Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-26891

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
17/04/2024
Last modified:
07/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/vt-d: Don&amp;#39;t issue ATS Invalidation request when device is disconnected<br /> <br /> For those endpoint devices connect to system via hotplug capable ports,<br /> users could request a hot reset to the device by flapping device&amp;#39;s link<br /> through setting the slot&amp;#39;s link control register, as pciehp_ist() DLLSC<br /> interrupt sequence response, pciehp will unload the device driver and<br /> then power it off. thus cause an IOMMU device-TLB invalidation (Intel<br /> VT-d spec, or ATS Invalidation in PCIe spec r6.1) request for non-existence<br /> target device to be sent and deadly loop to retry that request after ITE<br /> fault triggered in interrupt context.<br /> <br /> That would cause following continuous hard lockup warning and system hang<br /> <br /> [ 4211.433662] pcieport 0000:17:01.0: pciehp: Slot(108): Link Down<br /> [ 4211.433664] pcieport 0000:17:01.0: pciehp: Slot(108): Card not present<br /> [ 4223.822591] NMI watchdog: Watchdog detected hard LOCKUP on cpu 144<br /> [ 4223.822622] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S<br /> OE kernel version xxxx<br /> [ 4223.822623] Hardware name: vendorname xxxx 666-106,<br /> BIOS 01.01.02.03.01 05/15/2023<br /> [ 4223.822623] RIP: 0010:qi_submit_sync+0x2c0/0x490<br /> [ 4223.822624] Code: 48 be 00 00 00 00 00 08 00 00 49 85 74 24 20 0f 95 c1 48 8b<br /> 57 10 83 c1 04 83 3c 1a 03 0f 84 a2 01 00 00 49 8b 04 24 8b 70 34 f6 c6 1<br /> 0 74 17 49 8b 04 24 8b 80 80 00 00 00 89 c2 d3 fa 41 39<br /> [ 4223.822624] RSP: 0018:ffffc4f074f0bbb8 EFLAGS: 00000093<br /> [ 4223.822625] RAX: ffffc4f040059000 RBX: 0000000000000014 RCX: 0000000000000005<br /> [ 4223.822625] RDX: ffff9f3841315800 RSI: 0000000000000000 RDI: ffff9f38401a8340<br /> [ 4223.822625] RBP: ffff9f38401a8340 R08: ffffc4f074f0bc00 R09: 0000000000000000<br /> [ 4223.822626] R10: 0000000000000010 R11: 0000000000000018 R12: ffff9f384005e200<br /> [ 4223.822626] R13: 0000000000000004 R14: 0000000000000046 R15: 0000000000000004<br /> [ 4223.822626] FS: 0000000000000000(0000) GS:ffffa237ae400000(0000)<br /> knlGS:0000000000000000<br /> [ 4223.822627] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 4223.822627] CR2: 00007ffe86515d80 CR3: 000002fd3000a001 CR4: 0000000000770ee0<br /> [ 4223.822627] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [ 4223.822628] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400<br /> [ 4223.822628] PKRU: 55555554<br /> [ 4223.822628] Call Trace:<br /> [ 4223.822628] qi_flush_dev_iotlb+0xb1/0xd0<br /> [ 4223.822628] __dmar_remove_one_dev_info+0x224/0x250<br /> [ 4223.822629] dmar_remove_one_dev_info+0x3e/0x50<br /> [ 4223.822629] intel_iommu_release_device+0x1f/0x30<br /> [ 4223.822629] iommu_release_device+0x33/0x60<br /> [ 4223.822629] iommu_bus_notifier+0x7f/0x90<br /> [ 4223.822630] blocking_notifier_call_chain+0x60/0x90<br /> [ 4223.822630] device_del+0x2e5/0x420<br /> [ 4223.822630] pci_remove_bus_device+0x70/0x110<br /> [ 4223.822630] pciehp_unconfigure_device+0x7c/0x130<br /> [ 4223.822631] pciehp_disable_slot+0x6b/0x100<br /> [ 4223.822631] pciehp_handle_presence_or_link_change+0xd8/0x320<br /> [ 4223.822631] pciehp_ist+0x176/0x180<br /> [ 4223.822631] ? irq_finalize_oneshot.part.50+0x110/0x110<br /> [ 4223.822632] irq_thread_fn+0x19/0x50<br /> [ 4223.822632] irq_thread+0x104/0x190<br /> [ 4223.822632] ? irq_forced_thread_fn+0x90/0x90<br /> [ 4223.822632] ? irq_thread_check_affinity+0xe0/0xe0<br /> [ 4223.822633] kthread+0x114/0x130<br /> [ 4223.822633] ? __kthread_cancel_work+0x40/0x40<br /> [ 4223.822633] ret_from_fork+0x1f/0x30<br /> [ 4223.822633] Kernel panic - not syncing: Hard LOCKUP<br /> [ 4223.822634] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S<br /> OE kernel version xxxx<br /> [ 4223.822634] Hardware name: vendorname xxxx 666-106,<br /> BIOS 01.01.02.03.01 05/15/2023<br /> [ 4223.822634] Call Trace:<br /> [ 4223.822634] <br /> [ 4223.822635] dump_stack+0x6d/0x88<br /> [ 4223.822635] panic+0x101/0x2d0<br /> [ 4223.822635] ? ret_from_fork+0x11/0x30<br /> [ 4223.822635] nmi_panic.cold.14+0xc/0xc<br /> [ 4223.822636] watchdog_overflow_callback.cold.8+0x6d/0x81<br /> [ 4223.822636] __perf_event_overflow+0x4f/0xf0<br /> [ 4223.822636] handle_pmi_common<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.0 (including) 5.10.214 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.153 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.83 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.23 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.7.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.8 (including) 6.8.2 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools