CVE-2024-46678

In the Linux kernel, the following vulnerability has been resolved: bonding: change ipsec_lock from spin lock to mutex In the cited commit, bond->ipsec_lock is added to protect ipsec_list, hence xdo_dev_state_add and xdo_dev_state_delete are called inside this lock. As ipsec_lock is a spin lock and such xfrmdev ops may sleep, "scheduling while atomic" will be triggered when changing bond's active slave. [ 101.055189] BUG: scheduling while atomic: bash/902/0x00000200 [ 101.055726] Modules linked in: [ 101.058211] CPU: 3 PID: 902 Comm: bash Not tainted 6.9.0-rc4+ #1 [ 101.058760] Hardware name: [ 101.059434] Call Trace: [ 101.059436] <TASK> [ 101.060873] dump_stack_lvl+0x51/0x60 [ 101.061275] __schedule_bug+0x4e/0x60 [ 101.061682] __schedule+0x612/0x7c0 [ 101.062078] ? __mod_timer+0x25c/0x370 [ 101.062486] schedule+0x25/0xd0 [ 101.062845] schedule_timeout+0x77/0xf0 [ 101.063265] ? asm_common_interrupt+0x22/0x40 [ 101.063724] ? __bpf_trace_itimer_state+0x10/0x10 [ 101.064215] __wait_for_common+0x87/0x190 [ 101.064648] ? usleep_range_state+0x90/0x90 [ 101.065091] cmd_exec+0x437/0xb20 [mlx5_core] [ 101.065569] mlx5_cmd_do+0x1e/0x40 [mlx5_core] [ 101.066051] mlx5_cmd_exec+0x18/0x30 [mlx5_core] [ 101.066552] mlx5_crypto_create_dek_key+0xea/0x120 [mlx5_core] [ 101.067163] ? bonding_sysfs_store_option+0x4d/0x80 [bonding] [ 101.067738] ? kmalloc_trace+0x4d/0x350 [ 101.068156] mlx5_ipsec_create_sa_ctx+0x33/0x100 [mlx5_core] [ 101.068747] mlx5e_xfrm_add_state+0x47b/0xaa0 [mlx5_core] [ 101.069312] bond_change_active_slave+0x392/0x900 [bonding] [ 101.069868] bond_option_active_slave_set+0x1c2/0x240 [bonding] [ 101.070454] __bond_opt_set+0xa6/0x430 [bonding] [ 101.070935] __bond_opt_set_notify+0x2f/0x90 [bonding] [ 101.071453] bond_opt_tryset_rtnl+0x72/0xb0 [bonding] [ 101.071965] bonding_sysfs_store_option+0x4d/0x80 [bonding] [ 101.072567] kernfs_fop_write_iter+0x10c/0x1a0 [ 101.073033] vfs_write+0x2d8/0x400 [ 101.073416] ? alloc_fd+0x48/0x180 [ 101.073798] ksys_write+0x5f/0xe0 [ 101.074175] do_syscall_64+0x52/0x110 [ 101.074576] entry_SYSCALL_64_after_hwframe+0x4b/0x53 As bond_ipsec_add_sa_all and bond_ipsec_del_sa_all are only called from bond_change_active_slave, which requires holding the RTNL lock. And bond_ipsec_add_sa and bond_ipsec_del_sa are xfrm state xdo_dev_state_add and xdo_dev_state_delete APIs, which are in user context. So ipsec_lock doesn't have to be spin lock, change it to mutex, and thus the above issue can be resolved.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*

History

23 Sep 2024, 14:44

Type Values Removed Values Added
First Time Linux linux Kernel
Linux
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.5
CWE CWE-667
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*
References () https://git.kernel.org/stable/c/2aeeef906d5a526dc60cf4af92eda69836c39b1f - () https://git.kernel.org/stable/c/2aeeef906d5a526dc60cf4af92eda69836c39b1f - Patch
References () https://git.kernel.org/stable/c/56354b0a2c24a7828eeed7de4b4dc9652d9affa3 - () https://git.kernel.org/stable/c/56354b0a2c24a7828eeed7de4b4dc9652d9affa3 - Patch
References () https://git.kernel.org/stable/c/6b598069164ac1bb60996d6ff94e7f9169dbd2d3 - () https://git.kernel.org/stable/c/6b598069164ac1bb60996d6ff94e7f9169dbd2d3 - Patch

