CVE-2024-41054
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
29/07/2024
Last modified:
22/08/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix ufshcd_clear_cmd racing issue

When ufshcd_clear_cmd races with the completion ISR, the mq_hctx pointer of the request for the completed tag is set to NULL by the ISR, and ufshcd_clear_cmd's call to ufshcd_mcq_req_to_hwq then hits a NULL pointer KE. Return success when the request has been completed by the ISR, because the SQ does not need cleanup.

The racing flow is:

```
Thread A
ufshcd_err_handler                       step 1
  ufshcd_try_to_abort_task
    ufshcd_cmd_inflight(true)            step 3
    ufshcd_clear_cmd
      ...
        ufshcd_mcq_req_to_hwq
          blk_mq_unique_tag
            rq->mq_hctx->queue_num       step 5

Thread B
ufs_mtk_mcq_intr (cq complete ISR)       step 2
  scsi_done
    ...
      __blk_mq_free_request
        rq->mq_hctx = NULL;              step 4
```

Below is the KE back trace:

```
ufshcd_try_to_abort_task: cmd pending in the device. tag = 6
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000194
pc : [0xffffffd589679bf8] blk_mq_unique_tag+0x8/0x14
lr : [0xffffffd5862f95b4] ufshcd_mcq_sq_cleanup+0x6c/0x1cc [ufs_mediatek_mod_ise]
Workqueue: ufs_eh_wq_0 ufshcd_err_handler [ufs_mediatek_mod_ise]
Call trace:
dump_backtrace+0xf8/0x148
show_stack+0x18/0x24
dump_stack_lvl+0x60/0x7c
dump_stack+0x18/0x3c
mrdump_common_die+0x24c/0x398 [mrdump]
ipanic_die+0x20/0x34 [mrdump]
notify_die+0x80/0xd8
die+0x94/0x2b8
__do_kernel_fault+0x264/0x298
do_page_fault+0xa4/0x4b8
do_translation_fault+0x38/0x54
do_mem_abort+0x58/0x118
el1_abort+0x3c/0x5c
el1h_64_sync_handler+0x54/0x90
el1h_64_sync+0x68/0x6c
blk_mq_unique_tag+0x8/0x14
ufshcd_clear_cmd+0x34/0x118 [ufs_mediatek_mod_ise]
ufshcd_try_to_abort_task+0x2c8/0x5b4 [ufs_mediatek_mod_ise]
ufshcd_err_handler+0xa7c/0xfa8 [ufs_mediatek_mod_ise]
process_one_work+0x208/0x4fc
worker_thread+0x228/0x438
kthread+0x104/0x1d4
ret_from_fork+0x10/0x20
```
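The interleaving above, as an added single-threaded model that is not kernel code and does not reproduce the actual patch: the ISR path clears the request's queue pointer, and the abort path checks whether the command is still in flight before deriving the hardware queue number, returning success for an already-completed request as the fix describes. `struct hctx`, `struct request`, the `inflight` flag and the scenario functions are assumptions of this model.

```c
#include <stddef.h>

/* Constructed model of the race (added example, not kernel code). struct hctx,
 * struct request and the inflight flag stand in for blk-mq's hw context, the
 * request and ufshcd_cmd_inflight(); the names are assumptions of this model. */
struct hctx { unsigned int queue_num; };
struct request {
    struct hctx *mq_hctx;   /* NULLed when the request is freed */
    int inflight;           /* nonzero while the device still owns the command */
};

/* Thread B: completion ISR finishes and frees the request (steps 2 and 4).
 * Mirrors __blk_mq_free_request() setting rq->mq_hctx = NULL. */
void complete_isr(struct request *rq)
{
    rq->inflight = 0;
    rq->mq_hctx = NULL;
}

/* Thread A after the fix: a request the ISR already completed needs no
 * submission-queue cleanup, so return success without touching mq_hctx.
 * Only when the command is still in flight is the hw queue number derived
 * (the rq->mq_hctx->queue_num access at step 5). Returns 0 on success. */
int clear_cmd_fixed(const struct request *rq, unsigned int *qnum)
{
    if (!rq->inflight)
        return 0;           /* completed by the ISR: nothing to clean up */
    *qnum = rq->mq_hctx->queue_num;
    return 0;
}

/* No race: the abort path runs before the ISR and gets the queue number. */
unsigned int scenario_no_race(void)
{
    struct hctx hq = { .queue_num = 3 };
    struct request rq = { .mq_hctx = &hq, .inflight = 1 };
    unsigned int qnum = 99;
    clear_cmd_fixed(&rq, &qnum);
    return qnum;            /* 3 */
}

/* Race lost: step 4 lands before step 5. Unfixed code would dereference the
 * NULL mq_hctx here; the fixed path reports success and leaves qnum alone.
 * Returns 1 when that is what happened. */
int scenario_isr_first(void)
{
    struct hctx hq = { .queue_num = 3 };
    struct request rq = { .mq_hctx = &hq, .inflight = 1 };
    unsigned int qnum = 99;
    complete_isr(&rq);
    return clear_cmd_fixed(&rq, &qnum) == 0 && rq.mq_hctx == NULL && qnum == 99;
}
```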
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.5 (including) | 6.6.41 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.9.10 (excluding) |