CVE-2024-35971
See a problem?- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-35971
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-35971.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-35971
- Related
- Published
- 2024-05-20T10:15:11Z
- Modified
- 2024-09-18T03:26:21.909355Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net: ks8851: Handle softirqs at the end of IRQ thread to fix hang
The ks8851irq() thread may call ks8851rxpkts() in case there are any packets in the MAC FIFO, which calls netifrx(). This netifrx() implementation is guarded by localbhdisable() and localbhenable(). The localbhenable() may call dosoftirq() to run softirqs in case any are pending. One of the softirqs is netrxaction, which ultimately reaches the driver .start_xmit callback. If that happens, the system hangs. The entire call chain is below:
ks8851startxmitpar from netdevstartxmit netdevstartxmit from devhardstartxmit devhardstartxmit from schdirectxmit schdirectxmit from _devqueuexmit _devqueuexmit from _neighupdate _neighupdate from neighupdate neighupdate from arpprocess.constprop.0 arpprocess.constprop.0 from _netifreceiveskbonecore _netifreceiveskbonecore from processbacklog processbacklog from _napipoll.constprop.0 _napipoll.constprop.0 from netrxaction netrxaction from _dosoftirq _dosoftirq from callwithstack callwithstack from dosoftirq dosoftirq from _localbhenableip _localbhenableip from netifrx netifrx from ks8851irq ks8851irq from irqthreadfn irqthreadfn from irqthread irqthread from kthread kthread from retfrom_fork
The hang happens because ks8851irq() first locks a spinlock in ks8851par.c ks8851lockpar() spinlockirqsave(&ksp->lock, ...) and with that spinlock locked, calls netifrx(). Once the execution reaches ks8851startxmitpar(), it calls ks8851lockpar() again which attempts to claim the already locked spinlock again, and the hang happens.
Move the dosoftirq() call outside of the spinlock protected section of ks8851irq() by disabling BHs around the entire spinlock protected section of ks8851irq() handler. Place localbhenable() outside of the spinlock protected section, so that it can trigger dosoftirq() without the ks8851par.c ks8851lockpar() spinlock being held, and safely call ks8851startxmitpar() without attempting to lock the already locked spinlock.
Since ks8851irq() is protected by localbhdisable()/localbhenable() now, replace netifrx() with _netifrx() which is not duplicating the localbhdisable()/localbhenable() calls.
- References
-
- http://www.openwall.com/lists/oss-security/2024/05/30/1
- http://www.openwall.com/lists/oss-security/2024/05/30/2
- https://git.kernel.org/stable/c/492337a4fbd1421b42df684ee9b34be2a2722540
- https://git.kernel.org/stable/c/49d5d70538b6b8f2a3f8f1ac30c1f921d4a0929b
- https://git.kernel.org/stable/c/be0384bf599cf1eb8d337517feeb732d71f75a6f
- https://git.kernel.org/stable/c/cba376eb036c2c20077b41d47b317d8218fe754f
- https://security-tracker.debian.org/tracker/CVE-2024-35971
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
5.*
6.*
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.90-1
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.8.9-1