gsd-2024-26847
Vulnerability from gsd
Modified
2024-02-20 06:02
Details
In the Linux kernel, the following vulnerability has been resolved:
powerpc/rtas: use correct function name for resetting TCE tables
The PAPR spec spells the function name as
"ibm,reset-pe-dma-windows"
but in practice firmware uses the singular form:
"ibm,reset-pe-dma-window"
in the device tree. Since we have the wrong spelling in the RTAS
function table, reverse lookups (token -> name) fail and warn:
unexpected failed lookup for token 86
WARNING: CPU: 1 PID: 545 at arch/powerpc/kernel/rtas.c:659 __do_enter_rtas_trace+0x2a4/0x2b4
CPU: 1 PID: 545 Comm: systemd-udevd Not tainted 6.8.0-rc4 #30
Hardware name: IBM,9105-22A POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NL1060_028) hv:phyp pSeries
NIP [c0000000000417f0] __do_enter_rtas_trace+0x2a4/0x2b4
LR [c0000000000417ec] __do_enter_rtas_trace+0x2a0/0x2b4
Call Trace:
__do_enter_rtas_trace+0x2a0/0x2b4 (unreliable)
rtas_call+0x1f8/0x3e0
enable_ddw.constprop.0+0x4d0/0xc84
dma_iommu_dma_supported+0xe8/0x24c
dma_set_mask+0x5c/0xd8
mlx5_pci_init.constprop.0+0xf0/0x46c [mlx5_core]
probe_one+0xfc/0x32c [mlx5_core]
local_pci_probe+0x68/0x12c
pci_call_probe+0x68/0x1ec
pci_device_probe+0xbc/0x1a8
really_probe+0x104/0x570
__driver_probe_device+0xb8/0x224
driver_probe_device+0x54/0x130
__driver_attach+0x158/0x2b0
bus_for_each_dev+0xa8/0x120
driver_attach+0x34/0x48
bus_add_driver+0x174/0x304
driver_register+0x8c/0x1c4
__pci_register_driver+0x68/0x7c
mlx5_init+0xb8/0x118 [mlx5_core]
do_one_initcall+0x60/0x388
do_init_module+0x7c/0x2a4
init_module_from_file+0xb4/0x108
idempotent_init_module+0x184/0x34c
sys_finit_module+0x90/0x114
And oopses are possible when lockdep is enabled or the RTAS
tracepoints are active, since those paths dereference the result of
the lookup.
Use the correct spelling to match firmware's behavior, adjusting the
related constants to match.
Aliases
{
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2024-26847"
],
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/rtas: use correct function name for resetting TCE tables\n\nThe PAPR spec spells the function name as\n\n \"ibm,reset-pe-dma-windows\"\n\nbut in practice firmware uses the singular form:\n\n \"ibm,reset-pe-dma-window\"\n\nin the device tree. Since we have the wrong spelling in the RTAS\nfunction table, reverse lookups (token -\u003e name) fail and warn:\n\n unexpected failed lookup for token 86\n WARNING: CPU: 1 PID: 545 at arch/powerpc/kernel/rtas.c:659 __do_enter_rtas_trace+0x2a4/0x2b4\n CPU: 1 PID: 545 Comm: systemd-udevd Not tainted 6.8.0-rc4 #30\n Hardware name: IBM,9105-22A POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NL1060_028) hv:phyp pSeries\n NIP [c0000000000417f0] __do_enter_rtas_trace+0x2a4/0x2b4\n LR [c0000000000417ec] __do_enter_rtas_trace+0x2a0/0x2b4\n Call Trace:\n __do_enter_rtas_trace+0x2a0/0x2b4 (unreliable)\n rtas_call+0x1f8/0x3e0\n enable_ddw.constprop.0+0x4d0/0xc84\n dma_iommu_dma_supported+0xe8/0x24c\n dma_set_mask+0x5c/0xd8\n mlx5_pci_init.constprop.0+0xf0/0x46c [mlx5_core]\n probe_one+0xfc/0x32c [mlx5_core]\n local_pci_probe+0x68/0x12c\n pci_call_probe+0x68/0x1ec\n pci_device_probe+0xbc/0x1a8\n really_probe+0x104/0x570\n __driver_probe_device+0xb8/0x224\n driver_probe_device+0x54/0x130\n __driver_attach+0x158/0x2b0\n bus_for_each_dev+0xa8/0x120\n driver_attach+0x34/0x48\n bus_add_driver+0x174/0x304\n driver_register+0x8c/0x1c4\n __pci_register_driver+0x68/0x7c\n mlx5_init+0xb8/0x118 [mlx5_core]\n do_one_initcall+0x60/0x388\n do_init_module+0x7c/0x2a4\n init_module_from_file+0xb4/0x108\n idempotent_init_module+0x184/0x34c\n sys_finit_module+0x90/0x114\n\nAnd oopses are possible when lockdep is enabled or the RTAS\ntracepoints are active, since those paths dereference the result of\nthe lookup.\n\nUse the correct spelling to match firmware\u0027s behavior, adjusting the\nrelated constants to match.",
"id": "GSD-2024-26847",
"modified": "2024-02-20T06:02:29.294272Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@kernel.org",
"ID": "CVE-2024-26847",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Linux",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "8252b88294d2",
"version_value": "6b6282d56b14"
},
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"defaultStatus": "affected",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.21",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.9",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
}
]
}
}
]
},
"vendor_name": "Linux"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/rtas: use correct function name for resetting TCE tables\n\nThe PAPR spec spells the function name as\n\n \"ibm,reset-pe-dma-windows\"\n\nbut in practice firmware uses the singular form:\n\n \"ibm,reset-pe-dma-window\"\n\nin the device tree. Since we have the wrong spelling in the RTAS\nfunction table, reverse lookups (token -\u003e name) fail and warn:\n\n unexpected failed lookup for token 86\n WARNING: CPU: 1 PID: 545 at arch/powerpc/kernel/rtas.c:659 __do_enter_rtas_trace+0x2a4/0x2b4\n CPU: 1 PID: 545 Comm: systemd-udevd Not tainted 6.8.0-rc4 #30\n Hardware name: IBM,9105-22A POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NL1060_028) hv:phyp pSeries\n NIP [c0000000000417f0] __do_enter_rtas_trace+0x2a4/0x2b4\n LR [c0000000000417ec] __do_enter_rtas_trace+0x2a0/0x2b4\n Call Trace:\n __do_enter_rtas_trace+0x2a0/0x2b4 (unreliable)\n rtas_call+0x1f8/0x3e0\n enable_ddw.constprop.0+0x4d0/0xc84\n dma_iommu_dma_supported+0xe8/0x24c\n dma_set_mask+0x5c/0xd8\n mlx5_pci_init.constprop.0+0xf0/0x46c [mlx5_core]\n probe_one+0xfc/0x32c [mlx5_core]\n local_pci_probe+0x68/0x12c\n pci_call_probe+0x68/0x1ec\n pci_device_probe+0xbc/0x1a8\n really_probe+0x104/0x570\n __driver_probe_device+0xb8/0x224\n driver_probe_device+0x54/0x130\n __driver_attach+0x158/0x2b0\n bus_for_each_dev+0xa8/0x120\n driver_attach+0x34/0x48\n bus_add_driver+0x174/0x304\n driver_register+0x8c/0x1c4\n __pci_register_driver+0x68/0x7c\n mlx5_init+0xb8/0x118 [mlx5_core]\n do_one_initcall+0x60/0x388\n do_init_module+0x7c/0x2a4\n init_module_from_file+0xb4/0x108\n idempotent_init_module+0x184/0x34c\n sys_finit_module+0x90/0x114\n\nAnd oopses are possible when lockdep is enabled or the RTAS\ntracepoints are active, since those paths dereference the result of\nthe lookup.\n\nUse the correct spelling to match firmware\u0027s behavior, adjusting the\nrelated constants to match."
