to track the lifetime of the INTx context object\nand irq_type configuration, rather than registration of a particular\ntrigger eventfd.  Synchronization is added between the ioctl path and\neventfd_signal() wrapper such that the eventfd trigger can be\ndynamically updated relative to in-flight interrupts or irqfd callbacks.",
      "id": "GSD-2024-26812",
      "modified": "2024-02-20T06:02:29.183082Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@kernel.org",
        "ID": "CVE-2024-26812",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Linux",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "89e1f7d4c66d",
                          "version_value": "b18fa894d615"
                        },
                        {
                          "version_value": "not down converted",
                          "x_cve_json_5_version_data": {
                            "defaultStatus": "affected",
                            "versions": [
                              {
                                "status": "affected",
                                "version": "3.6"
                              },
                              {
                                "lessThan": "3.6",
                                "status": "unaffected",
                                "version": "0",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "5.4.*",
                                "status": "unaffected",
                                "version": "5.4.274",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "5.10.*",
                                "status": "unaffected",
                                "version": "5.10.215",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "5.15.*",
                                "status": "unaffected",
                                "version": "5.15.154",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "6.1.*",
                                "status": "unaffected",
                                "version": "6.1.84",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "6.6.*",
                                "status": "unaffected",
                                "version": "6.6.24",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "6.7.*",
                                "status": "unaffected",
                                "version": "6.7.12",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "6.8.*",
                                "status": "unaffected",
                                "version": "6.8.3",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "*",
                                "status": "unaffected",
                                "version": "6.9-rc1",
                                "versionType": "original_commit_for_fix"
                              }
                            ]
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Linux"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Create persistent INTx handler\n\nA vulnerability exists where the eventfd for INTx signaling can be\ndeconfigured, which unregisters the IRQ handler but still allows\neventfds to be signaled with a NULL context through the SET_IRQS ioctl\nor through unmask irqfd if the device interrupt is pending.\n\nIdeally this could be solved with some additional locking; the igate\nmutex serializes the ioctl and config space accesses, and the interrupt\nhandler is unregistered relative to the trigger, but the irqfd path\nruns asynchronous to those.  The igate mutex cannot be acquired from the\natomic context of the eventfd wake function.  Disabling the irqfd\nrelative to the eventfd registration is potentially incompatible with\nexisting userspace.\n\nAs a result, the solution implemented here moves configuration of the\nINTx interrupt handler to track the lifetime of the INTx context object\nand irq_type configuration, rather than registration of a particular\ntrigger eventfd.  Synchronization is added between the ioctl path and\neventfd_signal() wrapper such that the eventfd trigger can be\ndynamically updated relative to in-flight interrupts or irqfd callbacks."
          }
        ]
      },
      "generator": {
        "engine": "bippy-d175d3acf727"
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://git.kernel.org/stable/c/b18fa894d615c8527e15d96b76c7448800e13899",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/b18fa894d615c8527e15d96b76c7448800e13899"
          },
          {
            "name": "https://git.kernel.org/stable/c/27d40bf72dd9a6600b76ad05859176ea9a1b4897",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/27d40bf72dd9a6600b76ad05859176ea9a1b4897"
          },
          {
            "name": "https://git.kernel.org/stable/c/4cb0d7532126d23145329826c38054b4e9a05e7c",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/4cb0d7532126d23145329826c38054b4e9a05e7c"
          },
          {
            "name": "https://git.kernel.org/stable/c/7d29d4c72c1e196cce6969c98072a272d1a703b3",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/7d29d4c72c1e196cce6969c98072a272d1a703b3"
