cvelistv5 - cve-2024-26813

Source	URL	Tags
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/07afdfd8a68f9eea8db0ddc4626c874f29d2ac5e
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/09452c8fcbd7817c06e8e3212d99b45917e603a5
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/0f8d8f9c2173a541812dd750529f4a415117eb29
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/62d4e43a569b67929eb3319780be5359694c8086
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/675daf435e9f8e5a5eab140a9864dfad6668b375
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/7932db06c82c5b2f42a4d1a849d97dba9ce4a362
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/cc5838f19d39a5fef04c468199699d2a4578be3a
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/d6bedd6acc0bcb1e7e010bc046032e47f08d379f
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

Vendor	Product
Linux	Linux
Linux	Linux

wid-sec-w-2024-0804

Vulnerability from csaf_certbund

Published

2024-04-04 22:00

Modified

2024-07-24 22:00

Summary

Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Der Kernel stellt den Kern des Linux Betriebssystems dar.

Angriff

Ein lokaler Angreifer kann mehrere Schwachstellen in Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen.

Betroffene Betriebssysteme

- Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein lokaler Angreifer kann mehrere Schwachstellen in Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-0804 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0804.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-0804 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0804"
      },
      {
        "category": "external",
        "summary": "Linux CVE-Announcements vom 2024-04-04",
        "url": "https://lore.kernel.org/linux-cve-announce/"
      },
      {
        "category": "external",
        "summary": "Linux CVE-2024-26810 Announcement vom 2024-04-04",
        "url": "https://lore.kernel.org/linux-cve-announce/2024040548-CVE-2024-26810-4371@gregkh/T/"
      },
      {
        "category": "external",
        "summary": "Linux CVE-2024-26812 Announcement vom 2024-04-04",
        "url": "https://lore.kernel.org/linux-cve-announce/2024040550-CVE-2024-26812-1e08@gregkh/T/"
      },
      {
        "category": "external",
        "summary": "Linux CVE-2024-26813 Announcement vom 2024-04-04",
        "url": "https://lore.kernel.org/linux-cve-announce/2024040551-CVE-2024-26813-b9e8@gregkh/T/"
      },
      {
        "category": "external",
        "summary": "Linux CVE-2024-26814 Announcement vom 2024-04-04",
        "url": "https://lore.kernel.org/linux-cve-announce/2024040551-CVE-2024-26814-b578@gregkh/T/"
      },
      {
        "category": "external",
        "summary": "Linux CVE-2024-27437 Announcement vom 2024-04-04",
        "url": "https://lore.kernel.org/linux-cve-announce/2024040551-CVE-2024-27437-cc07@gregkh/T/"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-5681 vom 2024-05-06",
        "url": "https://lists.debian.org/debian-security-announce/2024/msg00090.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6816-1 vom 2024-06-08",
        "url": "https://ubuntu.com/security/notices/USN-6816-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6817-1 vom 2024-06-08",
        "url": "https://ubuntu.com/security/notices/USN-6817-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6817-2 vom 2024-06-11",
        "url": "https://ubuntu.com/security/notices/USN-6817-2"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6817-3 vom 2024-06-14",
        "url": "https://ubuntu.com/security/notices/USN-6817-3"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-3842 vom 2024-06-25",
        "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6878-1 vom 2024-07-04",
        "url": "https://ubuntu.com/security/notices/USN-6878-1"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2360-1 vom 2024-07-09",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/018907.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6896-1 vom 2024-07-12",
        "url": "https://ubuntu.com/security/notices/USN-6896-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6898-1 vom 2024-07-15",
        "url": "https://ubuntu.com/security/notices/USN-6898-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6896-2 vom 2024-07-16",
        "url": "https://ubuntu.com/security/notices/USN-6896-2"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6898-2 vom 2024-07-17",
        "url": "https://ubuntu.com/security/notices/USN-6898-2"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6896-3 vom 2024-07-17",
        "url": "https://ubuntu.com/security/notices/USN-6896-3"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2561-1 vom 2024-07-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/019001.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6896-4 vom 2024-07-19",
        "url": "https://ubuntu.com/security/notices/USN-6896-4"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6898-3 vom 2024-07-19",
        "url": "https://ubuntu.com/security/notices/USN-6898-3"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2571-1 vom 2024-07-22",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/019019.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6896-5 vom 2024-07-23",
        "url": "https://ubuntu.com/security/notices/USN-6896-5"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6898-4 vom 2024-07-23",
        "url": "https://ubuntu.com/security/notices/USN-6898-4"
      },
      {
        "category": "external",
        "summary": "SEM 2024.2.1 release notes vom 2024-07-23",
        "url": "https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2024-2-1_release_notes.htm"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:4823 vom 2024-07-24",
        "url": "https://access.redhat.com/errata/RHSA-2024:4823"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:4831 vom 2024-07-24",
        "url": "https://access.redhat.com/errata/RHSA-2024:4831"
      }
    ],
    "source_lang": "en-US",
    "title": "Linux Kernel: Mehrere Schwachstellen erm\u00f6glichen Denial of Service",
    "tracking": {
      "current_release_date": "2024-07-24T22:00:00.000+00:00",
