cve/published/2024/CVE-2024-53064.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-53064: idpf: fix idpf_vc_core_init error path

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 idpf: fix idpf_vc_core_init error path

 In an event where the platform running the device control plane
 is rebooted, reset is detected on the driver. It releases
 all the resources and waits for the reset to complete. Once the
 reset is done, it tries to build the resources back. At this
 time if the device control plane is not yet started, then
 the driver timeouts on the virtchnl message and retries to
 establish the mailbox again.

 In the retry flow, mailbox is deinitialized but the mailbox
 workqueue is still alive and polling for the mailbox message.
 This results in accessing the released control queue leading to
 null-ptr-deref. Fix it by unrolling the work queue cancellation
 and mailbox deinitialization in the reverse order which they got
 initialized.

 The Linux kernel CVE team has assigned CVE-2024-53064 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.7 with commit 4930fbf419a72d7477426fd883bfc37e20a61a6e and fixed in 6.11.8 with commit 683fcd90ba22507ebeb1921a26dfe77efff8c266
 	Issue introduced in 6.7 with commit 4930fbf419a72d7477426fd883bfc37e20a61a6e and fixed in 6.12 with commit 9b58031ff96b84a38d7b73b23c7ecfb2e0557f43

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-53064
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/intel/idpf/idpf_lib.c
 	drivers/net/ethernet/intel/idpf/idpf_virtchnl.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/683fcd90ba22507ebeb1921a26dfe77efff8c266
 	https://git.kernel.org/stable/c/9b58031ff96b84a38d7b73b23c7ecfb2e0557f43
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-53064: idpf: fix idpf_vc_core_init error path

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	idpf: fix idpf_vc_core_init error path

	In an event where the platform running the device control plane
	is rebooted, reset is detected on the driver. It releases
	all the resources and waits for the reset to complete. Once the
	reset is done, it tries to build the resources back. At this
	time if the device control plane is not yet started, then
	the driver timeouts on the virtchnl message and retries to
	establish the mailbox again.

	In the retry flow, mailbox is deinitialized but the mailbox
	workqueue is still alive and polling for the mailbox message.
	This results in accessing the released control queue leading to
	null-ptr-deref. Fix it by unrolling the work queue cancellation
	and mailbox deinitialization in the reverse order which they got
	initialized.

	The Linux kernel CVE team has assigned CVE-2024-53064 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.7 with commit 4930fbf419a72d7477426fd883bfc37e20a61a6e and fixed in 6.11.8 with commit 683fcd90ba22507ebeb1921a26dfe77efff8c266
	Issue introduced in 6.7 with commit 4930fbf419a72d7477426fd883bfc37e20a61a6e and fixed in 6.12 with commit 9b58031ff96b84a38d7b73b23c7ecfb2e0557f43

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-53064
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/intel/idpf/idpf_lib.c
	drivers/net/ethernet/intel/idpf/idpf_virtchnl.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/683fcd90ba22507ebeb1921a26dfe77efff8c266
	https://git.kernel.org/stable/c/9b58031ff96b84a38d7b73b23c7ecfb2e0557f43