CVE-2024-35907

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-35907
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-35907.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-35907
Related
Published
2024-05-19T09:15:11Z
Modified
2024-09-18T03:26:19.641722Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

mlxbfgige: call requestirq() after NAPI initialized

The mlxbfgige driver encounters a NULL pointer exception in mlxbfgigeopen() when kdump is enabled. The sequence to reproduce the exception is as follows: a) enable kdump b) trigger kdump via "echo c > /proc/sysrq-trigger" c) kdump kernel executes d) kdump kernel loads mlxbfgige module e) the mlxbfgige module runs its open() as the the "oobnet0" interface is brought up f) mlxbf_gige module will experience an exception during its open(), something like:

 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
 Mem abort info:
   ESR = 0x0000000086000004
   EC = 0x21: IABT (current EL), IL = 32 bits
   SET = 0, FnV = 0
   EA = 0, S1PTW = 0
   FSC = 0x04: level 0 translation fault
 user pgtable: 4k pages, 48-bit VAs, pgdp=00000000e29a4000
 [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
 Internal error: Oops: 0000000086000004 [#1] SMP
 CPU: 0 PID: 812 Comm: NetworkManager Tainted: G           OE     5.15.0-1035-bluefield #37-Ubuntu
 Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.6.0.13024 Jan 19 2024
 pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : 0x0
 lr : __napi_poll+0x40/0x230
 sp : ffff800008003e00
 x29: ffff800008003e00 x28: 0000000000000000 x27: 00000000ffffffff
 x26: ffff000066027238 x25: ffff00007cedec00 x24: ffff800008003ec8
 x23: 000000000000012c x22: ffff800008003eb7 x21: 0000000000000000
 x20: 0000000000000001 x19: ffff000066027238 x18: 0000000000000000
 x17: ffff578fcb450000 x16: ffffa870b083c7c0 x15: 0000aaab010441d0
 x14: 0000000000000001 x13: 00726f7272655f65 x12: 6769675f6662786c
 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa870b0842398
 x8 : 0000000000000004 x7 : fe5a48b9069706ea x6 : 17fdb11fc84ae0d2
 x5 : d94a82549d594f35 x4 : 0000000000000000 x3 : 0000000000400100
 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000066027238
 Call trace:
  0x0
  net_rx_action+0x178/0x360
  __do_softirq+0x15c/0x428
  __irq_exit_rcu+0xac/0xec
  irq_exit+0x18/0x2c
  handle_domain_irq+0x6c/0xa0
  gic_handle_irq+0xec/0x1b0
  call_on_irq_stack+0x20/0x2c
  do_interrupt_handler+0x5c/0x70
  el1_interrupt+0x30/0x50
  el1h_64_irq_handler+0x18/0x2c
  el1h_64_irq+0x7c/0x80
  __setup_irq+0x4c0/0x950
  request_threaded_irq+0xf4/0x1bc
  mlxbf_gige_request_irqs+0x68/0x110 [mlxbf_gige]
  mlxbf_gige_open+0x5c/0x170 [mlxbf_gige]
  __dev_open+0x100/0x220
  __dev_change_flags+0x16c/0x1f0
  dev_change_flags+0x2c/0x70
  do_setlink+0x220/0xa40
  __rtnl_newlink+0x56c/0x8a0
  rtnl_newlink+0x58/0x84
  rtnetlink_rcv_msg+0x138/0x3c4
  netlink_rcv_skb+0x64/0x130
  rtnetlink_rcv+0x20/0x30
  netlink_unicast+0x2ec/0x360
  netlink_sendmsg+0x278/0x490
  __sock_sendmsg+0x5c/0x6c
  ____sys_sendmsg+0x290/0x2d4
  ___sys_sendmsg+0x84/0xd0
  __sys_sendmsg+0x70/0xd0
  __arm64_sys_sendmsg+0x2c/0x40
  invoke_syscall+0x78/0x100
  el0_svc_common.constprop.0+0x54/0x184
  do_el0_svc+0x30/0xac
  el0_svc+0x48/0x160
  el0t_64_sync_handler+0xa4/0x12c
  el0t_64_sync+0x1a4/0x1a8
 Code: bad PC value
 ---[ end trace 7d1c3f3bf9d81885 ]---
 Kernel panic - not syncing: Oops: Fatal exception in interrupt
 Kernel Offset: 0x2870a7a00000 from 0xffff800008000000
 PHYS_OFFSET: 0x80000000
 CPU features: 0x0,000005c1,a3332a5a
 Memory Limit: none
 ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---

The exception happens because there is a pending RX interrupt before the call to requestirq(RX IRQ) executes. Then, the RX IRQ handler fires immediately after this requestirq() completes. The ---truncated---

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.85-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.8.9-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1
6.7.12-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}