      "generator": {
        "date": "2024-07-25T08:35:00.831+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.0"
        }
      },
      "id": "WID-SEC-W-2024-0804",
      "initial_release_date": "2024-04-04T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-04-04T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2024-05-06T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2024-06-09T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-06-11T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-06-16T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-06-25T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2024-07-04T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-07-09T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-07-14T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-07-15T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-07-16T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-07-17T22:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-07-18T22:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-07-22T22:00:00.000+00:00",
          "number": "14",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-07-23T22:00:00.000+00:00",
          "number": "15",
          "summary": "Neue Updates aufgenommen"
        },
        {
          "date": "2024-07-24T22:00:00.000+00:00",
          "number": "16",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "16"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c6.1.84",
                "product": {
                  "name": "Open Source Linux Kernel \u003c6.1.84",
                  "product_id": "T033936",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:linux:linux_kernel:6.1.84"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.6.24",
                "product": {
                  "name": "Open Source Linux Kernel \u003c6.6.24",
                  "product_id": "T033937",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:linux:linux_kernel:6.6.24"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.7.12",
                "product": {
                  "name": "Open Source Linux Kernel \u003c6.7.12",
                  "product_id": "T033938",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:linux:linux_kernel:6.7.12"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.8.3",
                "product": {
                  "name": "Open Source Linux Kernel \u003c6.8.3",
                  "product_id": "T033939",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:linux:linux_kernel:6.8.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.9-rc1",
                "product": {
                  "name": "Open Source Linux Kernel \u003c6.9-rc1",
                  "product_id": "T033940",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:linux:linux_kernel:6.9-rc1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Linux Kernel"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2024.2",
                "product": {
                  "name": "SolarWinds Security Event Manager \u003c2024.2",
                  "product_id": "T034244",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:solarwinds:security_event_manager:2024.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Security Event Manager"
          }
        ],
        "category": "vendor",
        "name": "SolarWinds"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-26810",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel in den \"drivers/vfio\"-Komponenten. Sie werden durch Probleme bei der Behandlung von IRQ und ioctl sowie durch eine NULL-Zeiger-Dereferenz verursacht. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service-Zustand zu erzeugen und andere nicht spezifizierte Effekte zu verursachen."
        }
      ],
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T034244"
        ]
      },
      "release_date": "2024-04-04T22:00:00Z",
      "title": "CVE-2024-26810"
    },
    {
      "cve": "CVE-2024-26812",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel in den \"drivers/vfio\"-Komponenten. Sie werden durch Probleme bei der Behandlung von IRQ und ioctl sowie durch eine NULL-Zeiger-Dereferenz verursacht. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service-Zustand zu erzeugen und andere nicht spezifizierte Effekte zu verursachen."
        }
      ],
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T034244"
        ]
      },
      "release_date": "2024-04-04T22:00:00Z",
      "title": "CVE-2024-26812"
    },
    {
      "cve": "CVE-2024-26813",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel in den \"drivers/vfio\"-Komponenten. Sie werden durch Probleme bei der Behandlung von IRQ und ioctl sowie durch eine NULL-Zeiger-Dereferenz verursacht. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service-Zustand zu erzeugen und andere nicht spezifizierte Effekte zu verursachen."
        }
      ],
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T034244"
        ]
      },
      "release_date": "2024-04-04T22:00:00Z",
      "title": "CVE-2024-26813"
    },
    {
      "cve": "CVE-2024-26814",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel in den \"drivers/vfio\"-Komponenten. Sie werden durch Probleme bei der Behandlung von IRQ und ioctl sowie durch eine NULL-Zeiger-Dereferenz verursacht. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service-Zustand zu erzeugen und andere nicht spezifizierte Effekte zu verursachen."
        }
      ],
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T034244"
        ]
      },
      "release_date": "2024-04-04T22:00:00Z",
      "title": "CVE-2024-26814"
    },
    {
      "cve": "CVE-2024-27437",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel in den \"drivers/vfio\"-Komponenten. Sie werden durch Probleme bei der Behandlung von IRQ und ioctl sowie durch eine NULL-Zeiger-Dereferenz verursacht. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service-Zustand zu erzeugen und andere nicht spezifizierte Effekte zu verursachen."
        }
      ],
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T034244"
        ]
      },
      "release_date": "2024-04-04T22:00:00Z",
      "title": "CVE-2024-27437"
    }
  ]
}

