Use After Free Affecting kernel-core package, versions *
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RHEL9-KERNELCORE-7737073
- published 21 Aug 2024
- disclosed 17 Aug 2024
Introduced: 17 Aug 2024
CVE-2024-42302 Open this link in a new tabHow to fix?
There is no fixed version for RHEL:9 kernel-core.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-core package and not the kernel-core package as distributed by RHEL.
See How to fix? for RHEL:9 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal
Keith reports a use-after-free when a DPC event occurs concurrently to hot-removal of the same portion of the hierarchy:
The dpc_handler() awaits readiness of the secondary bus below the Downstream Port where the DPC event occurred. To do so, it polls the config space of the first child device on the secondary bus. If that child device is concurrently removed, accesses to its struct pci_dev cause the kernel to oops.
That's because pci_bridge_wait_for_secondary_bus() neglects to hold a reference on the child device. Before v6.3, the function was only called on resume from system sleep or on runtime resume. Holding a reference wasn't necessary back then because the pciehp IRQ thread could never run concurrently. (On resume from system sleep, IRQs are not enabled until after the resume_noirq phase. And runtime resume is always awaited before a PCI device is removed.)
However starting with v6.3, pci_bridge_wait_for_secondary_bus() is also called on a DPC event. Commit 53b54ad074de ("PCI/DPC: Await readiness of secondary bus after reset"), which introduced that, failed to appreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a reference on the child device because dpc_handler() and pciehp may indeed run concurrently. The commit was backported to v5.10+ stable kernels, so that's the oldest one affected.
Add the missing reference acquisition.
Abridged stack trace:
BUG: unable to handle page fault for address: 00000000091400c0 CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0 RIP: pci_bus_read_config_dword+0x17/0x50 pci_dev_wait() pci_bridge_wait_for_secondary_bus() dpc_reset_link() pcie_do_recovery() dpc_handler()
References
- https://access.redhat.com/security/cve/CVE-2024-42302
- https://git.kernel.org/stable/c/11a1f4bc47362700fcbde717292158873fb847ed
- https://git.kernel.org/stable/c/2c111413f38ca5cf87557cab89f6d82b0e3433e7
- https://git.kernel.org/stable/c/2cc8973bdc4d6c928ebe38b88090a2cdfe81f42f
- https://git.kernel.org/stable/c/b16f3ea1db47a6766a9f1169244cf1fc287a7c62
- https://git.kernel.org/stable/c/c52f9e1a9eb40f13993142c331a6cfd334d4b91d
- https://git.kernel.org/stable/c/f63df70b439bb8331358a306541893bf415bf1da