cve-2024-26847
Vulnerability from cvelistv5
Published
2024-04-17 10:14
Modified
2024-12-19 08:48
Summary
In the Linux kernel, the following vulnerability has been resolved:

powerpc/rtas: use correct function name for resetting TCE tables

The PAPR spec spells the function name as "ibm,reset-pe-dma-windows" but in practice firmware uses the singular form: "ibm,reset-pe-dma-window" in the device tree. Since we have the wrong spelling in the RTAS function table, reverse lookups (token -> name) fail and warn:

  unexpected failed lookup for token 86
  WARNING: CPU: 1 PID: 545 at arch/powerpc/kernel/rtas.c:659 __do_enter_rtas_trace+0x2a4/0x2b4
  CPU: 1 PID: 545 Comm: systemd-udevd Not tainted 6.8.0-rc4 #30
  Hardware name: IBM,9105-22A POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NL1060_028) hv:phyp pSeries
  NIP [c0000000000417f0] __do_enter_rtas_trace+0x2a4/0x2b4
  LR [c0000000000417ec] __do_enter_rtas_trace+0x2a0/0x2b4
  Call Trace:
   __do_enter_rtas_trace+0x2a0/0x2b4 (unreliable)
   rtas_call+0x1f8/0x3e0
   enable_ddw.constprop.0+0x4d0/0xc84
   dma_iommu_dma_supported+0xe8/0x24c
   dma_set_mask+0x5c/0xd8
   mlx5_pci_init.constprop.0+0xf0/0x46c [mlx5_core]
   probe_one+0xfc/0x32c [mlx5_core]
   local_pci_probe+0x68/0x12c
   pci_call_probe+0x68/0x1ec
   pci_device_probe+0xbc/0x1a8
   really_probe+0x104/0x570
   __driver_probe_device+0xb8/0x224
   driver_probe_device+0x54/0x130
   __driver_attach+0x158/0x2b0
   bus_for_each_dev+0xa8/0x120
   driver_attach+0x34/0x48
   bus_add_driver+0x174/0x304
   driver_register+0x8c/0x1c4
   __pci_register_driver+0x68/0x7c
   mlx5_init+0xb8/0x118 [mlx5_core]
   do_one_initcall+0x60/0x388
   do_init_module+0x7c/0x2a4
   init_module_from_file+0xb4/0x108
   idempotent_init_module+0x184/0x34c
   sys_finit_module+0x90/0x114

And oopses are possible when lockdep is enabled or the RTAS tracepoints are active, since those paths dereference the result of the lookup.

Use the correct spelling to match firmware's behavior, adjusting the related constants to match.
Impacted products
Vendor Product Version
Linux Linux Version: 6.3