}
]
},
"generator": {
"engine": "bippy-d175d3acf727"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://git.kernel.org/stable/c/6b6282d56b14879124416a23837af9bd52ae2dfb",
"refsource": "MISC",
"url": "https://git.kernel.org/stable/c/6b6282d56b14879124416a23837af9bd52ae2dfb"
},
{
"name": "https://git.kernel.org/stable/c/dd63817baf334888289877ab1db1d866af2a6479",
"refsource": "MISC",
"url": "https://git.kernel.org/stable/c/dd63817baf334888289877ab1db1d866af2a6479"
},
{
"name": "https://git.kernel.org/stable/c/fad87dbd48156ab940538f052f1820f4b6ed2819",
"refsource": "MISC",
"url": "https://git.kernel.org/stable/c/fad87dbd48156ab940538f052f1820f4b6ed2819"
}
]
}
},
"nvd.nist.gov": {
"cve": {
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/rtas: use correct function name for resetting TCE tables\n\nThe PAPR spec spells the function name as\n\n \"ibm,reset-pe-dma-windows\"\n\nbut in practice firmware uses the singular form:\n\n \"ibm,reset-pe-dma-window\"\n\nin the device tree. Since we have the wrong spelling in the RTAS\nfunction table, reverse lookups (token -\u003e name) fail and warn:\n\n unexpected failed lookup for token 86\n WARNING: CPU: 1 PID: 545 at arch/powerpc/kernel/rtas.c:659 __do_enter_rtas_trace+0x2a4/0x2b4\n CPU: 1 PID: 545 Comm: systemd-udevd Not tainted 6.8.0-rc4 #30\n Hardware name: IBM,9105-22A POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NL1060_028) hv:phyp pSeries\n NIP [c0000000000417f0] __do_enter_rtas_trace+0x2a4/0x2b4\n LR [c0000000000417ec] __do_enter_rtas_trace+0x2a0/0x2b4\n Call Trace:\n __do_enter_rtas_trace+0x2a0/0x2b4 (unreliable)\n rtas_call+0x1f8/0x3e0\n enable_ddw.constprop.0+0x4d0/0xc84\n dma_iommu_dma_supported+0xe8/0x24c\n dma_set_mask+0x5c/0xd8\n mlx5_pci_init.constprop.0+0xf0/0x46c [mlx5_core]\n probe_one+0xfc/0x32c [mlx5_core]\n local_pci_probe+0x68/0x12c\n pci_call_probe+0x68/0x1ec\n pci_device_probe+0xbc/0x1a8\n really_probe+0x104/0x570\n __driver_probe_device+0xb8/0x224\n driver_probe_device+0x54/0x130\n __driver_attach+0x158/0x2b0\n bus_for_each_dev+0xa8/0x120\n driver_attach+0x34/0x48\n bus_add_driver+0x174/0x304\n driver_register+0x8c/0x1c4\n __pci_register_driver+0x68/0x7c\n mlx5_init+0xb8/0x118 [mlx5_core]\n do_one_initcall+0x60/0x388\n do_init_module+0x7c/0x2a4\n init_module_from_file+0xb4/0x108\n idempotent_init_module+0x184/0x34c\n sys_finit_module+0x90/0x114\n\nAnd oopses are possible when lockdep is enabled or the RTAS\ntracepoints are active, since those paths dereference the result of\nthe lookup.\n\nUse the correct spelling to match firmware\u0027s behavior, adjusting the\nrelated constants to match."
}
],
"id": "CVE-2024-26847",
"lastModified": "2024-04-17T12:48:07.510",
"metrics": {},
"published": "2024-04-17T11:15:08.273",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/6b6282d56b14879124416a23837af9bd52ae2dfb"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/dd63817baf334888289877ab1db1d866af2a6479"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/fad87dbd48156ab940538f052f1820f4b6ed2819"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Awaiting Analysis"
}
}
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.