cve/published/2024/CVE-2024-26802.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26802: stmmac: Clear variable when destroying workqueue

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 stmmac: Clear variable when destroying workqueue

 Currently when suspending driver and stopping workqueue it is checked whether
 workqueue is not NULL and if so, it is destroyed.
 Function destroy_workqueue() does drain queue and does clear variable, but
 it does not set workqueue variable to NULL. This can cause kernel/module
 panic if code attempts to clear workqueue that was not initialized.

 This scenario is possible when resuming suspended driver in stmmac_resume(),
 because there is no handling for failed stmmac_hw_setup(),
 which can fail and return if DMA engine has failed to initialize,
 and workqueue is initialized after DMA engine.
 Should DMA engine fail to initialize, resume will proceed normally,
 but interface won't work and TX queue will eventually timeout,
 causing 'Reset adapter' error.
 This then does destroy workqueue during reset process.
 And since workqueue is initialized after DMA engine and can be skipped,
 it will cause kernel/module panic.

 To secure against this possible crash, set workqueue variable to NULL when
 destroying workqueue.

 Log/backtrace from crash goes as follows:
 [88.031977]------------[ cut here ]------------
 [88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out
 [88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398
            <Skipping backtrace for watchdog timeout>
 [88.032251]---[ end trace e70de432e4d5c2c0 ]---
 [88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter.
 [88.036359]------------[ cut here ]------------
 [88.036519]Call trace:
 [88.036523] flush_workqueue+0x3e4/0x430
 [88.036528] drain_workqueue+0xc4/0x160
 [88.036533] destroy_workqueue+0x40/0x270
 [88.036537] stmmac_fpe_stop_wq+0x4c/0x70
 [88.036541] stmmac_release+0x278/0x280
 [88.036546] __dev_close_many+0xcc/0x158
 [88.036551] dev_close_many+0xbc/0x190
 [88.036555] dev_close.part.0+0x70/0xc0
 [88.036560] dev_close+0x24/0x30
 [88.036564] stmmac_service_task+0x110/0x140
 [88.036569] process_one_work+0x1d8/0x4a0
 [88.036573] worker_thread+0x54/0x408
 [88.036578] kthread+0x164/0x170
 [88.036583] ret_from_fork+0x10/0x20
 [88.036588]---[ end trace e70de432e4d5c2c1 ]---
 [88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004

 The Linux kernel CVE team has assigned CVE-2024-26802 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.13 with commit 5a5586112b929546e16029261a987c9197bfdfa2 and fixed in 5.15.151 with commit 8e99556301172465c8fe33c7f78c39a3d4ce8462
 	Issue introduced in 5.13 with commit 5a5586112b929546e16029261a987c9197bfdfa2 and fixed in 6.1.81 with commit 17ccd9798fe0beda3db212cfa3ebe373f605cbd6
 	Issue introduced in 5.13 with commit 5a5586112b929546e16029261a987c9197bfdfa2 and fixed in 6.6.21 with commit 699b103e48ce32d03fc86c35b37ee8ae4288c7e3
 	Issue introduced in 5.13 with commit 5a5586112b929546e16029261a987c9197bfdfa2 and fixed in 6.7.9 with commit f72cf22dccc94038cbbaa1029cb575bf52e5cbc8
 	Issue introduced in 5.13 with commit 5a5586112b929546e16029261a987c9197bfdfa2 and fixed in 6.8 with commit 8af411bbba1f457c33734795f024d0ef26d0963f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26802
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/stmicro/stmmac/stmmac_main.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8e99556301172465c8fe33c7f78c39a3d4ce8462
 	https://git.kernel.org/stable/c/17ccd9798fe0beda3db212cfa3ebe373f605cbd6
 	https://git.kernel.org/stable/c/699b103e48ce32d03fc86c35b37ee8ae4288c7e3
 	https://git.kernel.org/stable/c/f72cf22dccc94038cbbaa1029cb575bf52e5cbc8
 	https://git.kernel.org/stable/c/8af411bbba1f457c33734795f024d0ef26d0963f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26802: stmmac: Clear variable when destroying workqueue

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	stmmac: Clear variable when destroying workqueue

	Currently when suspending driver and stopping workqueue it is checked whether
	workqueue is not NULL and if so, it is destroyed.
	Function destroy_workqueue() does drain queue and does clear variable, but
	it does not set workqueue variable to NULL. This can cause kernel/module
	panic if code attempts to clear workqueue that was not initialized.

