cve-2024-26724
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2024-12-19 08:45
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: DPLL, Fix possible use after free after delayed work timer triggers I managed to hit following use after free warning recently: [ 2169.711665] ================================================================== [ 2169.714009] BUG: KASAN: slab-use-after-free in __run_timers.part.0+0x179/0x4c0 [ 2169.716293] Write of size 8 at addr ffff88812b326a70 by task swapper/4/0 [ 2169.719022] CPU: 4 PID: 0 Comm: swapper/4 Not tainted 6.8.0-rc2jiri+ #2 [ 2169.720974] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 2169.722457] Call Trace: [ 2169.722756] <IRQ> [ 2169.723024] dump_stack_lvl+0x58/0xb0 [ 2169.723417] print_report+0xc5/0x630 [ 2169.723807] ? __virt_addr_valid+0x126/0x2b0 [ 2169.724268] kasan_report+0xbe/0xf0 [ 2169.724667] ? __run_timers.part.0+0x179/0x4c0 [ 2169.725116] ? __run_timers.part.0+0x179/0x4c0 [ 2169.725570] __run_timers.part.0+0x179/0x4c0 [ 2169.726003] ? call_timer_fn+0x320/0x320 [ 2169.726404] ? lock_downgrade+0x3a0/0x3a0 [ 2169.726820] ? kvm_clock_get_cycles+0x14/0x20 [ 2169.727257] ? ktime_get+0x92/0x150 [ 2169.727630] ? lapic_next_deadline+0x35/0x60 [ 2169.728069] run_timer_softirq+0x40/0x80 [ 2169.728475] __do_softirq+0x1a1/0x509 [ 2169.728866] irq_exit_rcu+0x95/0xc0 [ 2169.729241] sysvec_apic_timer_interrupt+0x6b/0x80 [ 2169.729718] </IRQ> [ 2169.729993] <TASK> [ 2169.730259] asm_sysvec_apic_timer_interrupt+0x16/0x20 [ 2169.730755] RIP: 0010:default_idle+0x13/0x20 [ 2169.731190] Code: c0 08 00 00 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 72 ff ff ff cc cc cc cc 8b 05 9a 7f 1f 02 85 c0 7e 07 0f 00 2d cf 69 43 00 fb f4 <fa> c3 66 66 2e 0f 1f 84 00 00 00 00 00 65 48 8b 04 25 c0 93 04 00 [ 2169.732759] RSP: 0018:ffff888100dbfe10 EFLAGS: 00000242 [ 2169.733264] RAX: 0000000000000001 RBX: ffff888100d9c200 RCX: ffffffff8241bd62 [ 2169.733925] RDX: ffffed109a848b15 RSI: 0000000000000004 RDI: ffffffff8127ac55 [ 2169.734566] RBP: 0000000000000004 R08: 0000000000000000 R09: ffffed109a848b14 [ 2169.735200] R10: ffff8884d42458a3 R11: 000000000000ba7e R12: ffffffff83d7d3a0 [ 2169.735835] R13: 1ffff110201b7fc6 R14: 0000000000000000 R15: ffff888100d9c200 [ 2169.736478] ? ct_kernel_exit.constprop.0+0xa2/0xc0 [ 2169.736954] ? do_idle+0x285/0x290 [ 2169.737323] default_idle_call+0x63/0x90 [ 2169.737730] do_idle+0x285/0x290 [ 2169.738089] ? arch_cpu_idle_exit+0x30/0x30 [ 2169.738511] ? mark_held_locks+0x1a/0x80 [ 2169.738917] ? lockdep_hardirqs_on_prepare+0x12e/0x200 [ 2169.739417] cpu_startup_entry+0x30/0x40 [ 2169.739825] start_secondary+0x19a/0x1c0 [ 2169.740229] ? set_cpu_sibling_map+0xbd0/0xbd0 [ 2169.740673] secondary_startup_64_no_verify+0x15d/0x16b [ 2169.741179] </TASK> [ 2169.741686] Allocated by task 1098: [ 2169.742058] kasan_save_stack+0x1c/0x40 [ 2169.742456] kasan_save_track+0x10/0x30 [ 2169.742852] __kasan_kmalloc+0x83/0x90 [ 2169.743246] mlx5_dpll_probe+0xf5/0x3c0 [mlx5_dpll] [ 2169.743730] auxiliary_bus_probe+0x62/0xb0 [ 2169.744148] really_probe+0x127/0x590 [ 2169.744534] __driver_probe_device+0xd2/0x200 [ 2169.744973] device_driver_attach+0x6b/0xf0 [ 2169.745402] bind_store+0x90/0xe0 [ 2169.745761] kernfs_fop_write_iter+0x1df/0x2a0 [ 2169.746210] vfs_write+0x41f/0x790 [ 2169.746579] ksys_write+0xc7/0x160 [ 2169.746947] do_syscall_64+0x6f/0x140 [ 2169.747333] entry_SYSCALL_64_after_hwframe+0x46/0x4e [ 2169.748049] Freed by task 1220: [ 2169.748393] kasan_save_stack+0x1c/0x40 [ 2169.748789] kasan_save_track+0x10/0x30 [ 2169.749188] kasan_save_free_info+0x3b/0x50 [ 2169.749621] poison_slab_object+0x106/0x180 [ 2169.750044] __kasan_slab_free+0x14/0x50 [ 2169.750451] kfree+0x118/0x330 [ 2169.750792] mlx5_dpll_remove+0xf5/0x110 [mlx5_dpll] [ 2169.751271] auxiliary_bus_remove+0x2e/0x40 [ 2169.751694] device_release_driver_internal+0x24b/0x2e0 [ 2169.752191] unbind_store+0xa6/0xb0 [ 2169.752563] kernfs_fo ---truncated---
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1596126ea50228f0ed96697bae4e9368fda02c56Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/aa1eec2f546f2afa8c98ec41e5d8ee488165d685Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/1596126ea50228f0ed96697bae4e9368fda02c56Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/aa1eec2f546f2afa8c98ec41e5d8ee488165d685Patch
Impacted products
Vendor Product Version
Linux Linux Version: 496fd0a26bbf73b6b12407ee4fbe5ff49d659a6d
Version: 496fd0a26bbf73b6b12407ee4fbe5ff49d659a6d
 Create a notification for this product.
   Linux Linux Version: 6.7
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-26724",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-04-05T17:56:55.554456Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-06-04T17:49:11.438Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T00:14:12.956Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://git.kernel.org/stable/c/1596126ea50228f0ed96697bae4e9368fda02c56",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://git.kernel.org/stable/c/aa1eec2f546f2afa8c98ec41e5d8ee488165d685",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Linux",
               programFiles: [
                  "drivers/net/ethernet/mellanox/mlx5/core/dpll.c",
               ],
               repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
               vendor: "Linux",
               versions: [
                  {
                     lessThan: "1596126ea50228f0ed96697bae4e9368fda02c56",
                     status: "affected",
                     version: "496fd0a26bbf73b6b12407ee4fbe5ff49d659a6d",
                     versionType: "git",
                  },
                  {
                     lessThan: "aa1eec2f546f2afa8c98ec41e5d8ee488165d685",
                     status: "affected",
                     version: "496fd0a26bbf73b6b12407ee4fbe5ff49d659a6d",
                     versionType: "git",
                  },
               ],
            },
            {
               defaultStatus: "affected",
               product: "Linux",
               programFiles: [
                  "drivers/net/ethernet/mellanox/mlx5/core/dpll.c",
               ],
               repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
               vendor: "Linux",
               versions: [
                  {
                     status: "affected",
                     version: "6.7",
                  },
                  {
                     lessThan: "6.7",
                     status: "unaffected",
                     version: "0",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "6.7.*",
                     status: "unaffected",
                     version: "6.7.6",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "*",
