CVE-2024-58093
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI/ASPM: Fix link state exit during switch upstream function removal
Before 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free"), we would free the ASPM link only after the last function on the bus pertaining to the given link was removed.
That was too late. If function 0 is removed before sibling function, link->downstream would point to free'd memory after.
After above change, we freed the ASPM parent link state upon any function removal on the bus pertaining to a given link.
That is too early. If the link is to a PCIe switch with MFD on the upstream port, then removing functions other than 0 first would free a link which still remains parent_link to the remaining downstream ports.
The resulting GPFs are especially frequent during hot-unplug, because pciehp removes devices on the link bus in reverse order.
On that switch, function 0 is the virtual P2P bridge to the internal bus. Free exactly when function 0 is removed – before the parent link is obsolete, but after all subordinate links are gone.
[kwilczynski: commit log]
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 456d8aa37d0f56fc9e985e812496e861dcd6f2f2 < cbf937dcadfd571a434f8074d057b32cd14fbea5 | affected |
| Linux | Linux | 666e7f9d60cee23077ea3e6331f6f8a19f7ea03f | affected |
| Linux | Linux | 7badf4d6f49a358a01ab072bbff88d3ee886c33b | affected |
| Linux | Linux | 9856c0de49052174ab474113f4ba40c02aaee086 | affected |
| Linux | Linux | 7aecdd47910c51707696e8b0e045b9f88bd4230f | affected |
| Linux | Linux | d51d2eeae4ce54d542909c4d9d07bf371a78592c | affected |
| Linux | Linux | 4203722d51afe3d239e03f15cc73efdf023a7103 | affected |
| Linux | Linux | 5.4.251 < 5.5 | affected |
| Linux | Linux | 5.10.188 < 5.11 | affected |
| Linux | Linux | 5.15.121 < 5.16 | affected |
| Linux | Linux | 6.1.39 < 6.2 | affected |
| Linux | Linux | 6.3.13 < 6.4 | affected |
| Linux | Linux | 6.4.4 < 6.5 | affected |
| Linux | Linux | 6.5 | affected |
| Linux | Linux | 0 < 6.5 | unaffected |
| Linux | Linux | 6.15 <= * | unaffected |
Weaknesses
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.