ghsa-69h6-fpm9-fc3r

Vulnerability from github

Published

2024-04-05 09:30

Modified

2024-06-26 00:31

Details

In the Linux kernel, the following vulnerability has been resolved:

vfio/platform: Create persistent IRQ handlers

The vfio-platform SET_IRQS ioctl currently allows loopback triggering of an interrupt before a signaling eventfd has been configured by the user, which thereby allows a NULL pointer dereference.

Rather than register the IRQ relative to a valid trigger, register all IRQs in a disabled state in the device open path. This allows mask operations on the IRQ to nest within the overall enable state governed by a valid eventfd signal. This decouples @masked, protected by the @locked spinlock from @trigger, protected via the @igate mutex.

In doing so, it's guaranteed that changes to @trigger cannot race the IRQ handlers because the IRQ handler is synchronously disabled before modifying the trigger, and loopback triggering of the IRQ via ioctl is safe due to serialization with trigger changes via igate.

For compatibility, request_irq() failures are maintained to be local to the SET_IRQS ioctl rather than a fatal error in the open device path. This allows, for example, a userspace driver with polling mode support to continue to work regardless of moving the request_irq() call site. This necessarily blocks all SET_IRQS access to the failed index.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-26813"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-05T09:15:09Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/platform: Create persistent IRQ handlers\n\nThe vfio-platform SET_IRQS ioctl currently allows loopback triggering of\nan interrupt before a signaling eventfd has been configured by the user,\nwhich thereby allows a NULL pointer dereference.\n\nRather than register the IRQ relative to a valid trigger, register all\nIRQs in a disabled state in the device open path.  This allows mask\noperations on the IRQ to nest within the overall enable state governed\nby a valid eventfd signal.  This decouples @masked, protected by the\n@locked spinlock from @trigger, protected via the @igate mutex.\n\nIn doing so, it\u0027s guaranteed that changes to @trigger cannot race the\nIRQ handlers because the IRQ handler is synchronously disabled before\nmodifying the trigger, and loopback triggering of the IRQ via ioctl is\nsafe due to serialization with trigger changes via igate.\n\nFor compatibility, request_irq() failures are maintained to be local to\nthe SET_IRQS ioctl rather than a fatal error in the open device path.\nThis allows, for example, a userspace driver with polling mode support\nto continue to work regardless of moving the request_irq() call site.\nThis necessarily blocks all SET_IRQS access to the failed index.",
  "id": "GHSA-69h6-fpm9-fc3r",
  "modified": "2024-06-26T00:31:36Z",
  "published": "2024-04-05T09:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26813"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/07afdfd8a68f9eea8db0ddc4626c874f29d2ac5e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/09452c8fcbd7817c06e8e3212d99b45917e603a5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0f8d8f9c2173a541812dd750529f4a415117eb29"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/62d4e43a569b67929eb3319780be5359694c8086"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/675daf435e9f8e5a5eab140a9864dfad6668b375"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7932db06c82c5b2f42a4d1a849d97dba9ce4a362"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cc5838f19d39a5fef04c468199699d2a4578be3a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d6bedd6acc0bcb1e7e010bc046032e47f08d379f"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

