Bug 2265656 (CVE-2024-26587)

Summary: CVE-2024-26587 kernel: netdevsim: don't try to destroy PHC on VFs
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: low
Priority: low
Version: unspecified
CC: acaringi, allarkin, aquini, bhu, chwhite, cye, cyin, dbohanno, debarbos, dfreiber, drow, dvlasenk, esandeen, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, kzhang, ldoskova, lgoncalv, lzampier, mleitner, mmilgram, mstowell, nmurray, ptalbert, rkeshri, rparrazo, rrobaina, rvrbovsk, scweaver, sukulkar, tglozar, vkumar, wcosta, williams, wmealing, ycote, ykopkova, zhijwang
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: kernel 6.8-rc1
Bug Depends On: 2265667    
Bug Blocks: 2265643    

Description Patrick Del Bello 2024-02-23 13:51:07 UTC
net: netdevsim: don't try to destroy PHC on VFs

PHC gets initialized in nsim_init_netdevsim(), which
is only called if (nsim_dev_port_is_pf()).

Create a counterpart of nsim_init_netdevsim() and
move the mock_phc_destroy() there.

This fixes a crash trying to destroy netdevsim with
VFs instantiated, as caught by running the devlink.sh test:

    BUG: kernel NULL pointer dereference, address: 00000000000000b8
    RIP: 0010:mock_phc_destroy+0xd/0x30
    Call Trace:
     <TASK>
     nsim_destroy+0x4a/0x70 [netdevsim]
     __nsim_dev_port_del+0x47/0x70 [netdevsim]
     nsim_dev_reload_destroy+0x105/0x120 [netdevsim]
     nsim_drv_remove+0x2f/0xb0 [netdevsim]
     device_release_driver_internal+0x1a1/0x210
     bus_remove_device+0xd5/0x120
     device_del+0x159/0x490
     device_unregister+0x12/0x30
     del_device_store+0x11a/0x1a0 [netdevsim]
     kernfs_fop_write_iter+0x130/0x1d0
     vfs_write+0x30b/0x4b0
     ksys_write+0x69/0xf0
     do_syscall_64+0xcc/0x1e0
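
The setup/teardown mismatch described above, as an added userspace model (not the kernel patch and not code from this bug): every `model_*` name, `run_case` and the `TEARDOWN_*` values are hypothetical stand-ins, and the NULL case is reported as a return value instead of faulting.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model; every model_* name is hypothetical, not a kernel symbol. */
struct model_phc { int clock_index; };
struct model_port { bool is_pf; struct model_phc *phc; }; /* phc stays NULL on VFs */
enum { TEARDOWN_OK = 0, TEARDOWN_NULL_PHC = -1 };

/* Stands in for mock_phc_destroy(); reports the NULL case instead of faulting. */
static int model_phc_destroy(struct model_phc *phc)
{
    if (!phc)
        return TEARDOWN_NULL_PHC;   /* the kernel oopses at this point */
    free(phc);
    return TEARDOWN_OK;
}

/* PF-only setup, like nsim_init_netdevsim() in the description. */
static int model_port_init(struct model_port *p, bool is_pf)
{
    p->is_pf = is_pf;
    p->phc = is_pf ? calloc(1, sizeof(*p->phc)) : NULL;
    return (is_pf && !p->phc) ? -1 : 0;
}

/* Before the fix: PHC teardown runs for every port type. */
static int model_destroy_before(struct model_port *p)
{
    return model_phc_destroy(p->phc);
}

/* After the fix: teardown is gated on the same PF check as setup. */
static int model_destroy_after(struct model_port *p)
{
    return p->is_pf ? model_phc_destroy(p->phc) : TEARDOWN_OK;
}

/* Create one port, tear it down with the chosen variant, return the result. */
int run_case(bool is_pf, bool fixed)
{
    struct model_port p;
    if (model_port_init(&p, is_pf))
        return -2;
    return fixed ? model_destroy_after(&p) : model_destroy_before(&p);
}

int main(void)
{
    printf("VF teardown: before=%d after=%d\n", run_case(false, false), run_case(false, true));
}
```

Only the VF path differs between the two variants; PF teardown returns `TEARDOWN_OK` in both.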

Comment 1 Patrick Del Bello 2024-02-23 14:39:23 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2265667]

Comment 3 Justin M. Forbes 2024-02-27 00:29:57 UTC
	Issue introduced in 6.6 with commit b63e78fca889 and fixed in 6.6.14 with commit 08aca65997fb
	Issue introduced in 6.6 with commit b63e78fca889 and fixed in 6.7.2 with commit c5068e442eed
	Issue introduced in 6.6 with commit b63e78fca889 and fixed in 6.8-rc1 with commit ea937f772083

Comment 4 Justin M. Forbes 2024-02-27 00:30:29 UTC
This was fixed for Fedora with the 6.6.14 stable kernel updates.

Comment 9 Alex 2024-06-09 12:33:50 UTC
The result of automatic check (that is developed by Alexander Larkin) for this CVE-2024-26587 is: 	SKIP	The Fixes patch not applied yet, so unlikely that actual: b63e78fca889e07931ec8f259701718a24e5052e	YES			NO	NO	unknown (where first YES/NO value means if related sources built).