4.4

CVE-2023-52617

PCI: switchtec: Fix stdev_release() crash after surprise hot remove

In the Linux kernel, the following vulnerability has been resolved:

PCI: switchtec: Fix stdev_release() crash after surprise hot remove

A PCI device hot removal may occur while stdev->cdev is held open. The call
to stdev_release() then happens during close or exit, at a point way past
switchtec_pci_remove(). Otherwise the last ref would vanish with the
trailing put_device(), just before return.

At that later point in time, the devm cleanup has already removed the
stdev->mmio_mrpc mapping. Also, the stdev->pdev reference was not a counted
one. Therefore, in DMA mode, the iowrite32() in stdev_release() will cause
a fatal page fault, and the subsequent dma_free_coherent(), if reached,
would pass a stale &stdev->pdev->dev pointer.

Fix by moving MRPC DMA shutdown into switchtec_pci_remove(), after
stdev_kill(). Counting the stdev->pdev ref is now optional, but may prevent
future accidents.

Reproducible via the script at
https://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version < 5.4.269
LinuxLinux Kernel Version >= 5.5 < 5.10.210
LinuxLinux Kernel Version >= 5.11 < 5.15.149
LinuxLinux Kernel Version >= 5.16 < 6.1.77
LinuxLinux Kernel Version >= 6.2 < 6.6.16
LinuxLinux Kernel Version >= 6.7 < 6.7.4
DebianDebian Linux Version10.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.24% 0.146
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 4.4 0.8 3.6
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CWE-459 Incomplete Cleanup

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
Third Party Advisory
Mailing List
https://git.kernel.org/stable/c/0233b836312e39a3c763fb53512b3fa455b473b3
Patch
https://git.kernel.org/stable/c/1d83c85922647758c1f1e4806a4c5c3cf591a20a
Patch
https://git.kernel.org/stable/c/4a5d0528cf19dbf060313dffbe047bc11c90c24c
Patch
https://git.kernel.org/stable/c/d8c293549946ee5078ed0ab77793cec365559355
Patch
https://git.kernel.org/stable/c/df25461119d987b8c81d232cfe4411e91dcabe66
Patch
https://git.kernel.org/stable/c/e129c7fa7070fbce57feb0bfc5eaa65eef44b693
Patch
https://git.kernel.org/stable/c/ff1c7e2fb9e9c3f53715fbe04d3ac47b80be7eb8
Patch