cve-2024-36928
Vulnerability from cvelistv5
Published
2024-05-30 15:29
Modified
2024-08-02 03:43
Severity
Summary
s390/qeth: Fix kernel panic after setting hsuid
Impacted products
Vendor    Product
Linux     Linux
Linux     Linux


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-36928",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-31T18:29:03.569739Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:47:51.939Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:43:50.063Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8792b557eb50b986f2496156d486d0c7c85a1524"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/10cb803aff3b11fe0bd5f274fc1c231a43e88df6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e28dd1e1bf3ebb52cdb877fb359e8978a51576e3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/eae0aec245712c52a3ce9c05575b541a9eef5282"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8a2e4d37afb8500b276e5ee903dee06f50ab0494"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/s390/net/qeth_core_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8792b557eb50",
              "status": "affected",
              "version": "64e3affee288",
              "versionType": "git"
            },
            {
              "lessThan": "10cb803aff3b",
              "status": "affected",
              "version": "86818409f989",
              "versionType": "git"
            },
            {
              "lessThan": "e28dd1e1bf3e",
              "status": "affected",
              "version": "1cfef80d4c2b",
              "versionType": "git"
            },
            {
              "lessThan": "eae0aec24571",
              "status": "affected",
              "version": "1cfef80d4c2b",
              "versionType": "git"
            },
            {
              "lessThan": "8a2e4d37afb8",
              "status": "affected",
              "version": "1cfef80d4c2b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/s390/net/qeth_core_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.159",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.91",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.31",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.10",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/qeth: Fix kernel panic after setting hsuid\n\nSymptom:\nWhen the hsuid attribute is set for the first time on an IQD Layer3\ndevice while the corresponding network interface is already UP,\nthe kernel will try to execute a napi function pointer that is NULL.\n\nExample:\n---------------------------------------------------------------------------\n[ 2057.572696] illegal operation: 0001 ilc:1 [#1] SMP\n[ 2057.572702] Modules linked in: af_iucv qeth_l3 zfcp scsi_transport_fc sunrpc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6\nnft_reject nft_ct nf_tables_set nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink ghash_s390 prng xts aes_s390 des_s390 de\ns_generic sha3_512_s390 sha3_256_s390 sha512_s390 vfio_ccw vfio_mdev mdev vfio_iommu_type1 eadm_sch vfio ext4 mbcache jbd2 qeth_l2 bridge stp llc dasd_eckd_mod qeth dasd_mod\n qdio ccwgroup pkey zcrypt\n[ 2057.572739] CPU: 6 PID: 60182 Comm: stress_client Kdump: loaded Not tainted 4.18.0-541.el8.s390x #1\n[ 2057.572742] Hardware name: IBM 3931 A01 704 (LPAR)\n[ 2057.572744] Krnl PSW : 0704f00180000000 0000000000000002 (0x2)\n[ 2057.572748]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3\n[ 2057.572751] Krnl GPRS: 0000000000000004 0000000000000000 00000000a3b008d8 0000000000000000\n[ 2057.572754]            00000000a3b008d8 cb923a29c779abc5 0000000000000000 00000000814cfd80\n[ 2057.572756]            000000000000012c 0000000000000000 00000000a3b008d8 00000000a3b008d8\n[ 2057.572758]            00000000bab6d500 00000000814cfd80 0000000091317e46 00000000814cfc68\n[ 2057.572762] Krnl Code:#0000000000000000: 0000                illegal\n                         \u003e0000000000000002: 0000                illegal\n                          0000000000000004: 0000                illegal\n                          