gsd-2024-26813

Vulnerability from gsd

Modified

2024-02-20 06:02

Details

In the Linux kernel, the following vulnerability has been resolved: vfio/platform: Create persistent IRQ handlers The vfio-platform SET_IRQS ioctl currently allows loopback triggering of an interrupt before a signaling eventfd has been configured by the user, which thereby allows a NULL pointer dereference. Rather than register the IRQ relative to a valid trigger, register all IRQs in a disabled state in the device open path. This allows mask operations on the IRQ to nest within the overall enable state governed by a valid eventfd signal. This decouples @masked, protected by the @locked spinlock from @trigger, protected via the @igate mutex. In doing so, it's guaranteed that changes to @trigger cannot race the IRQ handlers because the IRQ handler is synchronously disabled before modifying the trigger, and loopback triggering of the IRQ via ioctl is safe due to serialization with trigger changes via igate. For compatibility, request_irq() failures are maintained to be local to the SET_IRQS ioctl rather than a fatal error in the open device path. This allows, for example, a userspace driver with polling mode support to continue to work regardless of moving the request_irq() call site. This necessarily blocks all SET_IRQS access to the failed index.

Aliases

CVE-2024-26813

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-26813"
      ],
      "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/platform: Create persistent IRQ handlers\n\nThe vfio-platform SET_IRQS ioctl currently allows loopback triggering of\nan interrupt before a signaling eventfd has been configured by the user,\nwhich thereby allows a NULL pointer dereference.\n\nRather than register the IRQ relative to a valid trigger, register all\nIRQs in a disabled state in the device open path.  This allows mask\noperations on the IRQ to nest within the overall enable state governed\nby a valid eventfd signal.  This decouples @masked, protected by the\n@locked spinlock from @trigger, protected via the @igate mutex.\n\nIn doing so, it\u0027s guaranteed that changes to @trigger cannot race the\nIRQ handlers because the IRQ handler is synchronously disabled before\nmodifying the trigger, and loopback triggering of the IRQ via ioctl is\nsafe due to serialization with trigger changes via igate.\n\nFor compatibility, request_irq() failures are maintained to be local to\nthe SET_IRQS ioctl rather than a fatal error in the open device path.\nThis allows, for example, a userspace driver with polling mode support\nto continue to work regardless of moving the request_irq() call site.\nThis necessarily blocks all SET_IRQS access to the failed index.",
      "id": "GSD-2024-26813",
      "modified": "2024-02-20T06:02:29.135073Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@kernel.org",
        "ID": "CVE-2024-26813",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Linux",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "57f972e2b341",
                          "version_value": "07afdfd8a68f"
                        },
                        {
                          "version_value": "not down converted",
                          "x_cve_json_5_version_data": {
                            "defaultStatus": "affected",
                            "versions": [
                              {
                                "status": "affected",
                                "version": "4.1"
                              },
                              {
                                "lessThan": "4.1",
                                "status": "unaffected",
                                "version": "0",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "5.4.*",
                                "status": "unaffected",
                                "version": "5.4.274",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "5.10.*",
                                "status": "unaffected",
                                "version": "5.10.215",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "5.15.*",
                                "status": "unaffected",
