Bug 2271795 (CVE-2024-26650) - CVE-2024-26650 kernel: p2sb_bar() calls during PCI device probe
Summary: CVE-2024-26650 kernel: p2sb_bar() calls during PCI device probe
Keywords:
Status: NEW
Alias: CVE-2024-26650
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2271798
Blocks: 2271799 2271782
TreeView+ depends on / blocked
 
Reported: 2024-03-27 11:40 UTC by Rohit Keshri
Modified: 2024-12-02 11:01 UTC (History)
50 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:9315 0 None None None 2024-11-12 09:21:03 UTC

Description Rohit Keshri 2024-03-27 11:40:47 UTC 
In the Linux kernel, the following vulnerability has been resolved:

platform/x86: p2sb: Allow p2sb_bar() calls during PCI device probe

p2sb_bar() unhides P2SB device to get resources from the device. It
guards the operation by locking pci_rescan_remove_lock so that parallel
rescans do not find the P2SB device. However, this lock causes deadlock
when PCI bus rescan is triggered by /sys/bus/pci/rescan. The rescan
locks pci_rescan_remove_lock and probes PCI devices. When PCI devices
call p2sb_bar() during probe, it locks pci_rescan_remove_lock again.
Hence the deadlock.

To avoid the deadlock, do not lock pci_rescan_remove_lock in p2sb_bar().
Instead, do the lock at fs_initcall. Introduce p2sb_cache_resources()
for fs_initcall which gets and caches the P2SB resources. At p2sb_bar(),
refer the cache and return to the caller.

Before operating the device at P2SB DEVFN for resource cache, check
that its device class is PCI_CLASS_MEMORY_OTHER 0x0580 that PCH
specifications define. This avoids unexpected operation to other devices
at the same DEVFN.

Tested-by Klara Modin <klarasmodin>

https://git.kernel.org/stable/c/2841631a03652f32b595c563695d0461072e0de4
https://git.kernel.org/stable/c/5913320eb0b3ec88158cfcb0fa5e996bf4ef681b
https://git.kernel.org/stable/c/847e1eb30e269a094da046c08273abe3f3361cf2
https://git.kernel.org/stable/c/d281ac9a987c553d93211b90fd4fe97d8eca32cd
Comment 1 Rohit Keshri 2024-03-27 11:47:19 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2271798]
Comment 4 Justin M. Forbes 2024-03-27 20:27:13 UTC 
This was fixed for Fedora with the 6.7.3 stable kernel updates.
Comment 6 Alex 2024-06-09 16:34:32 UTC 
The result of automatic check (that is developed by Alexander Larkin) for this CVE-2024-26650 is: CHECK	Maybe valid. Check manually. with impact LOW (that is an approximation based on flags DEADLOCK INIT IMPROVEONLY  ; these flags parsed automatically based on patch data). Such automatic check happens only for Low/Moderates (and only when not from reporter, but parsing already existing CVE). Highs always checked manually (I check it myself and then we check it again in Remediation team). In rare cases some of the Moderates could be increased to High later.
Comment 7 errata-xmlrpc 2024-11-12 09:20:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9315 https://access.redhat.com/errata/RHSA-2024:9315
Comment 8 TEJ RATHI 2024-12-02 11:01:24 UTC 
This CVE has been rejected upstream:- https://lore.kernel.org/linux-cve-announce/2024052359-REJECTED-006a@gregkh/
Note You need to log in before you can comment on or make changes to this bug.