CVE-2024-41054

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix ufshcd_clear_cmd racing issue When ufshcd_clear_cmd is racing with the completion ISR, the completed tag of the request's mq_hctx pointer will be set to NULL by the ISR. And ufshcd_clear_cmd's call to ufshcd_mcq_req_to_hwq will get NULL pointer KE. Return success when the request is completed by ISR because sq does not need cleanup. The racing flow is: Thread A ufshcd_err_handler step 1 ufshcd_try_to_abort_task ufshcd_cmd_inflight(true) step 3 ufshcd_clear_cmd ... ufshcd_mcq_req_to_hwq blk_mq_unique_tag rq->mq_hctx->queue_num step 5 Thread B ufs_mtk_mcq_intr(cq complete ISR) step 2 scsi_done ... __blk_mq_free_request rq->mq_hctx = NULL; step 4 Below is KE back trace: ufshcd_try_to_abort_task: cmd pending in the device. tag = 6 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000194 pc : [0xffffffd589679bf8] blk_mq_unique_tag+0x8/0x14 lr : [0xffffffd5862f95b4] ufshcd_mcq_sq_cleanup+0x6c/0x1cc [ufs_mediatek_mod_ise] Workqueue: ufs_eh_wq_0 ufshcd_err_handler [ufs_mediatek_mod_ise] Call trace: dump_backtrace+0xf8/0x148 show_stack+0x18/0x24 dump_stack_lvl+0x60/0x7c dump_stack+0x18/0x3c mrdump_common_die+0x24c/0x398 [mrdump] ipanic_die+0x20/0x34 [mrdump] notify_die+0x80/0xd8 die+0x94/0x2b8 __do_kernel_fault+0x264/0x298 do_page_fault+0xa4/0x4b8 do_translation_fault+0x38/0x54 do_mem_abort+0x58/0x118 el1_abort+0x3c/0x5c el1h_64_sync_handler+0x54/0x90 el1h_64_sync+0x68/0x6c blk_mq_unique_tag+0x8/0x14 ufshcd_clear_cmd+0x34/0x118 [ufs_mediatek_mod_ise] ufshcd_try_to_abort_task+0x2c8/0x5b4 [ufs_mediatek_mod_ise] ufshcd_err_handler+0xa7c/0xfa8 [ufs_mediatek_mod_ise] process_one_work+0x208/0x4fc worker_thread+0x228/0x438 kthread+0x104/0x1d4 ret_from_fork+0x10/0x20

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/11d81233f4ebe6907b12c79ad7d8787aa4db0633	Patch
https://git.kernel.org/stable/c/9307a998cb9846a2557fdca286997430bee36a2a	Patch
https://git.kernel.org/stable/c/bed0896008334eeee4b4bfd7150491ca098cbf72	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

History

22 Aug 2024, 14:11

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: scsi: ufs: core: solucione el problema de ejecución de ufshcd_clear_cmd Cuando ufshcd_clear_cmd corre con el ISR de finalización, el ISR establecerá la etiqueta completada del puntero mq_hctx de la solicitud en NULL. Y la llamada de ufshcd_clear_cmd a ufshcd_mcq_req_to_hwq obtendrá un puntero NULL KE. Devuelve el éxito cuando ISR completa la solicitud porque sq no necesita limpieza. El flujo de ejecución es: Hilo A ufshcd_err_handler paso 1 ufshcd_try_to_abort_task ufshcd_cmd_inflight(true) paso 3 ufshcd_clear_cmd ... ufshcd_mcq_req_to_hwq blk_mq_unique_tag rq->mq_hctx->queue_num paso 5 Hilo ufs_mtk_mcq_int r(cq completar ISR) paso 2 scsi_done ... __blk_mq_free_request rq-> mq_hctx = NULO; paso 4 A continuación se muestra el rastreo de KE: ufshcd_try_to_abort_task: cmd pendiente en el dispositivo. etiqueta = 6 No se puede manejar la desreferencia del puntero NULL del kernel en la dirección virtual 0000000000000194 pc: [0xffffffd589679bf8] blk_mq_unique_tag+0x8/0x14 lr: [0xffffffd5862f95b4] ufshcd_mcq_sq_cleanup+0x6c/0x1cc _mod_ise] Cola de trabajo: ufs_eh_wq_0 ufshcd_err_handler [ufs_mediatek_mod_ise] Seguimiento de llamadas: dump_backtrace+0xf8 /0x148 show_stack+0x18/0x24 dump_stack_lvl+0x60/0x7c dump_stack+0x18/0x3c mrdump_common_die+0x24c/0x398 [mrdump] ipanic_die+0x20/0x34 [mrdump] notify_die+0x80/0xd8 die+0x94/0x2b8 __do_kernel_fault+0x264/0x298 do_page_fault+ 0xa4/0x4b8 do_translation_fault+0x38/0x54 do_mem_abort+0x58/0x118 el1_abort+0x3c/0x5c el1h_64_sync_handler+0x54/0x90 el1h_64_sync+0x68/0x6c blk_mq_unique_tag+0x8/0x14 clear_cmd+0x34/0x118 [ufs_mediatek_mod_ise] ufshcd_try_to_abort_task+0x2c8/0x5b4 [ufs_mediatek_mod_ise] ufshcd_err_handler +0xa7c/0xfa8 [ufs_mediatek_mod_ise] process_one_work+0x208/0x4fc trabajador_hilo+0x228/0x438 kthread+0x104/0x1d4 ret_from_fork+0x10/0x20
References	~~() https://git.kernel.org/stable/c/11d81233f4ebe6907b12c79ad7d8787aa4db0633 -~~	() https://git.kernel.org/stable/c/11d81233f4ebe6907b12c79ad7d8787aa4db0633 - Patch
References	~~() https://git.kernel.org/stable/c/9307a998cb9846a2557fdca286997430bee36a2a -~~	() https://git.kernel.org/stable/c/9307a998cb9846a2557fdca286997430bee36a2a - Patch
References	~~() https://git.kernel.org/stable/c/bed0896008334eeee4b4bfd7150491ca098cbf72 -~~	() https://git.kernel.org/stable/c/bed0896008334eeee4b4bfd7150491ca098cbf72 - Patch
CWE		CWE-476
First Time		Linux Linux linux Kernel
CPE		cpe:2.3:o:linux:linux_kernel::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5

29 Jul 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-07-29 15:15

Updated : 2024-08-22 14:11

NVD link : CVE-2024-41054

Mitre link : CVE-2024-41054

CVE.ORG link : CVE-2024-41054

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-476

NULL Pointer Dereference

5.5 /10