                                "version": "5.15.154",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "6.1.*",
                                "status": "unaffected",
                                "version": "6.1.84",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "6.6.*",
                                "status": "unaffected",
                                "version": "6.6.24",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "6.7.*",
                                "status": "unaffected",
                                "version": "6.7.12",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "6.8.*",
                                "status": "unaffected",
                                "version": "6.8.3",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "*",
                                "status": "unaffected",
                                "version": "6.9-rc1",
                                "versionType": "original_commit_for_fix"
                              }
                            ]
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Linux"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/platform: Create persistent IRQ handlers\n\nThe vfio-platform SET_IRQS ioctl currently allows loopback triggering of\nan interrupt before a signaling eventfd has been configured by the user,\nwhich thereby allows a NULL pointer dereference.\n\nRather than register the IRQ relative to a valid trigger, register all\nIRQs in a disabled state in the device open path.  This allows mask\noperations on the IRQ to nest within the overall enable state governed\nby a valid eventfd signal.  This decouples @masked, protected by the\n@locked spinlock from @trigger, protected via the @igate mutex.\n\nIn doing so, it\u0027s guaranteed that changes to @trigger cannot race the\nIRQ handlers because the IRQ handler is synchronously disabled before\nmodifying the trigger, and loopback triggering of the IRQ via ioctl is\nsafe due to serialization with trigger changes via igate.\n\nFor compatibility, request_irq() failures are maintained to be local to\nthe SET_IRQS ioctl rather than a fatal error in the open device path.\nThis allows, for example, a userspace driver with polling mode support\nto continue to work regardless of moving the request_irq() call site.\nThis necessarily blocks all SET_IRQS access to the failed index."
          }
        ]
      },
      "generator": {
        "engine": "bippy-d175d3acf727"
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://git.kernel.org/stable/c/07afdfd8a68f9eea8db0ddc4626c874f29d2ac5e",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/07afdfd8a68f9eea8db0ddc4626c874f29d2ac5e"
          },
          {
            "name": "https://git.kernel.org/stable/c/09452c8fcbd7817c06e8e3212d99b45917e603a5",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/09452c8fcbd7817c06e8e3212d99b45917e603a5"
          },
          {
            "name": "https://git.kernel.org/stable/c/cc5838f19d39a5fef04c468199699d2a4578be3a",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/cc5838f19d39a5fef04c468199699d2a4578be3a"
          },
          {
            "name": "https://git.kernel.org/stable/c/7932db06c82c5b2f42a4d1a849d97dba9ce4a362",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/7932db06c82c5b2f42a4d1a849d97dba9ce4a362"
          },
          {
            "name": "https://git.kernel.org/stable/c/62d4e43a569b67929eb3319780be5359694c8086",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/62d4e43a569b67929eb3319780be5359694c8086"
          },
          {
            "name": "https://git.kernel.org/stable/c/d6bedd6acc0bcb1e7e010bc046032e47f08d379f",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/d6bedd6acc0bcb1e7e010bc046032e47f08d379f"
          },
          {
            "name": "https://git.kernel.org/stable/c/0f8d8f9c2173a541812dd750529f4a415117eb29",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/0f8d8f9c2173a541812dd750529f4a415117eb29"
          },
          {