                     status: "unaffected",
                     version: "6.8",
                     versionType: "original_commit_for_fix",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: DPLL, Fix possible use after free after delayed work timer triggers\n\nI managed to hit following use after free warning recently:\n\n[ 2169.711665] ==================================================================\n[ 2169.714009] BUG: KASAN: slab-use-after-free in __run_timers.part.0+0x179/0x4c0\n[ 2169.716293] Write of size 8 at addr ffff88812b326a70 by task swapper/4/0\n\n[ 2169.719022] CPU: 4 PID: 0 Comm: swapper/4 Not tainted 6.8.0-rc2jiri+ #2\n[ 2169.720974] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 2169.722457] Call Trace:\n[ 2169.722756]  <IRQ>\n[ 2169.723024]  dump_stack_lvl+0x58/0xb0\n[ 2169.723417]  print_report+0xc5/0x630\n[ 2169.723807]  ? __virt_addr_valid+0x126/0x2b0\n[ 2169.724268]  kasan_report+0xbe/0xf0\n[ 2169.724667]  ? __run_timers.part.0+0x179/0x4c0\n[ 2169.725116]  ? __run_timers.part.0+0x179/0x4c0\n[ 2169.725570]  __run_timers.part.0+0x179/0x4c0\n[ 2169.726003]  ? call_timer_fn+0x320/0x320\n[ 2169.726404]  ? lock_downgrade+0x3a0/0x3a0\n[ 2169.726820]  ? kvm_clock_get_cycles+0x14/0x20\n[ 2169.727257]  ? ktime_get+0x92/0x150\n[ 2169.727630]  ? lapic_next_deadline+0x35/0x60\n[ 2169.728069]  run_timer_softirq+0x40/0x80\n[ 2169.728475]  __do_softirq+0x1a1/0x509\n[ 2169.728866]  irq_exit_rcu+0x95/0xc0\n[ 2169.729241]  sysvec_apic_timer_interrupt+0x6b/0x80\n[ 2169.729718]  </IRQ>\n[ 2169.729993]  <TASK>\n[ 2169.730259]  asm_sysvec_apic_timer_interrupt+0x16/0x20\n[ 2169.730755] RIP: 0010:default_idle+0x13/0x20\n[ 2169.731190] Code: c0 08 00 00 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 72 ff ff ff cc cc cc cc 8b 05 9a 7f 1f 02 85 c0 7e 07 0f 00 2d cf 69 43 00 fb f4 <fa> c3 66 66 2e 0f 1f 84 00 00 00 00 00 65 48 8b 04 25 c0 93 04 00\n[ 2169.732759] RSP: 0018:ffff888100dbfe10 EFLAGS: 00000242\n[ 2169.733264] RAX: 0000000000000001 RBX: ffff888100d9c200 RCX: ffffffff8241bd62\n[ 2169.733925] RDX: ffffed109a848b15 RSI: 0000000000000004 RDI: ffffffff8127ac55\n[ 2169.734566] RBP: 0000000000000004 R08: 0000000000000000 R09: ffffed109a848b14\n[ 2169.735200] R10: ffff8884d42458a3 R11: 000000000000ba7e R12: ffffffff83d7d3a0\n[ 2169.735835] R13: 1ffff110201b7fc6 R14: 0000000000000000 R15: ffff888100d9c200\n[ 2169.736478]  ? ct_kernel_exit.constprop.0+0xa2/0xc0\n[ 2169.736954]  ? do_idle+0x285/0x290\n[ 2169.737323]  default_idle_call+0x63/0x90\n[ 2169.737730]  do_idle+0x285/0x290\n[ 2169.738089]  ? arch_cpu_idle_exit+0x30/0x30\n[ 2169.738511]  ? mark_held_locks+0x1a/0x80\n[ 2169.738917]  ? lockdep_hardirqs_on_prepare+0x12e/0x200\n[ 2169.739417]  cpu_startup_entry+0x30/0x40\n[ 2169.739825]  start_secondary+0x19a/0x1c0\n[ 2169.740229]  ? set_cpu_sibling_map+0xbd0/0xbd0\n[ 2169.740673]  secondary_startup_64_no_verify+0x15d/0x16b\n[ 2169.741179]  </TASK>\n\n[ 2169.741686] Allocated by task 1098:\n[ 2169.742058]  kasan_save_stack+0x1c/0x40\n[ 2169.742456]  kasan_save_track+0x10/0x30\n[ 2169.742852]  __kasan_kmalloc+0x83/0x90\n[ 2169.743246]  mlx5_dpll_probe+0xf5/0x3c0 [mlx5_dpll]\n[ 2169.743730]  auxiliary_bus_probe+0x62/0xb0\n[ 2169.744148]  really_probe+0x127/0x590\n[ 2169.744534]  __driver_probe_device+0xd2/0x200\n[ 2169.744973]  device_driver_attach+0x6b/0xf0\n[ 2169.745402]  