13 Sep 2024, 14:06

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bonding: cambiar ipsec_lock de spin lock a mutex en el commit citado, se agrega bond-&gt;ipsec_lock para proteger ipsec_list, por lo tanto, se llaman xdo_dev_state_add y xdo_dev_state_delete dentro de este bloqueo. Como ipsec_lock es un spin lock y tales operaciones xfrmdev pueden dormir, se activará "programación mientras es atómica" al cambiar el esclavo activo de bond. [ 101.055189] ERROR: programación mientras es atómica: bash/902/0x00000200 [ 101.055726] Módulos vinculados en: [ 101.058211] CPU: 3 PID: 902 Comm: bash No contaminado 6.9.0-rc4+ #1 [ 101.058760] Nombre del hardware: [ 101.059434] Seguimiento de llamadas: [ 101.059436] [ 101.060873] dump_stack_lvl+0x51/0x60 [ 101.061275] __schedule_bug+0x4e/0x60 [ 101.061682] __schedule+0x612/0x7c0 [ 101.062078] ? __mod_timer+0x25c/0x370 [ 101.062486] schedule+0x25/0xd0 [ 101.062845] schedule_timeout+0x77/0xf0 [ 101.063265] ? asm_common_interrupt+0x22/0x40 [ 101.063724] ? __bpf_trace_itimer_state+0x10/0x10 [ 101.064215] __wait_for_common+0x87/0x190 [ 101.064648] ? opción_almacenamiento_sysfs_bonding+0x4d/0x80 [bonding] [ 101.067738] ? kmalloc_trace+0x4d/0x350 [ 101.068156] mlx5_ipsec_create_sa_ctx+0x33/0x100 [mlx5_core] [ 101.068747] mlx5e_xfrm_add_state+0x47b/0xaa0 [mlx5_core] [ 101.069312] cambio_enlace_esclavo_activo+0x392/0x900 [enlace] [ 101.069868] opción_enlace_esclavo_activo_conjunto+0x1c2/0x240 [enlace] [ 101.070454] __opción_enlace_conjunto+0xa6/0x430 [enlace] [ 101.070935] __bond_opt_set_notify+0x2f/0x90 [vinculación] [ 101.071453] bond_opt_tryset_rtnl+0x72/0xb0 [vinculación] [ 101.071965] bonding_sysfs_store_option+0x4d/0x80 [vinculación] [ 101.072567] kernfs_fop_write_iter+0x10c/0x1a0 [ 101.073033] vfs_write+0x2d8/0x400 [ 101.073416] ? alloc_fd+0x48/0x180 [ 101.073798] ksys_write+0x5f/0xe0 [ 101.074175] do_syscall_64+0x52/0x110 [ 101.074576] entry_SYSCALL_64_after_hwframe+0x4b/0x53 Como bond_ipsec_add_sa_all y bond_ipsec_del_sa_all solo se llaman desde bond_change_active_slave, que requiere mantener el bloqueo RTNL. Y bond_ipsec_add_sa y bond_ipsec_del_sa son API xdo_dev_state_add y xdo_dev_state_delete de estado xfrm, que están en el contexto del usuario. Por lo tanto, ipsec_lock no tiene que ser un bloqueo de giro; cámbielo a mutex y, por lo tanto, se puede resolver el problema anterior.

13 Sep 2024, 06:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-13 06:15

Updated : 2024-09-23 14:44


NVD link : CVE-2024-46678

Mitre link : CVE-2024-46678

CVE.ORG link : CVE-2024-46678


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-667

Improper Locking