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-26847",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-12T17:34:17.361850Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-01T14:59:26.567Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.646Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6b6282d56b14879124416a23837af9bd52ae2dfb"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/dd63817baf334888289877ab1db1d866af2a6479"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/fad87dbd48156ab940538f052f1820f4b6ed2819"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/include/asm/rtas.h",
            "arch/powerpc/kernel/rtas.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6b6282d56b14879124416a23837af9bd52ae2dfb",
              "status": "affected",
              "version": "8252b88294d2a744df6e3c6d85909ade403a5f2c",
              "versionType": "git"
            },
            {
              "lessThan": "dd63817baf334888289877ab1db1d866af2a6479",
              "status": "affected",
              "version": "8252b88294d2a744df6e3c6d85909ade403a5f2c",
              "versionType": "git"
            },
            {
              "lessThan": "fad87dbd48156ab940538f052f1820f4b6ed2819",
              "status": "affected",
              "version": "8252b88294d2a744df6e3c6d85909ade403a5f2c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/include/asm/rtas.h",
            "arch/powerpc/kernel/rtas.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/rtas: use correct function name for resetting TCE tables\n\nThe PAPR spec spells the function name as\n\n  \"ibm,reset-pe-dma-windows\"\n\nbut in practice firmware uses the singular form:\n\n  \"ibm,reset-pe-dma-window\"\n\nin the device tree. Since we have the wrong spelling in the RTAS\nfunction table, reverse lookups (token -\u003e name) fail and warn:\n\n  unexpected failed lookup for token 86\n  WARNING: CPU: 1 PID: 545 at arch/powerpc/kernel/rtas.c:659 __do_enter_rtas_trace+0x2a4/0x2b4\n  CPU: 1 PID: 545 Comm: systemd-udevd Not tainted 6.8.0-rc4 #30\n  Hardware name: IBM,9105-22A POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NL1060_028) hv:phyp pSeries\n  NIP [c0000000000417f0] __do_enter_rtas_trace+0x2a4/0x2b4\n  LR [c0000000000417ec] __do_enter_rtas_trace+0x2a0/0x2b4\n  Call Trace:\n   __do_enter_rtas_trace+0x2a0/0x2b4 (unreliable)\n   rtas_call+0x1f8/0x3e0\n   enable_ddw.constprop.0+0x4d0/0xc84\n   dma_iommu_dma_supported+0xe8/0x24c\n   dma_set_mask+0x5c/0xd8\n   mlx5_pci_init.constprop.0+0xf0/0x46c [mlx5_core]\n   probe_one+0xfc/0x32c [mlx5_core]\n   local_pci_probe+0x68/0x12c\n   pci_call_probe+0x68/0x1ec\n   pci_device_probe+0xbc/0x1a8\n   really_probe+0x104/0x570\n   __driver_probe_device+0xb8/0x224\n   driver_probe_device+0x54/0x130\n   __driver_attach+0x158/0x2b0\n   bus_for_each_dev+0xa8/0x120\n   driver_attach+0x34/0x48\n   bus_add_driver+0x174/0x304\n   driver_register+0x8c/0x1c4\n   __pci_register_driver+0x68/0x7c\n   mlx5_init+0xb8/0x118 [mlx5_core]\n   do_one_initcall+0x60/0x388\n   do_init_module+0x7c/0x2a4\n   init_module_from_file+0xb4/0x108\n   idempotent_init_module+0x184/0x34c\n   sys_finit_module+0x90/0x114\n\nAnd oopses are possible when lockdep is enabled or the RTAS\ntracepoints are active, since those paths dereference the result of\nthe lookup.\n\nUse the correct spelling to match firmware\u0027s behavior, adjusting the\nrelated 
constants to match."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:48:36.456Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6b6282d56b14879124416a23837af9bd52ae2dfb"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd63817baf334888289877ab1db1d866af2a6479"
        },
        {
          "url": "https://git.kernel.org/stable/c/fad87dbd48156ab940538f052f1820f4b6ed2819"
        }
      ],
      "title": "powerpc/rtas: use correct function name for resetting TCE tables",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26847",
    "datePublished": "2024-04-17T10:14:18.901Z",
    "dateReserved": "2024-02-19T14:20:24.182Z",