bind_store+0x90/0xe0\n[ 2169.745761]  kernfs_fop_write_iter+0x1df/0x2a0\n[ 2169.746210]  vfs_write+0x41f/0x790\n[ 2169.746579]  ksys_write+0xc7/0x160\n[ 2169.746947]  do_syscall_64+0x6f/0x140\n[ 2169.747333]  entry_SYSCALL_64_after_hwframe+0x46/0x4e\n\n[ 2169.748049] Freed by task 1220:\n[ 2169.748393]  kasan_save_stack+0x1c/0x40\n[ 2169.748789]  kasan_save_track+0x10/0x30\n[ 2169.749188]  kasan_save_free_info+0x3b/0x50\n[ 2169.749621]  poison_slab_object+0x106/0x180\n[ 2169.750044]  __kasan_slab_free+0x14/0x50\n[ 2169.750451]  kfree+0x118/0x330\n[ 2169.750792]  mlx5_dpll_remove+0xf5/0x110 [mlx5_dpll]\n[ 2169.751271]  auxiliary_bus_remove+0x2e/0x40\n[ 2169.751694]  device_release_driver_internal+0x24b/0x2e0\n[ 2169.752191]  unbind_store+0xa6/0xb0\n[ 2169.752563]  kernfs_fo\n---truncated---",
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-12-19T08:45:54.253Z",
            orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            shortName: "Linux",
         },
         references: [
            {
               url: "https://git.kernel.org/stable/c/1596126ea50228f0ed96697bae4e9368fda02c56",
            },
            {
               url: "https://git.kernel.org/stable/c/aa1eec2f546f2afa8c98ec41e5d8ee488165d685",
            },
         ],
         title: "net/mlx5: DPLL, Fix possible use after free after delayed work timer triggers",
         x_generator: {
            engine: "bippy-5f407fcff5a0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      assignerShortName: "Linux",
      cveId: "CVE-2024-26724",
      datePublished: "2024-04-03T14:55:23.349Z",
      dateReserved: "2024-02-19T14:20:24.163Z",
      dateUpdated: "2024-12-19T08:45:54.253Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2024-26724\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-03T15:15:54.203\",\"lastModified\":\"2025-02-27T14:34:43.180\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5: DPLL, Fix possible use after free after delayed work timer triggers\\n\\nI managed to hit following use after free warning recently:\\n\\n[ 2169.711665] ==================================================================\\n[ 2169.714009] BUG: KASAN: slab-use-after-free in __run_timers.part.0+0x179/0x4c0\\n[ 2169.716293] Write of size 8 at addr ffff88812b326a70 by task swapper/4/0\\n\\n[ 2169.719022] CPU: 4 PID: 0 Comm: swapper/4 Not tainted 6.8.0-rc2jiri+ #2\\n[ 2169.720974] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\\n[ 2169.722457] Call Trace:\\n[ 2169.722756]  <IRQ>\\n[ 2169.723024]  dump_stack_lvl+0x58/0xb0\\n[ 2169.723417]  print_report+0xc5/0x630\\n[ 2169.723807]  ? __virt_addr_valid+0x126/0x2b0\\n[ 2169.724268]  kasan_report+0xbe/0xf0\\n[ 2169.724667]  ? __run_timers.part.0+0x179/0x4c0\\n[ 2169.725116]  ? __run_timers.part.0+0x179/0x4c0\\n[ 2169.725570]  __run_timers.part.0+0x179/0x4c0\\n[ 2169.726003]  ? call_timer_fn+0x320/0x320\\n[ 2169.726404]  ? lock_downgrade+0x3a0/0x3a0\\n[ 2169.726820]  ? kvm_clock_get_cycles+0x14/0x20\\n[ 2169.727257]  ? ktime_get+0x92/0x150\\n[ 2169.727630]  ? lapic_next_deadline+0x35/0x60\\n[ 2169.728069]  run_timer_softirq+0x40/0x80\\n[ 2169.728475]  __do_softirq+0x1a1/0x509\\n[ 2169.728866]  irq_exit_rcu+0x95/0xc0\\n[ 2169.729241]  sysvec_apic_timer_interrupt+0x6b/0x80\\n[ 2169.729718]  </IRQ>\\n[ 2169.729993]  <TASK>\\n[ 2169.730259]  asm_sysvec_apic_timer_interrupt+0x16/0x20\\n[ 