CVE-2024-26738

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26738
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26738.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-26738
Related
Published
2024-04-03T17:15:51Z
Modified
2024-09-18T03:26:02.601033Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries/iommu: DLPAR add doesn't completely initialize pci_controller

When a PCI device is dynamically added, the kernel oopses with a NULL pointer dereference:

BUG: Kernel NULL pointer dereference on read at 0x00000030 Faulting instruction address: 0xc0000000006bbe5c Oops: Kernel access of bad area, sig: 11 [#1] LE PAGESIZE=64K MMU=Radix SMP NRCPUS=2048 NUMA pSeries Modules linked in: rpadlpario rpaphp rpcsecgsskrb5 authrpcgss nfsv4 dnsresolver nfs lockd grace fscache netfs xskdiag bonding nftcompat nftables nfnetlink rfkill binfmtmisc dmmultipath rpcrdma sunrpc rdmaucm ibsrpt ibisert iscsitargetmod targetcoremod ibumad ibiser libiscsi scsitransportiscsi ibipoib rdmacm iwcm ibcm mlx5ib ibuverbs ibcore pseriesrng drm drmpanelorientationquirks xfs libcrc32c mlx5core mlxfw sdmod t10pi sg tls ibmvscsi ibmveth scsitransportsrp vmxcrypto pserieswdt psample dmmirror dmregionhash dmlog dmmod fuse CPU: 17 PID: 2685 Comm: drmgr Not tainted 6.7.0-203405+ #66 Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060008) hv:phyp pSeries NIP: c0000000006bbe5c LR: c000000000a13e68 CTR: c0000000000579f8 REGS: c00000009924f240 TRAP: 0300 Not tainted (6.7.0-203405+) MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 24002220 XER: 20040006 CFAR: c000000000a13e64 DAR: 0000000000000030 DSISR: 40000000 IRQMASK: 0 ... NIP sysfsaddlinktogroup+0x34/0x94 LR iommudevicelink+0x5c/0x118 Call Trace: iommuinitdevice+0x26c/0x318 (unreliable) iommudevicelink+0x5c/0x118 iommuinitdevice+0xa8/0x318 iommuprobedevice+0xc0/0x134 iommubusnotifier+0x44/0x104 notifiercallchain+0xb8/0x19c blockingnotifiercallchain+0x64/0x98 busnotify+0x50/0x7c deviceadd+0x640/0x918 pcideviceadd+0x23c/0x298 ofcreatepcidev+0x400/0x884 ofscanpcidev+0x124/0x1b0 _ofscanbus+0x78/0x18c pcibiosscanphb+0x2a4/0x3b0 initphbdynamic+0xb8/0x110 dlparaddslot+0x170/0x3b8 [rpadlpario] addslotstore.part.0+0xb4/0x130 [rpadlpario] kobjattrstore+0x2c/0x48 sysfskfwrite+0x64/0x78 kernfsfopwriteiter+0x1b0/0x290 vfswrite+0x350/0x4a0 ksyswrite+0x84/0x140 systemcallexception+0x124/0x330 systemcallvectored_common+0x15c/0x2ec

Commit a940904443e4 ("powerpc/iommu: Add iommu_ops to report capabilities and allow blocking domains") broke DLPAR add of PCI devices.

The above added iommudevice structure to pcicontroller. During system boot, PCI devices are discovered and this newly added iommudevice structure is initialized by a call to iommudevice_register().

During DLPAR add of a PCI device, a new pcicontroller structure is allocated but there are no calls made to iommudevice_register() interface.

Fix is to register the iommu device during DLPAR add as well.

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.7.7-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}