Bug 2297589 (CVE-2024-41005) - CVE-2024-41005 kernel: netpoll: Fix race condition in netpoll_owner_active
Summary: CVE-2024-41005 kernel: netpoll: Fix race condition in netpoll_owner_active
Keywords:
Status: NEW
Alias: CVE-2024-41005
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2314656
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-07-12 13:50 UTC by OSIDB Bzimport
Modified: 2024-11-07 15:10 UTC (History)
5 users (show)

Fixed In Version: kernel 5.10.221, kernel 5.15.162, kernel 6.1.96, kernel 6.6.36, kernel 6.9.7, kernel 6.10-rc1
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:7043 0 None None None 2024-09-24 09:43:12 UTC
Red Hat Product Errata RHBA-2024:7198 0 None None None 2024-09-26 09:50:53 UTC
Red Hat Product Errata RHBA-2024:7236 0 None None None 2024-09-26 14:33:25 UTC
Red Hat Product Errata RHBA-2024:7637 0 None None None 2024-10-03 14:46:01 UTC
Red Hat Product Errata RHBA-2024:8227 0 None None None 2024-10-17 06:46:04 UTC
Red Hat Product Errata RHBA-2024:9014 0 None None None 2024-11-07 15:10:51 UTC
Red Hat Product Errata RHSA-2024:7000 0 None None None 2024-09-24 02:34:40 UTC
Red Hat Product Errata RHSA-2024:7001 0 None None None 2024-09-24 00:39:23 UTC
Red Hat Product Errata RHSA-2024:8617 0 None None None 2024-10-30 01:26:44 UTC

Description OSIDB Bzimport 2024-07-12 13:50:49 UTC 
In the Linux kernel, the following vulnerability has been resolved:

netpoll: Fix race condition in netpoll_owner_active

KCSAN detected a race condition in netpoll:

	BUG: KCSAN: data-race in net_rx_action / netpoll_send_skb
	write (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10:
	net_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822)
<snip>
	read to 0xffff8881164168b0 of 4 bytes by task 1 on cpu 2:
	netpoll_send_skb (net/core/netpoll.c:319 net/core/netpoll.c:345 net/core/netpoll.c:393)
	netpoll_send_udp (net/core/netpoll.c:?)
<snip>
	value changed: 0x0000000a -> 0xffffffff

This happens because netpoll_owner_active() needs to check if the
current CPU is the owner of the lock, touching napi->poll_owner
non atomically. The ->poll_owner field contains the current CPU holding
the lock.

Use an atomic read to check if the poll owner is the current CPU.
Comment 131 errata-xmlrpc 2024-09-24 00:39:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:7001 https://access.redhat.com/errata/RHSA-2024:7001
Comment 132 errata-xmlrpc 2024-09-24 02:34:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:7000 https://access.redhat.com/errata/RHSA-2024:7000
Comment 133 errata-xmlrpc 2024-10-30 01:26:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:8617 https://access.redhat.com/errata/RHSA-2024:8617
Note You need to log in before you can comment on or make changes to this bug.