ghsa-p8g6-7v7w-4whg
Vulnerability from github
Published
2024-04-05 09:30
Modified
2024-06-26 00:31
Details

In the Linux kernel, the following vulnerability has been resolved:

vfio/pci: Create persistent INTx handler

A vulnerability exists where the eventfd for INTx signaling can be deconfigured, which unregisters the IRQ handler but still allows eventfds to be signaled with a NULL context through the SET_IRQS ioctl or through unmask irqfd if the device interrupt is pending.

Ideally this could be solved with some additional locking; the igate mutex serializes the ioctl and config space accesses, and the interrupt handler is unregistered relative to the trigger, but the irqfd path runs asynchronous to those. The igate mutex cannot be acquired from the atomic context of the eventfd wake function. Disabling the irqfd relative to the eventfd registration is potentially incompatible with existing userspace.

As a result, the solution implemented here moves configuration of the INTx interrupt handler to track the lifetime of the INTx context object and irq_type configuration, rather than registration of a particular trigger eventfd. Synchronization is added between the ioctl path and eventfd_signal() wrapper such that the eventfd trigger can be dynamically updated relative to in-flight interrupts or irqfd callbacks.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-26812"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-05T09:15:09Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Create persistent INTx handler\n\nA vulnerability exists where the eventfd for INTx signaling can be\ndeconfigured, which unregisters the IRQ handler but still allows\neventfds to be signaled with a NULL context through the SET_IRQS ioctl\nor through unmask irqfd if the device interrupt is pending.\n\nIdeally this could be solved with some additional locking; the igate\nmutex serializes the ioctl and config space accesses, and the interrupt\nhandler is unregistered relative to the trigger, but the irqfd path\nruns asynchronous to those.  The igate mutex cannot be acquired from the\natomic context of the eventfd wake function.  Disabling the irqfd\nrelative to the eventfd registration is potentially incompatible with\nexisting userspace.\n\nAs a result, the solution implemented here moves configuration of the\nINTx interrupt handler to track the lifetime of the INTx context object\nand irq_type configuration, rather than registration of a particular\ntrigger eventfd.  Synchronization is added between the ioctl path and\neventfd_signal() wrapper such that the eventfd trigger can be\ndynamically updated relative to in-flight interrupts or irqfd callbacks.",
  "id": "GHSA-p8g6-7v7w-4whg",
  "modified": "2024-06-26T00:31:36Z",
  "published": "2024-04-05T09:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26812"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0e09cf81959d9f12b75ad5c6dd53d237432ed034"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/18c198c96a815c962adc2b9b77909eec0be7df4d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/27d40bf72dd9a6600b76ad05859176ea9a1b4897"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4c089cefe30924fbe20dd1ee92774ea1f5eca834"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4cb0d7532126d23145329826c38054b4e9a05e7c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/69276a555c740acfbff13fb5769ee9c92e1c828e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7d29d4c72c1e196cce6969c98072a272d1a703b3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b18fa894d615c8527e15d96b76c7448800e13899"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.