CVE-2024-56788

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-56788
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56788.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-56788
Related
Published
2025-01-11T13:15:29Z
Modified
2025-01-16T05:50:04.448440Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: oa_tc6: fix tx skb race condition between reference pointers

There are two skb pointers to manage tx skb's enqueued from n/w stack. waitingtxskb pointer points to the tx skb which needs to be processed and ongoingtxskb pointer points to the tx skb which is being processed.

SPI thread prepares the tx data chunks from the tx skb pointed by the ongoingtxskb pointer. When the tx skb pointed by the ongoingtxskb is processed, the tx skb pointed by the waitingtxskb is assigned to ongoingtxskb and the waitingtxskb pointer is assigned with NULL. Whenever there is a new tx skb from n/w stack, it will be assigned to waitingtxskb pointer if it is NULL. Enqueuing and processing of a tx skb handled in two different threads.

Consider a scenario where the SPI thread processed an ongoingtxskb and it moves next tx skb from waitingtxskb pointer to ongoingtxskb pointer without doing any NULL check. At this time, if the waitingtxskb pointer is NULL then ongoingtxskb pointer is also assigned with NULL. After that, if a new tx skb is assigned to waitingtxskb pointer by the n/w stack and there is a chance to overwrite the tx skb pointer with NULL in the SPI thread. Finally one of the tx skb will be left as unhandled, resulting packet missing and memory leak.

  • Consider the below scenario where the TXC reported from the previous transfer is 10 and ongoingtxskb holds an tx ethernet frame which can be transported in 20 TXCs and waitingtxskb is still NULL. txcredits = 10; /* 21 are filled in the previous transfer */ ongoingtxskb = 20; waitingtx_skb = NULL; /* Still NULL */
  • So, (tc6->ongoingtxskb || tc6->waitingtxskb) becomes true.
  • After oatc6preparespitxbuffortxskbs() ongoingtxskb = 10; waitingtxskb = NULL; /* Still NULL */
  • Perform SPI transfer.
  • Process SPI rx buffer to get the TXC from footers.
  • Now let's assume previously filled 21 TXCs are freed so we are good to transport the next remaining 10 tx chunks from ongoingtxskb. txcredits = 21; ongoingtxskb = 10; waitingtx_skb = NULL;
  • So, (tc6->ongoingtxskb || tc6->waitingtxskb) becomes true again.
  • In the oatc6preparespitxbuffortxskbs() ongoingtxskb = NULL; waitingtxskb = NULL;

  • Now the below bad case might happen,

Thread1 (oatc6startxmit) Thread2 (oatc6spithread_handler)


  • if waitingtxskb is NULL
    • if ongoingtxskb is NULL
    • ongoingtxskb = waitingtxskb
  • waitingtxskb = skb
    • waitingtxskb = NULL ...
    • ongoingtxskb = NULL
  • if waitingtxskb is NULL
  • waitingtxskb = skb

To overcome the above issue, protect the moving of tx skb reference from waitingtxskb pointer to ongoingtxskb pointer and assigning new tx skb to waitingtxskb pointer, so that the other thread can't access the waitingtxskb pointer until the current thread completes moving the tx skb reference safely.

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.12.8-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.1.115-1
6.1.119-1
6.1.123-1
6.1.124-1
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1
6.7.12-1
6.8.9-1
6.8.11-1
6.8.12-1~bpo12+1
6.8.12-1
6.9.2-1~exp1
6.9.7-1~bpo12+1
6.9.7-1
6.9.8-1
6.9.9-1
6.9.10-1~bpo12+1
6.9.10-1
6.9.11-1
6.9.12-1
6.10-1~exp1
6.10.1-1~exp1
6.10.3-1
6.10.4-1
6.10.6-1~bpo12+1
6.10.6-1
6.10.7-1
6.10.9-1
6.10.11-1~bpo12+1
6.10.11-1
6.10.12-1
6.11~rc4-1~exp1
6.11~rc5-1~exp1
6.11-1~exp1
6.11.2-1
6.11.4-1
6.11.5-1~bpo12+1
6.11.5-1
6.11.6-1
6.11.7-1
6.11.9-1
6.11.10-1~bpo12+1
6.11.10-1
6.12~rc6-1~exp1
6.12.3-1
6.12.5-1
6.12.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}