            "name": "https://git.kernel.org/stable/c/675daf435e9f8e5a5eab140a9864dfad6668b375",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/675daf435e9f8e5a5eab140a9864dfad6668b375"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/platform: Create persistent IRQ handlers\n\nThe vfio-platform SET_IRQS ioctl currently allows loopback triggering of\nan interrupt before a signaling eventfd has been configured by the user,\nwhich thereby allows a NULL pointer dereference.\n\nRather than register the IRQ relative to a valid trigger, register all\nIRQs in a disabled state in the device open path.  This allows mask\noperations on the IRQ to nest within the overall enable state governed\nby a valid eventfd signal.  This decouples @masked, protected by the\n@locked spinlock from @trigger, protected via the @igate mutex.\n\nIn doing so, it\u0027s guaranteed that changes to @trigger cannot race the\nIRQ handlers because the IRQ handler is synchronously disabled before\nmodifying the trigger, and loopback triggering of the IRQ via ioctl is\nsafe due to serialization with trigger changes via igate.\n\nFor compatibility, request_irq() failures are maintained to be local to\nthe SET_IRQS ioctl rather than a fatal error in the open device path.\nThis allows, for example, a userspace driver with polling mode support\nto continue to work regardless of moving the request_irq() call site.\nThis necessarily blocks all SET_IRQS access to the failed index."
          },
          {
            "lang": "es",
            "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: vfio/plataforma: cree controladores IRQ persistentes. La plataforma vfio SET_IRQS ioctl actualmente permite la activaci\u00f3n de bucle invertido de una interrupci\u00f3n antes de que el usuario haya configurado un evento de se\u00f1alizaci\u00f3n, lo que permite un puntero NULL. desreferencia. En lugar de registrar la IRQ relativa a un activador v\u00e1lido, registre todas las IRQ en estado deshabilitado en la ruta abierta del dispositivo. Esto permite que las operaciones de m\u00e1scara en la IRQ se aniden dentro del estado de habilitaci\u00f3n general gobernado por una se\u00f1al eventfd v\u00e1lida. Esto desacopla a @masked, protegido por el spinlock @locked de @trigger, protegido a trav\u00e9s del mutex @igate. Al hacerlo, se garantiza que los cambios en @trigger no puedan competir con los controladores IRQ porque el controlador IRQ se desactiva sincr\u00f3nicamente antes de modificar el disparador, y la activaci\u00f3n en bucle invertido de la IRQ a trav\u00e9s de ioctl es segura debido a la serializaci\u00f3n con cambios en el disparador a trav\u00e9s de igate. Por compatibilidad, las fallas de request_irq() se mantienen locales para el ioctl SET_IRQS en lugar de un error fatal en la ruta abierta del dispositivo. Esto permite, por ejemplo, que un controlador de espacio de usuario compatible con el modo de sondeo contin\u00fae funcionando independientemente de mover el sitio de llamada request_irq(). Esto necesariamente bloquea todo el acceso SET_IRQS al \u00edndice fallido."
          }
        ],
        "id": "CVE-2024-26813",
        "lastModified": "2024-04-13T12:15:11.633",
        "metrics": {},
        "published": "2024-04-05T09:15:09.340",
        "references": [
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/07afdfd8a68f9eea8db0ddc4626c874f29d2ac5e"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/09452c8fcbd7817c06e8e3212d99b45917e603a5"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/0f8d8f9c2173a541812dd750529f4a415117eb29"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/62d4e43a569b67929eb3319780be5359694c8086"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/675daf435e9f8e5a5eab140a9864dfad6668b375"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/7932db06c82c5b2f42a4d1a849d97dba9ce4a362"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/cc5838f19d39a5fef04c468199699d2a4578be3a"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/d6bedd6acc0bcb1e7e010bc046032e47f08d379f"
          }
        ],
        "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "vulnStatus": "Awaiting Analysis"
      }
    }
  }
}

Action not permitted

cve-2024-26813

Vulnerability from cvelistv5

wid-sec-w-2024-0804

Vulnerability from csaf_certbund

ghsa-69h6-fpm9-fc3r

Vulnerability from github

gsd-2024-26813

Vulnerability from gsd

Tags