cve/published/2024/CVE-2024-36950.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-36950: firewire: ohci: mask bus reset interrupts between ISR and bottom half

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 firewire: ohci: mask bus reset interrupts between ISR and bottom half

 In the FireWire OHCI interrupt handler, if a bus reset interrupt has
 occurred, mask bus reset interrupts until bus_reset_work has serviced and
 cleared the interrupt.

 Normally, we always leave bus reset interrupts masked. We infer the bus
 reset from the self-ID interrupt that happens shortly thereafter. A
 scenario where we unmask bus reset interrupts was introduced in 2008 in
 a007bb857e0b26f5d8b73c2ff90782d9c0972620: If
 OHCI_PARAM_DEBUG_BUSRESETS (8) is set in the debug parameter bitmask, we
 will unmask bus reset interrupts so we can log them.

 irq_handler logs the bus reset interrupt. However, we can't clear the bus
 reset event flag in irq_handler, because we won't service the event until
 later. irq_handler exits with the event flag still set. If the
 corresponding interrupt is still unmasked, the first bus reset will
 usually freeze the system due to irq_handler being called again each
 time it exits. This freeze can be reproduced by loading firewire_ohci
 with "modprobe firewire_ohci debug=-1" (to enable all debugging output).
 Apparently there are also some cases where bus_reset_work will get called
 soon enough to clear the event, and operation will continue normally.

 This freeze was first reported a few months after a007bb85 was committed,
 but until now it was never fixed. The debug level could safely be set
 to -1 through sysfs after the module was loaded, but this would be
 ineffectual in logging bus reset interrupts since they were only
 unmasked during initialization.

 irq_handler will now leave the event flag set but mask bus reset
 interrupts, so irq_handler won't be called again and there will be no
 freeze. If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will
 unmask the interrupt after servicing the event, so future interrupts
 will be caught as desired.

 As a side effect to this change, OHCI_PARAM_DEBUG_BUSRESETS can now be
 enabled through sysfs in addition to during initial module loading.
 However, when enabled through sysfs, logging of bus reset interrupts will
 be effective only starting with the second bus reset, after
 bus_reset_work has executed.

 The Linux kernel CVE team has assigned CVE-2024-36950 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.19.314 with commit b3948c69d60279fce5b2eeda92a07d66296c8130
 	Fixed in 5.4.276 with commit 31279bbca40d2f40cb3bbb6d538ec9620a645dec
 	Fixed in 5.10.217 with commit fa273f312334246c909475c5868e6daab889cc8c
 	Fixed in 5.15.159 with commit 4f9cc355c328fc4f41cbd9c4cd58b235184fa420
 	Fixed in 6.1.91 with commit 6fafe3661712b143d9c69a7322294bd53f559d5d
 	Fixed in 6.6.31 with commit 5982887de60c1b84f9c0ca07c835814d07fd1da0
 	Fixed in 6.8.10 with commit 8643332aac0576581cfdf01798ea3e4e0d624b61
 	Fixed in 6.9 with commit 752e3c53de0fa3b7d817a83050b6699b8e9c6ec9

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-36950
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/firewire/ohci.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/b3948c69d60279fce5b2eeda92a07d66296c8130
 	https://git.kernel.org/stable/c/31279bbca40d2f40cb3bbb6d538ec9620a645dec
 	https://git.kernel.org/stable/c/fa273f312334246c909475c5868e6daab889cc8c
 	https://git.kernel.org/stable/c/4f9cc355c328fc4f41cbd9c4cd58b235184fa420
 	https://git.kernel.org/stable/c/6fafe3661712b143d9c69a7322294bd53f559d5d
 	https://git.kernel.org/stable/c/5982887de60c1b84f9c0ca07c835814d07fd1da0
 	https://git.kernel.org/stable/c/8643332aac0576581cfdf01798ea3e4e0d624b61
 	https://git.kernel.org/stable/c/752e3c53de0fa3b7d817a83050b6699b8e9c6ec9
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-36950: firewire: ohci: mask bus reset interrupts between ISR and bottom half

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	firewire: ohci: mask bus reset interrupts between ISR and bottom half

	In the FireWire OHCI interrupt handler, if a bus reset interrupt has
	occurred, mask bus reset interrupts until bus_reset_work has serviced and
	cleared the interrupt.

