GHSA-7C8X-XJQV-R325

Vulnerability from github – Published: 2024-02-28 09:30 – Updated: 2024-08-01 15:31
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

net: marvell: prestera: fix port event handling on init

For some reason there might be a crash during ports creation if port events are handling at the same time because fw may send initial port event with down state.

The crash points to cancel_delayed_work() which is called when port went is down. Currently I did not find out the real cause of the issue, so fixed it by cancel port stats work only if previous port's state was up & runnig.

The following is the crash which can be triggered:

[ 28.311104] Unable to handle kernel paging request at virtual address 000071775f776600 [ 28.319097] Mem abort info: [ 28.321914] ESR = 0x96000004 [ 28.324996] EC = 0x25: DABT (current EL), IL = 32 bits [ 28.330350] SET = 0, FnV = 0 [ 28.333430] EA = 0, S1PTW = 0 [ 28.336597] Data abort info: [ 28.339499] ISV = 0, ISS = 0x00000004 [ 28.343362] CM = 0, WnR = 0 [ 28.346354] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000100bf7000 [ 28.352842] [000071775f776600] pgd=0000000000000000, p4d=0000000000000000 [ 28.359695] Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 28.365310] Modules linked in: prestera_pci(+) prestera uio_pdrv_genirq [ 28.372005] CPU: 0 PID: 1291 Comm: kworker/0:1H Not tainted 5.11.0-rc4 #1 [ 28.378846] Hardware name: DNI AmazonGo1 A7040 board (DT) [ 28.384283] Workqueue: prestera_fw_wq prestera_fw_evt_work_fn [prestera_pci] [ 28.391413] pstate: 60000085 (nZCv daIf -PAN -UAO -TCO BTYPE=--) [ 28.397468] pc : get_work_pool+0x48/0x60 [ 28.401442] lr : try_to_grab_pending+0x6c/0x1b0 [ 28.406018] sp : ffff80001391bc60 [ 28.409358] x29: ffff80001391bc60 x28: 0000000000000000 [ 28.414725] x27: ffff000104fc8b40 x26: ffff80001127de88 [ 28.420089] x25: 0000000000000000 x24: ffff000106119760 [ 28.425452] x23: ffff00010775dd60 x22: ffff00010567e000 [ 28.430814] x21: 0000000000000000 x20: ffff80001391bcb0 [ 28.436175] x19: ffff00010775deb8 x18: 00000000000000c0 [ 28.441537] x17: 0000000000000000 x16: 000000008d9b0e88 [ 28.446898] x15: 0000000000000001 x14: 00000000000002ba [ 28.452261] x13: 80a3002c00000002 x12: 00000000000005f4 [ 28.457622] x11: 0000000000000030 x10: 000000000000000c [ 28.462985] x9 : 000000000000000c x8 : 0000000000000030 [ 28.468346] x7 : ffff800014400000 x6 : ffff000106119758 [ 28.473708] x5 : 0000000000000003 x4 : ffff00010775dc60 [ 28.479068] x3 : 0000000000000000 x2 : 0000000000000060 [ 28.484429] x1 : 000071775f776600 x0 : ffff00010775deb8 [ 28.489791] Call trace: [ 28.492259] get_work_pool+0x48/0x60 [ 28.495874] cancel_delayed_work+0x38/0xb0 [ 28.500011] prestera_port_handle_event+0x90/0xa0 [prestera] [ 28.505743] prestera_evt_recv+0x98/0xe0 [prestera] [ 28.510683] prestera_fw_evt_work_fn+0x180/0x228 [prestera_pci] [ 28.516660] process_one_work+0x1e8/0x360 [ 28.520710] worker_thread+0x44/0x480 [ 28.524412] kthread+0x154/0x160 [ 28.527670] ret_from_fork+0x10/0x38 [ 28.531290] Code: a8c17bfd d50323bf d65f03c0 9278dc21 (f9400020) [ 28.537429] ---[ end trace 5eced933df3a080b ]---