0000000000000006: 0000                illegal\n                          0000000000000008: 0000                illegal\n                          000000000000000a: 0000                illegal\n                          000000000000000c: 0000                illegal\n                          000000000000000e: 0000                illegal\n[ 2057.572800] Call Trace:\n[ 2057.572801] ([\u003c00000000ec639700\u003e] 0xec639700)\n[ 2057.572803]  [\u003c00000000913183e2\u003e] net_rx_action+0x2ba/0x398\n[ 2057.572809]  [\u003c0000000091515f76\u003e] __do_softirq+0x11e/0x3a0\n[ 2057.572813]  [\u003c0000000090ce160c\u003e] do_softirq_own_stack+0x3c/0x58\n[ 2057.572817] ([\u003c0000000090d2cbd6\u003e] do_softirq.part.1+0x56/0x60)\n[ 2057.572822]  [\u003c0000000090d2cc60\u003e] __local_bh_enable_ip+0x80/0x98\n[ 2057.572825]  [\u003c0000000091314706\u003e] __dev_queue_xmit+0x2be/0xd70\n[ 2057.572827]  [\u003c000003ff803dd6d6\u003e] afiucv_hs_send+0x24e/0x300 [af_iucv]\n[ 2057.572830]  [\u003c000003ff803dd88a\u003e] iucv_send_ctrl+0x102/0x138 [af_iucv]\n[ 2057.572833]  [\u003c000003ff803de72a\u003e] iucv_sock_connect+0x37a/0x468 [af_iucv]\n[ 2057.572835]  [\u003c00000000912e7e90\u003e] __sys_connect+0xa0/0xd8\n[ 2057.572839]  [\u003c00000000912e9580\u003e] sys_socketcall+0x228/0x348\n[ 2057.572841]  [\u003c0000000091514e1a\u003e] system_call+0x2a6/0x2c8\n[ 2057.572843] Last Breaking-Event-Address:\n[ 2057.572844]  [\u003c0000000091317e44\u003e] __napi_poll+0x4c/0x1d8\n[ 2057.572846]\n[ 2057.572847] Kernel panic - not syncing: Fatal exception in interrupt\n-------------------------------------------------------------------------------------------\n\nAnalysis:\nThere is one napi structure per out_q: card-\u003eqdio.out_qs[i].napi\nThe napi.poll functions are set during qeth_open().\n\nSince\ncommit 1cfef80d4c2b (\"s390/qeth: Don\u0027t call dev_close/dev_open (DOWN/UP)\")\nqeth_set_offline()/qeth_set_online() no longer call dev_close()/\ndev_open(). 
So if qeth_free_qdio_queues() cleared\ncard-\u003eqdio.out_qs[i].napi.poll while the network interface was UP and the\ncard was offline, they are not set again.\n\nReproduction:\nchzdev -e $devno layer2=0\nip link set dev $network_interface up\necho 0 \u003e /sys/bus/ccw\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-30T15:29:20.854Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8792b557eb50b986f2496156d486d0c7c85a1524"
        },
        {
          "url": "https://git.kernel.org/stable/c/10cb803aff3b11fe0bd5f274fc1c231a43e88df6"
        },
        {
          "url": "https://git.kernel.org/stable/c/e28dd1e1bf3ebb52cdb877fb359e8978a51576e3"
        },
        {
          "url": "https://git.kernel.org/stable/c/eae0aec245712c52a3ce9c05575b541a9eef5282"
        },
        {
          "url": "https://git.kernel.org/stable/c/8a2e4d37afb8500b276e5ee903dee06f50ab0494"
        }
      ],
      "title": "s390/qeth: Fix kernel panic after setting hsuid",
      "x_generator": {
        "engine": "bippy-a5840b7849dd"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-36928",
    "datePublished": "2024-05-30T15:29:20.854Z",
    "dateReserved": "2024-05-30T15:25:07.069Z",
    "dateUpdated": "2024-08-02T03:43:50.063Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-36928\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-30T16:15:16.033\",\"lastModified\":\"2024-05-30T18:18:58.870\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/qeth: Fix kernel panic after setting hsuid\\n\\nSymptom:\\nWhen the hsuid attribute is set for the first time on an IQD Layer3\\ndevice while the corresponding network interface is already UP,\\nthe kernel will try to execute a napi function pointer that is NULL.