Bug 2297540 (CVE-2024-40956)

Summary: CVE-2024-40956 kernel: dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dfreiber, drow, jburrell, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 5.15.162, kernel 6.1.96, kernel 6.6.36, kernel 6.9.7, kernel 6.10-rc5 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the Linux kernel's DMA engine component in the irq_process_work_list() function, where a possible use-after-free condition can occur during list iteration, which caused because a descriptor may be freed while another thread is reusing it, potentially leading to access of freed memory.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2024-07-12 13:40:11 UTC
In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list

Use list_for_each_entry_safe() to allow iterating through the list and
deleting the entry in the iteration process. The descriptor is freed via
idxd_desc_complete() and there's a slight chance may cause issue for
the list iterator when the descriptor is reused by another thread
without it being deleted from the list.

Comment 11 errata-xmlrpc 2024-09-04 00:11:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:6268 https://access.redhat.com/errata/RHSA-2024:6268

Comment 12 errata-xmlrpc 2024-09-04 00:25:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:6267 https://access.redhat.com/errata/RHSA-2024:6267