2169.730755] RIP: 0010:default_idle+0x13/0x20\\n[ 2169.731190] Code: c0 08 00 00 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 72 ff ff ff cc cc cc cc 8b 05 9a 7f 1f 02 85 c0 7e 07 0f 00 2d cf 69 43 00 fb f4 <fa> c3 66 66 2e 0f 1f 84 00 00 00 00 00 65 48 8b 04 25 c0 93 04 00\\n[ 2169.732759] RSP: 0018:ffff888100dbfe10 EFLAGS: 00000242\\n[ 2169.733264] RAX: 0000000000000001 RBX: ffff888100d9c200 RCX: ffffffff8241bd62\\n[ 2169.733925] RDX: ffffed109a848b15 RSI: 0000000000000004 RDI: ffffffff8127ac55\\n[ 2169.734566] RBP: 0000000000000004 R08: 0000000000000000 R09: ffffed109a848b14\\n[ 2169.735200] R10: ffff8884d42458a3 R11: 000000000000ba7e R12: ffffffff83d7d3a0\\n[ 2169.735835] R13: 1ffff110201b7fc6 R14: 0000000000000000 R15: ffff888100d9c200\\n[ 2169.736478]  ? ct_kernel_exit.constprop.0+0xa2/0xc0\\n[ 2169.736954]  ? do_idle+0x285/0x290\\n[ 2169.737323]  default_idle_call+0x63/0x90\\n[ 2169.737730]  do_idle+0x285/0x290\\n[ 2169.738089]  ? arch_cpu_idle_exit+0x30/0x30\\n[ 2169.738511]  ? mark_held_locks+0x1a/0x80\\n[ 2169.738917]  ? lockdep_hardirqs_on_prepare+0x12e/0x200\\n[ 2169.739417]  cpu_startup_entry+0x30/0x40\\n[ 2169.739825]  start_secondary+0x19a/0x1c0\\n[ 2169.740229]  ? set_cpu_sibling_map+0xbd0/0xbd0\\n[ 2169.740673]  secondary_startup_64_no_verify+0x15d/0x16b\\n[ 2169.741179]  </TASK>\\n\\n[ 2169.741686] Allocated by task 1098:\\n[ 2169.742058]  kasan_save_stack+0x1c/0x40\\n[ 2169.742456]  kasan_save_track+0x10/0x30\\n[ 2169.742852]  __kasan_kmalloc+0x83/0x90\\n[ 2169.743246]  mlx5_dpll_probe+0xf5/0x3c0 [mlx5_dpll]\\n[ 2169.743730]  auxiliary_bus_probe+0x62/0xb0\\n[ 2169.744148]  really_probe+0x127/0x590\\n[ 2169.744534]  __driver_probe_device+0xd2/0x200\\n[ 2169.744973]  device_driver_attach+0x6b/0xf0\\n[ 2169.745402]  bind_store+0x90/0xe0\\n[ 2169.745761]  kernfs_fop_write_iter+0x1df/0x2a0\\n[ 2169.746210]  vfs_write+0x41f/0x790\\n[ 2169.746579]  ksys_write+0xc7/0x160\\n[ 2169.746947]  do_syscall_64+0x6f/0x140\\n[ 2169.747333]  entry_SYSCALL_64_after_hwframe+0x46/0x4e\\n\\n[ 2169.748049] Freed by task 1220:\\n[ 2169.748393]  kasan_save_stack+0x1c/0x40\\n[ 2169.748789]  kasan_save_track+0x10/0x30\\n[ 2169.749188]  kasan_save_free_info+0x3b/0x50\\n[ 2169.749621]  poison_slab_object+0x106/0x180\\n[ 2169.750044]  __kasan_slab_free+0x14/0x50\\n[ 2169.750451]  kfree+0x118/0x330\\n[ 2169.750792]  mlx5_dpll_remove+0xf5/0x110 [mlx5_dpll]\\n[ 2169.751271]  auxiliary_bus_remove+0x2e/0x40\\n[ 2169.751694]  device_release_driver_internal+0x24b/0x2e0\\n[ 2169.752191]  unbind_store+0xa6/0xb0\\n[ 2169.752563]  kernfs_fo\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net/mlx5: DPLL, corrige el posible uso después de la activación del temporizador de trabajo retrasado después de la liberación. Logré alcanzar el siguiente uso después de la advertencia de la liberación gratuita recientemente: [2169.711665] ======== ==================================================== ======== [2169.714009] ERROR: KASAN: slab-use-after-free en __run_timers.part.0+0x179/0x4c0 [2169.716293] Escritura de tamaño 8 en la dirección ffff88812b326a70 mediante task swapper/4/0 [ 2169.719022] CPU: 4 PID: 0 Comm: swapper/4 No contaminado 6.8.0-rc2jiri+ #2 [2169.720974] Nombre de hardware: PC estándar QEMU (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02- prebuilt.qemu.org 01/04/2014 [2169.722457] Seguimiento de llamadas: [2169.722756]  [2169.723024] dump_stack_lvl+0x58/0xb0 [2169.723417] print_report+0xc5/0x630 [2169.72 3807] ? __virt_addr_valid+0x126/0x2b0 [ 2169.724268] kasan_report+0xbe/0xf0 [ 2169.724667] ? __run_timers.part.0+0x179/0x4c0 [2169.725116]? __run_timers.part.0+0x179/0x4c0 [2169.725570] __run_timers.part.0+0x179/0x4c0 [2169.726003]? call_timer_fn+0x320/0x320 [2169.726404]? lock_downgrade+0x3a0/0x3a0 [2169.726820]? kvm_clock_get_cycles+0x14/0x20 [2169.727257]? ktime_get+0x92/0x150 [2169.727630]? lapic_next_deadline+0x35/0x60 [ 2169.728069] run_timer_softirq+0x40/0x80 [ 2169.728475] __do_softirq+0x1a1/0x509 [ 2169.728866] irq_exit_rcu+0x95/0xc0 [ 2169.7 29241] sysvec_apic_timer_interrupt+0x6b/0x80 [ 2169.729718]  [ 2169.729993]  [ 2169.730259] asm_sysvec_apic_timer_interrupt+0x16/0x20 [ 2169.730755] RIP: 0010:default_idle+0x13/0x20 [ 2169.731190] Código: c0 08 00 00 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 72 ff ff ff cc cc cc cc 8b 05 9a 7f 1f 02 85 c0 7e 07 0f 00 2d cf 69 43 00 fb f4  c3 66 66 2e 0f 1f 84 00 00 00 00 00 65 48 8b 04 25 c0 93 04 00 [ 2169.732759 ] RSP: 0018:ffff888100dbfe10 EFLAGS : 00000242 [ 2169.733264] RAX: 00000000000000001 RBX: ffff888100d9c200 RCX: ffffffff8241bd62 [ 2169.733925] RDX: ffffed109a848b15 RSI: 000000000 0000004 RDI: ffffffff8127ac55 [ 2169.734566] RBP: 0000000000000004 R08: 0000000000000000 R09: ffffed109a848b14 [ 2169.735200] R10: ffff8884d4245 8a3 R11: 000000000000ba7e R12: ffffffff83d7d3a0 [2169.735835] R13: 1ffff110201b7fc6 R14: 0000000000000000 R15: ffff888100d9c200 [2169.736478] ? ct_kernel_exit.constprop.0+0xa2/0xc0 [2169.736954]? do_idle+0x285/0x290 [ 2169.737323] default_idle_call+0x63/0x90 [ 2169.737730] do_idle+0x285/0x290 [ 2169.738089] ? arch_cpu_idle_exit+0x30/0x30 [2169.738511]? mark_held_locks+0x1a/0x80 [2169.738917]? lockdep_hardirqs_on_prepare+0x12e/0x200 [ 2169.739417] cpu_startup_entry+0x30/0x40 [ 2169.739825] start_secondary+0x19a/0x1c0 [ 2169.740229] ? set_cpu_sibling_map+0xbd0/0xbd0 [ 2169.740673] second_startup_64_no_verify+0x15d/0x16b [ 2169.741179]  [ 2169.741686] Asignado por la tarea 1098: [ 2169.742058] kasan_save_s tachuela+0x1c/0x40 [ 2169.742456] kasan_save_track+0x10/0x30 [ 2169.742852] __kasan_kmalloc+0x83 /0x90 [ 2169.743246] mlx5_dpll_probe+0xf5/0x3c0 [mlx5_dpll] [ 2169.743730] sonda_bus_auxiliar+0x62/0xb0 [ 2169.744148] sonda_real+0x127/0x590 [ 2169.744534] __driver_probe_device+0xd2/0x200 [ 2169.744973] dispositivo_driver_attach+0x6b/0xf0 [ 2169.745402] bind_store+ 0x90/0xe0 [ 2169.745761] kernfs_fop_write_iter+0x1df/0x2a0 [ 2169.746210] vfs_write+0x41f/0x790 [ 2169.746579] ksys_write+0xc7/0x160 [ 2169.746947 ] do_syscall_64+0x6f/0x140 [ 2169.747333] Entry_SYSCALL_64_after_hwframe+0x46/0x4e [ 2169.748049] Liberado por la tarea 1220 : [ 2169.748393] kasan_save_stack+0x1c/0x40 [ 2169.748789] kasan_save_track+0x10/0x30 [ 2169.749188] kasan_save_free_info+0x3b/0x50 [ 2169.749621] veneno_slab_object+0x106 /0x180 [ 2169.750044] __kasan_slab_free+0x14/0x50 [ 2169.750451] kfree+0x118/0x330 [ 2169.750792] mlx5_dpll_remove+0xf5/0x110 [mlx5_dpll] [ 2169.751271] auxiliar_bus_remove+0x2e/0x40 ---truncado---\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.7.6\",\"matchCriteriaId\":\"C6D6A5C8-7308-42A9-8A72-ABF3DEA4BB82\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"B9F4EA73-0894-400F-A490-3A397AB7A517\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"056BD938-0A27-4569-B391-30578B309EE3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F02056A5-B362-4370-9FF8-6F0BD384D520\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"62075ACE-B2A0-4B16-829D-B3DA5AE5CC41\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1596126ea50228f0ed96697bae4e9368fda02c56\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/aa1eec2f546f2afa8c98ec41e5d8ee488165d685\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/1596126ea50228f0ed96697bae4e9368fda02c56\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/aa1eec2f546f2afa8c98ec41e5d8ee488165d685\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/1596126ea50228f0ed96697bae4e9368fda02c56\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/aa1eec2f546f2afa8c98ec41e5d8ee488165d685\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T00:14:12.956Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-26724\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-04-05T17:56:55.554456Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:22.289Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"net/mlx5: DPLL, Fix possible use after free after delayed work timer triggers\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"496fd0a26bbf73b6b12407ee4fbe5ff49d659a6d\", \"lessThan\": \"1596126ea50228f0ed96697bae4e9368fda02c56\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"496fd0a26bbf73b6b12407ee4fbe5ff49d659a6d\", \"lessThan\": \"aa1eec2f546f2afa8c98ec41e5d8ee488165d685\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/net/ethernet/mellanox/mlx5/core/dpll.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.7\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"6.7\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.7.6\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.7.*\"}, {\"status\": \"unaffected\", \"version\": \"6.8\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/net/ethernet/mellanox/mlx5/core/dpll.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/1596126ea50228f0ed96697bae4e9368fda02c56\"}, {\"url\": \"https://git.kernel.org/stable/c/aa1eec2f546f2afa8c98ec41e5d8ee488165d685\"}], \"x_generator\": {\"engine\": \"bippy-5f407fcff5a0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5: DPLL, Fix possible use after free after delayed work timer triggers\\n\\nI managed to hit following use after free warning recently:\\n\\n[ 2169.711665] ==================================================================\\n[ 2169.714009] BUG: KASAN: slab-use-after-free in __run_timers.part.0+0x179/0x4c0\\n[ 2169.716293] Write of size 8 at addr ffff88812b326a70 by task swapper/4/0\\n\\n[ 2169.719022] CPU: 4 PID: 0 Comm: swapper/4 Not tainted 6.8.0-rc2jiri+ #2\\n[ 2169.720974] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\\n[ 2169.722457] Call Trace:\\n[ 2169.722756]  <IRQ>\\n[ 2169.723024]  dump_stack_lvl+0x58/0xb0\\n[ 2169.723417]  print_report+0xc5/0x630\\n[ 2169.723807]  ? __virt_addr_valid+0x126/0x2b0\\n[ 2169.724268]  kasan_report+0xbe/0xf0\\n[ 2169.724667]  ? __run_timers.part.0+0x179/0x4c0\\n[ 2169.725116]  ? __run_timers.part.0+0x179/0x4c0\\n[ 2169.725570]  __run_timers.part.0+0x179/0x4c0\\n[ 2169.726003]  ? call_timer_fn+0x320/0x320\\n[ 2169.726404]  ? lock_downgrade+0x3a0/0x3a0\\n[ 2169.726820]  ? kvm_clock_get_cycles+0x14/0x20\\n[ 2169.727257]  ? ktime_get+0x92/0x150\\n[ 