\\n\\nExample:\\n---------------------------------------------------------------------------\\n[ 2057.572696] illegal operation: 0001 ilc:1 [#1] SMP\\n[ 2057.572702] Modules linked in: af_iucv qeth_l3 zfcp scsi_transport_fc sunrpc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6\\nnft_reject nft_ct nf_tables_set nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink ghash_s390 prng xts aes_s390 des_s390 de\\ns_generic sha3_512_s390 sha3_256_s390 sha512_s390 vfio_ccw vfio_mdev mdev vfio_iommu_type1 eadm_sch vfio ext4 mbcache jbd2 qeth_l2 bridge stp llc dasd_eckd_mod qeth dasd_mod\\n qdio ccwgroup pkey zcrypt\\n[ 2057.572739] CPU: 6 PID: 60182 Comm: stress_client Kdump: loaded Not tainted 4.18.0-541.el8.s390x #1\\n[ 2057.572742] Hardware name: IBM 3931 A01 704 (LPAR)\\n[ 2057.572744] Krnl PSW : 0704f00180000000 0000000000000002 (0x2)\\n[ 2057.572748]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3\\n[ 2057.572751] Krnl GPRS: 0000000000000004 0000000000000000 00000000a3b008d8 0000000000000000\\n[ 2057.572754]            00000000a3b008d8 cb923a29c779abc5 0000000000000000 00000000814cfd80\\n[ 2057.572756]            000000000000012c 0000000000000000 00000000a3b008d8 00000000a3b008d8\\n[ 2057.572758]            00000000bab6d500 00000000814cfd80 
0000000091317e46 00000000814cfc68\\n[ 2057.572762] Krnl Code:#0000000000000000: 0000                illegal\\n                         \u003e0000000000000002: 0000                illegal\\n                          0000000000000004: 0000                illegal\\n                          0000000000000006: 0000                illegal\\n                          0000000000000008: 0000                illegal\\n                          000000000000000a: 0000                illegal\\n                          000000000000000c: 0000                illegal\\n                          000000000000000e: 0000                illegal\\n[ 2057.572800] Call Trace:\\n[ 2057.572801] ([\u003c00000000ec639700\u003e] 0xec639700)\\n[ 2057.572803]  [\u003c00000000913183e2\u003e] net_rx_action+0x2ba/0x398\\n[ 2057.572809]  [\u003c0000000091515f76\u003e] __do_softirq+0x11e/0x3a0\\n[ 2057.572813]  [\u003c0000000090ce160c\u003e] do_softirq_own_stack+0x3c/0x58\\n[ 2057.572817] ([\u003c0000000090d2cbd6\u003e] do_softirq.part.1+0x56/0x60)\\n[ 2057.572822]  [\u003c0000000090d2cc60\u003e] __local_bh_enable_ip+0x80/0x98\\n[ 2057.572825]  [\u003c0000000091314706\u003e] __dev_queue_xmit+0x2be/0xd70\\n[ 2057.572827]  [\u003c000003ff803dd6d6\u003e] afiucv_hs_send+0x24e/0x300 [af_iucv]\\n[ 2057.572830]  [\u003c000003ff803dd88a\u003e] iucv_send_ctrl+0x102/0x138 [af_iucv]\\n[ 2057.572833]  [\u003c000003ff803de72a\u003e] iucv_sock_connect+0x37a/0x468 [af_iucv]\\n[ 2057.572835]  [\u003c00000000912e7e90\u003e] __sys_connect+0xa0/0xd8\\n[ 2057.572839]  [\u003c00000000912e9580\u003e] sys_socketcall+0x228/0x348\\n[ 2057.572841]  [\u003c0000000091514e1a\u003e] system_call+0x2a6/0x2c8\\n[ 2057.572843] Last Breaking-Event-Address:\\n[ 2057.572844]  [\u003c0000000091317e44\u003e] __napi_poll+0x4c/0x1d8\\n[ 2057.572846]\\n[ 2057.572847] Kernel panic - not syncing: Fatal exception in interrupt\\n-------------------------------------------------------------------------------------------\\n\\nAnalysis:\\nThere is 
one napi structure per out_q: card-\u003eqdio.out_qs[i].napi\\nThe napi.poll functions are set during qeth_open().\\n\\nSince\\ncommit 1cfef80d4c2b (\\\"s390/qeth: Don\u0027t call dev_close/dev_open (DOWN/UP)\\\")\\nqeth_set_offline()/qeth_set_online() no longer call dev_close()/\\ndev_open(). So if qeth_free_qdio_queues() cleared\\ncard-\u003eqdio.out_qs[i].napi.poll while the network interface was UP and the\\ncard was offline, they are not set again.\\n\\nReproduction:\\nchzdev -e $devno layer2=0\\nip link set dev $network_interface up\\necho 0 \u003e /sys/bus/ccw\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: s390/qeth: soluciona el p\u00e1nico del kernel despu\u00e9s de configurar hsuid S\u00edntoma: cuando el atributo hsuid se establece por primera vez en un dispositivo IQD Layer3 mientras la interfaz de red correspondiente ya est\u00e1 activa, el kernel Intentar\u00e1 ejecutar un puntero de funci\u00f3n napi que sea NULL. 