Severity ?
8.2 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2021-47023"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-28T09:15:39Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: marvell: prestera: fix port event handling on init\n\nFor some reason there might be a crash during ports creation if port\nevents are handling at the same time  because fw may send initial\nport event with down state.\n\nThe crash points to cancel_delayed_work() which is called when port went\nis down.  Currently I did not find out the real cause of the issue, so\nfixed it by cancel port stats work only if previous port\u0027s state was up\n\u0026 runnig.\n\nThe following is the crash which can be triggered:\n\n[   28.311104] Unable to handle kernel paging request at virtual address\n000071775f776600\n[   28.319097] Mem abort info:\n[   28.321914]   ESR = 0x96000004\n[   28.324996]   EC = 0x25: DABT (current EL), IL = 32 bits\n[   28.330350]   SET = 0, FnV = 0\n[   28.333430]   EA = 0, S1PTW = 0\n[   28.336597] Data abort info:\n[   28.339499]   ISV = 0, ISS = 0x00000004\n[   28.343362]   CM = 0, WnR = 0\n[   28.346354] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000100bf7000\n[   28.352842] [000071775f776600] pgd=0000000000000000,\np4d=0000000000000000\n[   28.359695] Internal error: Oops: 96000004 [#1] PREEMPT SMP\n[   28.365310] Modules linked in: prestera_pci(+) prestera\nuio_pdrv_genirq\n[   28.372005] CPU: 0 PID: 1291 Comm: kworker/0:1H Not tainted\n5.11.0-rc4 #1\n[   28.378846] Hardware name: DNI AmazonGo1 A7040 board (DT)\n[   28.384283] Workqueue: prestera_fw_wq prestera_fw_evt_work_fn\n[prestera_pci]\n[   28.391413] pstate: 60000085 (nZCv daIf -PAN -UAO -TCO BTYPE=--)\n[   28.397468] pc : get_work_pool+0x48/0x60\n[   28.401442] lr : try_to_grab_pending+0x6c/0x1b0\n[   28.406018] sp : ffff80001391bc60\n[   28.409358] x29: ffff80001391bc60 x28: 0000000000000000\n[   28.414725] x27: ffff000104fc8b40 x26: ffff80001127de88\n[   28.420089] x25: 0000000000000000 x24: ffff000106119760\n[   28.425452] x23: ffff00010775dd60 x22: ffff00010567e000\n[   28.430814] x21: 0000000000000000 x20: ffff80001391bcb0\n[   28.436175] x19: ffff00010775deb8 x18: 00000000000000c0\n[   28.441537] x17: 0000000000000000 x16: 000000008d9b0e88\n[   28.446898] x15: 0000000000000001 x14: 00000000000002ba\n[   28.452261] x13: 80a3002c00000002 x12: 00000000000005f4\n[   28.457622] x11: 0000000000000030 x10: 000000000000000c\n[   28.462985] x9 : 000000000000000c x8 : 0000000000000030\n[   28.468346] x7 : ffff800014400000 x6 : ffff000106119758\n[   28.473708] x5 : 0000000000000003 x4 : ffff00010775dc60\n[   28.479068] x3 : 0000000000000000 x2 : 0000000000000060\n[   28.484429] x1 : 000071775f776600 x0 : ffff00010775deb8\n[   28.489791] Call trace:\n[   28.492259]  get_work_pool+0x48/0x60\n[   28.495874]  cancel_delayed_work+0x38/0xb0\n[   28.500011]  prestera_port_handle_event+0x90/0xa0 [prestera]\n[   28.505743]  prestera_evt_recv+0x98/0xe0 [prestera]\n[   28.510683]  prestera_fw_evt_work_fn+0x180/0x228 [prestera_pci]\n[   28.516660]  process_one_work+0x1e8/0x360\n[   28.520710]  worker_thread+0x44/0x480\n[   28.524412]  kthread+0x154/0x160\n[   28.527670]  ret_from_fork+0x10/0x38\n[   28.531290] Code: a8c17bfd d50323bf d65f03c0 9278dc21 (f9400020)\n[   28.537429] ---[ end trace 5eced933df3a080b ]---",
  "id": "GHSA-7c8x-xjqv-r325",
  "modified": "2024-08-01T15:31:28Z",
  "published": "2024-02-28T09:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47023"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0ce6052802be2cb61a57b753e41301339c88c839"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/333980481b99edb24ebd5d1a53af70a15d9146de"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9d1ba11fabdd8f25abb24272ef1621417981320b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b5bba6ede42693f50ce1c9944315cefed7491061"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.