2169.727630]  ? lapic_next_deadline+0x35/0x60\\n[ 2169.728069]  run_timer_softirq+0x40/0x80\\n[ 2169.728475]  __do_softirq+0x1a1/0x509\\n[ 2169.728866]  irq_exit_rcu+0x95/0xc0\\n[ 2169.729241]  sysvec_apic_timer_interrupt+0x6b/0x80\\n[ 2169.729718]  </IRQ>\\n[ 2169.729993]  <TASK>\\n[ 2169.730259]  asm_sysvec_apic_timer_interrupt+0x16/0x20\\n[ 2169.730755] RIP: 0010:default_idle+0x13/0x20\\n[ 2169.731190] Code: c0 08 00 00 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 72 ff ff ff cc cc cc cc 8b 05 9a 7f 1f 02 85 c0 7e 07 0f 00 2d cf 69 43 00 fb f4 <fa> c3 66 66 2e 0f 1f 84 00 00 00 00 00 65 48 8b 04 25 c0 93 04 00\\n[ 2169.732759] RSP: 0018:ffff888100dbfe10 EFLAGS: 00000242\\n[ 2169.733264] RAX: 0000000000000001 RBX: ffff888100d9c200 RCX: ffffffff8241bd62\\n[ 2169.733925] RDX: ffffed109a848b15 RSI: 0000000000000004 RDI: ffffffff8127ac55\\n[ 2169.734566] RBP: 0000000000000004 R08: 0000000000000000 R09: ffffed109a848b14\\n[ 2169.735200] R10: ffff8884d42458a3 R11: 000000000000ba7e R12: ffffffff83d7d3a0\\n[ 2169.735835] R13: 1ffff110201b7fc6 R14: 0000000000000000 R15: ffff888100d9c200\\n[ 2169.736478]  ? ct_kernel_exit.constprop.0+0xa2/0xc0\\n[ 2169.736954]  ? do_idle+0x285/0x290\\n[ 2169.737323]  default_idle_call+0x63/0x90\\n[ 2169.737730]  do_idle+0x285/0x290\\n[ 2169.738089]  ? arch_cpu_idle_exit+0x30/0x30\\n[ 2169.738511]  ? mark_held_locks+0x1a/0x80\\n[ 2169.738917]  ? lockdep_hardirqs_on_prepare+0x12e/0x200\\n[ 2169.739417]  cpu_startup_entry+0x30/0x40\\n[ 2169.739825]  start_secondary+0x19a/0x1c0\\n[ 2169.740229]  ? set_cpu_sibling_map+0xbd0/0xbd0\\n[ 2169.740673]  secondary_startup_64_no_verify+0x15d/0x16b\\n[ 2169.741179]  </TASK>\\n\\n[ 2169.741686] Allocated by task 1098:\\n[ 2169.742058]  kasan_save_stack+0x1c/0x40\\n[ 2169.742456]  kasan_save_track+0x10/0x30\\n[ 2169.742852]  __kasan_kmalloc+0x83/0x90\\n[ 2169.743246]  mlx5_dpll_probe+0xf5/0x3c0 [mlx5_dpll]\\n[ 2169.743730]  auxiliary_bus_probe+0x62/0xb0\\n[ 2169.744148]  really_probe+0x127/0x590\\n[ 2169.744534]  __driver_probe_device+0xd2/0x200\\n[ 2169.744973]  device_driver_attach+0x6b/0xf0\\n[ 2169.745402]  bind_store+0x90/0xe0\\n[ 2169.745761]  kernfs_fop_write_iter+0x1df/0x2a0\\n[ 2169.746210]  vfs_write+0x41f/0x790\\n[ 2169.746579]  ksys_write+0xc7/0x160\\n[ 2169.746947]  do_syscall_64+0x6f/0x140\\n[ 2169.747333]  entry_SYSCALL_64_after_hwframe+0x46/0x4e\\n\\n[ 2169.748049] Freed by task 1220:\\n[ 2169.748393]  kasan_save_stack+0x1c/0x40\\n[ 2169.748789]  kasan_save_track+0x10/0x30\\n[ 2169.749188]  kasan_save_free_info+0x3b/0x50\\n[ 2169.749621]  poison_slab_object+0x106/0x180\\n[ 2169.750044]  __kasan_slab_free+0x14/0x50\\n[ 2169.750451]  kfree+0x118/0x330\\n[ 2169.750792]  mlx5_dpll_remove+0xf5/0x110 [mlx5_dpll]\\n[ 2169.751271]  auxiliary_bus_remove+0x2e/0x40\\n[ 2169.751694]  device_release_driver_internal+0x24b/0x2e0\\n[ 2169.752191]  unbind_store+0xa6/0xb0\\n[ 2169.752563]  kernfs_fo\\n---truncated---\"}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2024-12-19T08:45:54.253Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2024-26724\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-19T08:45:54.253Z\", \"dateReserved\": \"2024-02-19T14:20:24.163Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-04-03T14:55:23.349Z\", \"assignerShortName\": \"Linux\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.