Ejemplo: ------------------------------------------------ --------------------- [ 2057.572696] operaci\u00f3n ilegal: 0001 ilc:1 [#1] SMP [ 2057.572702] M\u00f3dulos vinculados en: af_iucv qeth_l3 zfcp scsi_transport_fc sunrpc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nf_tables_set nft_chain_nat nf_nat pista nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink ghash_s390 prng xts aes_s390 des_s390 de s_generic sha3_512_s390 sha3_256_s390 sha512_s390 vfio_ccw vfio_mdev mdev _iommu_type1 eadm_sch vfio ext4 mbcache jbd2 qeth_l2 puente stp llc dasd_eckd_mod qeth dasd_mod qdio ccwgroup pkey zcrypt [2057.572739] CPU: 6 PID: 60182 Comm: stress_client Kdump: cargado No contaminado 4.18.0-541.el8.s390x #1 [2057.572742] Nombre de hardware: IBM 3931 A01 704 (LPAR) [2057.572744] PSW : 0704f00180000000 0000000000000002 (0x2) [ 2057.572748] R:0 T:1 IO:1 EX:1 Clave:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3 [ 2057.572751] Krnl GPRS: 0000000000000004 0000000000000000 00000000a3b008d8 0000000000000000 [2057.572754] 00000000a3b008d8 cb923a29c779abc5 000000000000000 00000000814cfd80 [ 2057.572756] 000000000000012c 0000000000000000 00000000a3b008d8 00000000a3b008d8 [ 2057.5727 58] 00000000bab6d500 00000000814cfd80 0000000091317e46 00000000814cfc68 [2057.572762] C\u00f3digo Krnl:#0000000000000000: 0000 ilegal \u0026gt;00000000000 00002: 0000 ilegal 0000000000000004: 0000 ilegal 0000000000000006: 0000 ilegal 0000000000000008: 0000 ilegal 000000000000000a: 0000 ilegal 000000000000000c: 0000 ilegal 000000000000000e: 0000 ilegal [ 2057.572800] Rastreo de llamadas: [ 57.572801] ([\u0026lt;00000000ec639700\u0026gt;] 0xec639700) [ 2057.572803] [\u0026lt;00000000913183e2\u0026gt;] net_rx_action+0x2ba/0x398 [ 2057.572809 ] [\u0026lt;0000000091515f76\u0026gt;] __do_softirq+0x11e/0x3a0 [ 2057.572813] [\u0026lt;0000000090ce160c\u0026gt;] do_softirq_own_stack+0x3c/0x58 [ 2057.572817 ([\u0026lt;0000000090d] 
2cbd6\u0026gt;] do_softirq.part.1+0x56/0x60) [ 2057.572822] [\u0026lt;0000000090d2cc60\u0026gt; ] __local_bh_enable_ip+0x80/0x98 [ 2057.572825] [\u0026lt;0000000091314706\u0026gt;] __dev_queue_xmit+0x2be/0xd70 [ 2057.572827] [\u0026lt;000003ff803dd6d6\u0026gt;] 24e/0x300 [af_iucv] [ 2057.572830] [\u0026lt;000003ff803dd88a\u0026gt;] iucv_send_ctrl+0x102/0x138 [af_iucv ] [ 2057.572833] [\u0026lt;000003ff803de72a\u0026gt;] iucv_sock_connect+0x37a/0x468 [af_iucv] [ 2057.572835] [\u0026lt;00000000912e7e90\u0026gt;] __sys_connect+0xa0/0xd8 [ 2057.57283 9] [\u0026lt;00000000912e9580\u0026gt;] sys_socketcall+0x228/0x348 [ 2057.572841] [\u0026lt;0000000091514e1a\u0026gt; ] system_call+0x2a6/0x2c8 [ 2057.572843] \u00daltima direcci\u00f3n del evento de \u00faltima hora: [ 2057.572844] [\u0026lt;0000000091317e44\u0026gt;] __napi_poll+0x4c/0x1d8 [ 2057.572846] [ 2057.572847] p\u00e1nico - no se sincroniza: excepci\u00f3n fatal en la interrupci\u00f3n ----- -------------------------------------------------- ------------------------------------ An\u00e1lisis: Hay una estructura napi por out_q: tarjeta-\u0026gt;qdio .out_qs[i].napi Las funciones napi.poll se configuran durante qeth_open(). Desde la confirmaci\u00f3n 1cfef80d4c2b (\\\"s390/qeth: No llamar a dev_close/dev_open (DOWN/UP)\\\") qeth_set_offline()/qeth_set_online() ya no llama a dev_close()/dev_open(). Entonces, si qeth_free_qdio_queues() borr\u00f3 card-\u0026gt;qdio.out_qs[i].napi.poll mientras la interfaz de red estaba activa y la tarjeta estaba fuera de l\u00ednea, no se vuelven a configurar. 
Reproducci\u00f3n: chzdev -e $devno Layer2=0 ip link set dev $network_interface up echo 0 \u0026gt; /sys/bus/ccw ---truncado---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/10cb803aff3b11fe0bd5f274fc1c231a43e88df6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8792b557eb50b986f2496156d486d0c7c85a1524\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8a2e4d37afb8500b276e5ee903dee06f50ab0494\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e28dd1e1bf3ebb52cdb877fb359e8978a51576e3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/eae0aec245712c52a3ce9c05575b541a9eef5282\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