	This scenario is possible when resuming suspended driver in stmmac_resume(),
	because there is no handling for failed stmmac_hw_setup(),
	which can fail and return if DMA engine has failed to initialize,
	and workqueue is initialized after DMA engine.
	Should DMA engine fail to initialize, resume will proceed normally,
	but interface won't work and TX queue will eventually timeout,
	causing 'Reset adapter' error.
	This then does destroy workqueue during reset process.
	And since workqueue is initialized after DMA engine and can be skipped,
	it will cause kernel/module panic.

	To secure against this possible crash, set workqueue variable to NULL when
	destroying workqueue.

	Log/backtrace from crash goes as follows:
	[88.031977]------------[ cut here ]------------
	[88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out
	[88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398
	<Skipping backtrace for watchdog timeout>
	[88.032251]---[ end trace e70de432e4d5c2c0 ]---
	[88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter.
	[88.036359]------------[ cut here ]------------
	[88.036519]Call trace:
	[88.036523] flush_workqueue+0x3e4/0x430
	[88.036528] drain_workqueue+0xc4/0x160
	[88.036533] destroy_workqueue+0x40/0x270
	[88.036537] stmmac_fpe_stop_wq+0x4c/0x70
	[88.036541] stmmac_release+0x278/0x280
	[88.036546] __dev_close_many+0xcc/0x158
	[88.036551] dev_close_many+0xbc/0x190
	[88.036555] dev_close.part.0+0x70/0xc0
	[88.036560] dev_close+0x24/0x30
	[88.036564] stmmac_service_task+0x110/0x140
	[88.036569] process_one_work+0x1d8/0x4a0
	[88.036573] worker_thread+0x54/0x408
	[88.036578] kthread+0x164/0x170
	[88.036583] ret_from_fork+0x10/0x20
	[88.036588]---[ end trace e70de432e4d5c2c1 ]---
	[88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004

	The Linux kernel CVE team has assigned CVE-2024-26802 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.13 with commit 5a5586112b929546e16029261a987c9197bfdfa2 and fixed in 5.15.151 with commit 8e99556301172465c8fe33c7f78c39a3d4ce8462
	Issue introduced in 5.13 with commit 5a5586112b929546e16029261a987c9197bfdfa2 and fixed in 6.1.81 with commit 17ccd9798fe0beda3db212cfa3ebe373f605cbd6
	Issue introduced in 5.13 with commit 5a5586112b929546e16029261a987c9197bfdfa2 and fixed in 6.6.21 with commit 699b103e48ce32d03fc86c35b37ee8ae4288c7e3
	Issue introduced in 5.13 with commit 5a5586112b929546e16029261a987c9197bfdfa2 and fixed in 6.7.9 with commit f72cf22dccc94038cbbaa1029cb575bf52e5cbc8
	Issue introduced in 5.13 with commit 5a5586112b929546e16029261a987c9197bfdfa2 and fixed in 6.8 with commit 8af411bbba1f457c33734795f024d0ef26d0963f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26802
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/stmicro/stmmac/stmmac_main.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8e99556301172465c8fe33c7f78c39a3d4ce8462
	https://git.kernel.org/stable/c/17ccd9798fe0beda3db212cfa3ebe373f605cbd6
	https://git.kernel.org/stable/c/699b103e48ce32d03fc86c35b37ee8ae4288c7e3
	https://git.kernel.org/stable/c/f72cf22dccc94038cbbaa1029cb575bf52e5cbc8
	https://git.kernel.org/stable/c/8af411bbba1f457c33734795f024d0ef26d0963f