    "dateUpdated": "2024-12-19T08:48:36.456Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26847\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-17T11:15:08.273\",\"lastModified\":\"2024-11-21T09:03:12.127\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc/rtas: use correct function name for resetting TCE tables\\n\\nThe PAPR spec spells the function name as\\n\\n  \\\"ibm,reset-pe-dma-windows\\\"\\n\\nbut in practice firmware uses the singular form:\\n\\n  \\\"ibm,reset-pe-dma-window\\\"\\n\\nin the device tree. Since we have the wrong spelling in the RTAS\\nfunction table, reverse lookups (token -\u003e name) fail and warn:\\n\\n  unexpected failed lookup for token 86\\n  WARNING: CPU: 1 PID: 545 at arch/powerpc/kernel/rtas.c:659 __do_enter_rtas_trace+0x2a4/0x2b4\\n  CPU: 1 PID: 545 Comm: systemd-udevd Not tainted 6.8.0-rc4 #30\\n  Hardware name: IBM,9105-22A POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NL1060_028) hv:phyp pSeries\\n  NIP [c0000000000417f0] __do_enter_rtas_trace+0x2a4/0x2b4\\n  LR [c0000000000417ec] __do_enter_rtas_trace+0x2a0/0x2b4\\n  Call Trace:\\n   __do_enter_rtas_trace+0x2a0/0x2b4 (unreliable)\\n   rtas_call+0x1f8/0x3e0\\n   enable_ddw.constprop.0+0x4d0/0xc84\\n   dma_iommu_dma_supported+0xe8/0x24c\\n   dma_set_mask+0x5c/0xd8\\n   mlx5_pci_init.constprop.0+0xf0/0x46c [mlx5_core]\\n   probe_one+0xfc/0x32c [mlx5_core]\\n   local_pci_probe+0x68/0x12c\\n   pci_call_probe+0x68/0x1ec\\n   pci_device_probe+0xbc/0x1a8\\n   really_probe+0x104/0x570\\n   __driver_probe_device+0xb8/0x224\\n   driver_probe_device+0x54/0x130\\n   __driver_attach+0x158/0x2b0\\n   bus_for_each_dev+0xa8/0x120\\n   driver_attach+0x34/0x48\\n   bus_add_driver+0x174/0x304\\n   driver_register+0x8c/0x1c4\\n   __pci_register_driver+0x68/0x7c\\n   mlx5_init+0xb8/0x118 [mlx5_core]\\n   do_one_initcall+0x60/0x388\\n   do_init_module+0x7c/0x2a4\\n   
init_module_from_file+0xb4/0x108\\n   idempotent_init_module+0x184/0x34c\\n   sys_finit_module+0x90/0x114\\n\\nAnd oopses are possible when lockdep is enabled or the RTAS\\ntracepoints are active, since those paths dereference the result of\\nthe lookup.\\n\\nUse the correct spelling to match firmware\u0027s behavior, adjusting the\\nrelated constants to match.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: powerpc/rtas: use el nombre de funci\u00f3n correcto para restablecer las tablas TCE La especificaci\u00f3n PAPR escribe el nombre de la funci\u00f3n como \\\"ibm,reset-pe-dma-windows\\\" pero en la pr\u00e1ctica el firmware usa el singular formulario: \\\"ibm,reset-pe-dma-window\\\" en el \u00e1rbol de dispositivos. Dado que tenemos una ortograf\u00eda incorrecta en la tabla de funciones RTAS, las b\u00fasquedas inversas (token -\u0026gt; nombre) fallan y advierten: b\u00fasqueda fallida inesperada del token 86 ADVERTENCIA: CPU: 1 PID: 545 en arch/powerpc/kernel/rtas.c:659 __do_enter_rtas_trace+0x2a4/0x2b4 cpu: 1 pid: 545 com: systemd-udevd no contaminado 6.8.0-rc4 #30 Nombre de hardware: IBM, 9105-22A Power10 (RAW) 0x800200 0xf000006 de: IBM, FW1060.00 (NL10606060) :phyp pSeries NIP [c0000000000417f0] __do_enter_rtas_trace+0x2a4/0x2b4 LR [c0000000000417ec] __do_enter_rtas_trace+0x2a0/0x2b4 Seguimiento de llamadas: __do_enter_rtas_trace+0x2a0/0x2b4 (no confiable) tas_call+0x1f8/0x3e0 enable_ddw.constprop.0+0x4d0/0xc84 dma_iommu_dma_supported+0xe8/ 0x24c dma_set_mask+0x5c/0xd8 mlx5_pci_init.constprop.0+0xf0/0x46c [mlx5_core] probe_one+0xfc/0x32c [mlx5_core] local_pci_probe+0x68/0x12c pci_call_probe+0x68/0x1ec pci_device_probe+0xbc /0x1a8 realmente_probe+0x104/0x570 __driver_probe_device+0xb8/ 0x224 driver_probe_device+0x54/0x130 __driver_attach+0x158/0x2b0 bus_for_each_dev+0xa8/0x120 driver_attach+0x34/0x48 bus_add_driver+0x174/0x304 driver_register+0x8c/0x1c4 __pci_register_driver+0x68 /0x7c 
mlx5_init+0xb8/0x118 [mlx5_core] do_one_initcall+0x60/0x388 do_init_module +0x7c/0x2a4 init_module_from_file+0xb4/0x108 idempotent_init_module+0x184/0x34c sys_finit_module+0x90/0x114 Y es posible que haya errores cuando lockdep est\u00e1 habilitado o los puntos de seguimiento RTAS est\u00e1n activos, ya que esas rutas eliminan la referencia al resultado de la b\u00fasqueda. Utilice la ortograf\u00eda correcta para que coincida con el comportamiento del firmware, ajustando las constantes relacionadas para que coincidan.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.4,\"impactScore\":3.6}]},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/6b6282d56b14879124416a23837af9bd52ae2dfb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/dd63817baf334888289877ab1db1d866af2a6479\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fad87dbd48156ab940538f052f1820f4b6ed2819\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6b6282d56b14879124416a23837af9bd52ae2dfb\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/dd63817baf334888289877ab1db1d866af2a6479\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/fad87dbd48156ab940538f052f1820f4b6ed2819\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}







Sightings


Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.