          },
          {
            "name": "https://git.kernel.org/stable/c/69276a555c740acfbff13fb5769ee9c92e1c828e",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/69276a555c740acfbff13fb5769ee9c92e1c828e"
          },
          {
            "name": "https://git.kernel.org/stable/c/4c089cefe30924fbe20dd1ee92774ea1f5eca834",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/4c089cefe30924fbe20dd1ee92774ea1f5eca834"
          },
          {
            "name": "https://git.kernel.org/stable/c/0e09cf81959d9f12b75ad5c6dd53d237432ed034",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/0e09cf81959d9f12b75ad5c6dd53d237432ed034"
          },
          {
            "name": "https://git.kernel.org/stable/c/18c198c96a815c962adc2b9b77909eec0be7df4d",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/18c198c96a815c962adc2b9b77909eec0be7df4d"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Create persistent INTx handler\n\nA vulnerability exists where the eventfd for INTx signaling can be\ndeconfigured, which unregisters the IRQ handler but still allows\neventfds to be signaled with a NULL context through the SET_IRQS ioctl\nor through unmask irqfd if the device interrupt is pending.\n\nIdeally this could be solved with some additional locking; the igate\nmutex serializes the ioctl and config space accesses, and the interrupt\nhandler is unregistered relative to the trigger, but the irqfd path\nruns asynchronous to those.  The igate mutex cannot be acquired from the\natomic context of the eventfd wake function.  Disabling the irqfd\nrelative to the eventfd registration is potentially incompatible with\nexisting userspace.\n\nAs a result, the solution implemented here moves configuration of the\nINTx interrupt handler to track the lifetime of the INTx context object\nand irq_type configuration, rather than registration of a particular\ntrigger eventfd.  Synchronization is added between the ioctl path and\neventfd_signal() wrapper such that the eventfd trigger can be\ndynamically updated relative to in-flight interrupts or irqfd callbacks."
          },
          {
            "lang": "es",
            "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: vfio/pci: crear un controlador INTx persistente Existe una vulnerabilidad donde se puede desconfigurar el eventfd para la se\u00f1alizaci\u00f3n INTx, lo que anula el registro del controlador IRQ pero a\u00fan permite que los eventfds se se\u00f1alen con un contexto NULL a trav\u00e9s de el SET_IRQS ioctl o mediante unmask irqfd si la interrupci\u00f3n del dispositivo est\u00e1 pendiente. Idealmente, esto podr\u00eda solucionarse con alg\u00fan bloqueo adicional; el igate mutex serializa los accesos al espacio ioctl y de configuraci\u00f3n, y el controlador de interrupciones no est\u00e1 registrado en relaci\u00f3n con el disparador, pero la ruta irqfd se ejecuta de forma asincr\u00f3nica con respecto a ellos. El mutex igate no se puede adquirir desde el contexto at\u00f3mico de la funci\u00f3n de activaci\u00f3n eventfd. Deshabilitar el irqfd en relaci\u00f3n con el registro de eventfd es potencialmente incompatible con el espacio de usuario existente. Como resultado, la soluci\u00f3n implementada aqu\u00ed mueve la configuraci\u00f3n del controlador de interrupciones INTx para rastrear la vida \u00fatil del objeto de contexto INTx y la configuraci\u00f3n irq_type, en lugar del registro de un evento desencadenante particular. Se agrega sincronizaci\u00f3n entre la ruta ioctl y el contenedor eventfd_signal() de modo que el disparador eventfd se pueda actualizar din\u00e1micamente en relaci\u00f3n con las interrupciones en curso o las devoluciones de llamada irqfd."
          }
        ],
        "id": "CVE-2024-26812",
        "lastModified": "2024-04-13T12:15:11.580",
        "metrics": {},
        "published": "2024-04-05T09:15:09.283",
        "references": [
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/0e09cf81959d9f12b75ad5c6dd53d237432ed034"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/18c198c96a815c962adc2b9b77909eec0be7df4d"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/27d40bf72dd9a6600b76ad05859176ea9a1b4897"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/4c089cefe30924fbe20dd1ee92774ea1f5eca834"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/4cb0d7532126d23145329826c38054b4e9a05e7c"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/69276a555c740acfbff13fb5769ee9c92e1c828e"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/7d29d4c72c1e196cce6969c98072a272d1a703b3"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/b18fa894d615c8527e15d96b76c7448800e13899"
          }
        ],
        "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "vulnStatus": "Awaiting Analysis"
      }
    }
  }
}

Action not permitted

cve-2024-26812

Vulnerability from cvelistv5

ghsa-p8g6-7v7w-4whg

Vulnerability from github

wid-sec-w-2024-0804

Vulnerability from csaf_certbund

gsd-2024-26812

Vulnerability from gsd

Tags