Bug 2297540 (CVE-2024-40956) - CVE-2024-40956 kernel: dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list
Keywords:
Status: NEW
Alias: CVE-2024-40956
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-07-12 13:40 UTC by OSIDB Bzimport
Modified: 2024-09-23 02:08 UTC

Fixed In Version: kernel 5.15.162, kernel 6.1.96, kernel 6.6.36, kernel 6.9.7, kernel 6.10-rc5
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the irq_process_work_list() function of the Linux kernel's DMA engine component, where a possible use-after-free condition can occur during list iteration. It is caused because a descriptor may be freed while another thread is reusing it, potentially leading to access of freed memory.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2024:6267 | 0 | None | None | None | 2024-09-04 00:25:39 UTC
Red Hat Product Errata | RHSA-2024:6268 | 0 | None | None | None | 2024-09-04 00:11:40 UTC

Description OSIDB Bzimport 2024-07-12 13:40:11 UTC
In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list

Use list_for_each_entry_safe() to allow iterating through the list and
deleting the entry in the iteration process. The descriptor is freed via
idxd_desc_complete() and there's a slight chance this may cause an issue for
the list iterator when the descriptor is reused by another thread
without it being deleted from the list.
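
The iteration pattern the description refers to, as an added example: a userspace model written for this page, not the idxd driver or kernel source. `struct desc`, the pool, `complete_and_reuse()` and the `max_steps` guard are assumptions for illustration; reuse by another thread is simulated by re-initialising the entry's list links.

```c
#include <stddef.h>
#include <stdio.h>
/* Userspace model of the kernel's circular list; not the idxd driver code. */
struct list_head { struct list_head *next, *prev; };
struct desc { int done; struct list_head list; };   /* hypothetical descriptor */
#define to_desc(p) ((struct desc *)((char *)(p) - offsetof(struct desc, list)))
#define NDESC 3
static struct desc pool[NDESC];
static struct list_head flist;
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_del(struct list_head *n) { n->prev->next = n->next; n->next->prev = n->prev; }
static void fill(void)
{
    list_init(&flist);
    for (int i = 0; i < NDESC; i++) {   /* list_add_tail() written out */
        struct list_head *n = &pool[i].list;
        pool[i].done = 0;
        n->prev = flist.prev; n->next = &flist; flist.prev->next = n; flist.prev = n;
    }
}
/* Completion stand-in: a simulated second thread reuses the entry at once. */
static void complete_and_reuse(struct desc *d) { d->done++; list_init(&d->list); }
/* Before: ->next is read from the entry after the body gave it away. */
int walk_unsafe(int max_steps)
{
    int steps = 0;
    fill();
    for (struct list_head *p = flist.next; p != &flist && steps < max_steps; p = p->next, steps++)
        complete_and_reuse(to_desc(p));
    return steps;   /* hits max_steps: the walk is stuck on the reused entry */
}
/* After: successor saved first, entry unlinked before it is completed. */
int walk_safe(int max_steps)
{
    int steps = 0;
    fill();
    for (struct list_head *p = flist.next, *n = p->next; p != &flist && steps < max_steps; p = n, n = p->next, steps++) {
        list_del(p);
        complete_and_reuse(to_desc(p));
    }
    return steps;
}
int times_completed(int i) { return pool[i].done; }
int list_is_empty(void) { return flist.next == &flist; }
int main(void)
{
    int u = walk_unsafe(10), stuck = times_completed(0), s = walk_safe(10);
    printf("unsafe: %d steps, desc 0 hit %d times; safe: %d steps, empty=%d\n", u, stuck, s, list_is_empty());
    return 0;
}
```

In the model the unsafe walk never reaches the second and third descriptors because the reused entry's links no longer lead back into the list; in the kernel the same stale read lands in memory owned by another thread.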

Comment 11 errata-xmlrpc 2024-09-04 00:11:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:6268 https://access.redhat.com/errata/RHSA-2024:6268

Comment 12 errata-xmlrpc 2024-09-04 00:25:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:6267 https://access.redhat.com/errata/RHSA-2024:6267

