| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-27060: thunderbolt: Fix NULL pointer dereference in tb_port_update_credits() |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| thunderbolt: Fix NULL pointer dereference in tb_port_update_credits() |
| |
| Olliver reported that his system crashes when plugging in a Thunderbolt 1 |
| device: |
| |
| BUG: kernel NULL pointer dereference, address: 0000000000000020 |
| #PF: supervisor read access in kernel mode |
| #PF: error_code(0x0000) - not-present page |
| PGD 0 P4D 0 |
| Oops: 0000 [#1] PREEMPT SMP NOPTI |
| RIP: 0010:tb_port_do_update_credits+0x1b/0x130 [thunderbolt] |
| Call Trace: |
| <TASK> |
| ? __die+0x23/0x70 |
| ? page_fault_oops+0x171/0x4e0 |
| ? exc_page_fault+0x7f/0x180 |
| ? asm_exc_page_fault+0x26/0x30 |
| ? tb_port_do_update_credits+0x1b/0x130 |
| ? tb_switch_update_link_attributes+0x83/0xd0 |
| tb_switch_add+0x7a2/0xfe0 |
| tb_scan_port+0x236/0x6f0 |
| tb_handle_hotplug+0x6db/0x900 |
| process_one_work+0x171/0x340 |
| worker_thread+0x27b/0x3a0 |
| ? __pfx_worker_thread+0x10/0x10 |
| kthread+0xe5/0x120 |
| ? __pfx_kthread+0x10/0x10 |
| ret_from_fork+0x31/0x50 |
| ? __pfx_kthread+0x10/0x10 |
| ret_from_fork_asm+0x1b/0x30 |
| </TASK> |
| |
| This is due to the fact that some Thunderbolt 1 devices only have one lane |
| adapter. Fix this by checking for the lane 1 before we read its credits. |
| |
| The Linux kernel CVE team has assigned CVE-2024-27060 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 6.7 with commit 81af2952e60603d12415e1a6fd200f8073a2ad8b and fixed in 6.7.12 with commit ce64ba1f6ec3439e4b4d880b4db99673f4507228 |
| Issue introduced in 6.7 with commit 81af2952e60603d12415e1a6fd200f8073a2ad8b and fixed in 6.8 with commit d3d17e23d1a0d1f959b4fa55b35f1802d9c584fa |
| |
| Please see https://www.kernel.org for a full list of kernel versions |
| currently supported by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-27060 |
| will be updated if fixes are backported; please check that for the most |
| up-to-date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| drivers/thunderbolt/switch.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If, however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/440fba897c5ae32d7df1f1d609dbb19e2bba7fbb |
| https://git.kernel.org/stable/c/ce64ba1f6ec3439e4b4d880b4db99673f4507228 |
| https://git.kernel.org/stable/c/d3d17e23d1a0d1f959b4fa55b35f1802d9c584fa |
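A triage sketch for the version range and oops signature given above, as an added example that is not part of the advisory or any kernel.org tooling. The function names and the sample log timestamps are constructed for illustration, and the version check assumes upstream numbering: a distribution kernel may carry a backported fix under a version string that still falls in the range.

```shell
#!/bin/sh
# Added example (not kernel.org tooling): triage helpers for CVE-2024-27060.

# Exit 0 if an upstream release string is in the range the advisory gives
# (introduced in 6.7, fixed in 6.7.12 and 6.8), 1 if outside it, 2 if the
# string cannot be parsed. Local suffixes ("-arch1-1", "-rc3") are ignored.
cve_2024_27060_affected() {
    rel=${1%%[-+]*}
    major=${rel%%.*}
    rest=${rel#*.}
    [ "$rest" = "$rel" ] && return 2          # no dot at all
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;                       # "6.7" means 6.7.0
    esac
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -eq 6 ] && [ "$minor" -eq 7 ] && [ "$patch" -lt 12 ]
}

# Exit 0 if kernel log text on stdin has the faulting frame from the
# advisory's oops: a RIP line inside tb_port_do_update_credits.
cve_2024_27060_oops_seen() {
    grep -Eq 'RIP: [0-9a-f]+:tb_port_do_update_credits\+0x[0-9a-f]+/0x[0-9a-f]+ \[thunderbolt\]'
}

# $1 = release string (e.g. from `uname -r`), stdin = kernel log text.
cve_2024_27060_triage() {
    oops=no
    if cve_2024_27060_oops_seen; then oops=yes; fi
    rc=0
    cve_2024_27060_affected "$1" || rc=$?
    case $rc in
        0) ver=affected ;;
        1) ver=not-affected ;;
        *) ver=unknown ;;
    esac
    echo "version=$ver oops=$oops"
}

# Constructed sample: timestamps invented, message text from the advisory.
SAMPLE_LOG='[  812.104] BUG: kernel NULL pointer dereference, address: 0000000000000020
[  812.104] RIP: 0010:tb_port_do_update_credits+0x1b/0x130 [thunderbolt]
[  812.104]  tb_switch_add+0x7a2/0xfe0'

printf '%s\n' "$SAMPLE_LOG" | cve_2024_27060_triage "6.7.9-arch1-1"
```

On a live host the same function can be fed the kernel log and the output of `uname -r`; a result of `version=unknown` means the release string needs to be checked by hand against the vendor's changelog.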