	Normally, we always leave bus reset interrupts masked. We infer the bus
	reset from the self-ID interrupt that happens shortly thereafter. A
	scenario where we unmask bus reset interrupts was introduced in 2008 in
	a007bb857e0b26f5d8b73c2ff90782d9c0972620: If
	OHCI_PARAM_DEBUG_BUSRESETS (8) is set in the debug parameter bitmask, we
	will unmask bus reset interrupts so we can log them.

	irq_handler logs the bus reset interrupt. However, we can't clear the bus
	reset event flag in irq_handler, because we won't service the event until
	later. irq_handler exits with the event flag still set. If the
	corresponding interrupt is still unmasked, the first bus reset will
	usually freeze the system due to irq_handler being called again each
	time it exits. This freeze can be reproduced by loading firewire_ohci
	with "modprobe firewire_ohci debug=-1" (to enable all debugging output).
	Apparently there are also some cases where bus_reset_work will get called
	soon enough to clear the event, and operation will continue normally.

	This freeze was first reported a few months after a007bb85 was committed,
	but until now it was never fixed. The debug level could safely be set
	to -1 through sysfs after the module was loaded, but this would be
	ineffectual in logging bus reset interrupts since they were only
	unmasked during initialization.

	irq_handler will now leave the event flag set but mask bus reset
	interrupts, so irq_handler won't be called again and there will be no
	freeze. If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will
	unmask the interrupt after servicing the event, so future interrupts
	will be caught as desired.

	As a side effect to this change, OHCI_PARAM_DEBUG_BUSRESETS can now be
	enabled through sysfs in addition to during initial module loading.
	However, when enabled through sysfs, logging of bus reset interrupts will
	be effective only starting with the second bus reset, after
	bus_reset_work has executed.

	The Linux kernel CVE team has assigned CVE-2024-36950 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.19.314 with commit b3948c69d60279fce5b2eeda92a07d66296c8130
	Fixed in 5.4.276 with commit 31279bbca40d2f40cb3bbb6d538ec9620a645dec
	Fixed in 5.10.217 with commit fa273f312334246c909475c5868e6daab889cc8c
	Fixed in 5.15.159 with commit 4f9cc355c328fc4f41cbd9c4cd58b235184fa420
	Fixed in 6.1.91 with commit 6fafe3661712b143d9c69a7322294bd53f559d5d
	Fixed in 6.6.31 with commit 5982887de60c1b84f9c0ca07c835814d07fd1da0
	Fixed in 6.8.10 with commit 8643332aac0576581cfdf01798ea3e4e0d624b61
	Fixed in 6.9 with commit 752e3c53de0fa3b7d817a83050b6699b8e9c6ec9

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-36950
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/firewire/ohci.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/b3948c69d60279fce5b2eeda92a07d66296c8130
	https://git.kernel.org/stable/c/31279bbca40d2f40cb3bbb6d538ec9620a645dec
	https://git.kernel.org/stable/c/fa273f312334246c909475c5868e6daab889cc8c
	https://git.kernel.org/stable/c/4f9cc355c328fc4f41cbd9c4cd58b235184fa420
	https://git.kernel.org/stable/c/6fafe3661712b143d9c69a7322294bd53f559d5d
	https://git.kernel.org/stable/c/5982887de60c1b84f9c0ca07c835814d07fd1da0
	https://git.kernel.org/stable/c/8643332aac0576581cfdf01798ea3e4e0d624b61
	https://git.kernel.org/stable/c/752e3c53de0fa3b7d817a83050b6699b8e9c6ec9