Show plain JSON{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-26687", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-19T14:20:24.154Z", "datePublished": "2024-04-03T14:54:49.250Z", "dateUpdated": "2024-12-19T08:45:06.071Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T08:45:06.071Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/events: close evtchn after mapping cleanup\n\nshutdown_pirq and startup_pirq are not taking the\nirq_mapping_update_lock because they can't due to lock inversion. Both\nare called with the irq_desc->lock being taking. The lock order,\nhowever, is first irq_mapping_update_lock and then irq_desc->lock.\n\nThis opens multiple races:\n- shutdown_pirq can be interrupted by a function that allocates an event\n channel:\n\n CPU0 CPU1\n shutdown_pirq {\n xen_evtchn_close(e)\n __startup_pirq {\n EVTCHNOP_bind_pirq\n -> returns just freed evtchn e\n set_evtchn_to_irq(e, irq)\n }\n xen_irq_info_cleanup() {\n set_evtchn_to_irq(e, -1)\n }\n }\n\n Assume here event channel e refers here to the same event channel\n number.\n After this race the evtchn_to_irq mapping for e is invalid (-1).\n\n- __startup_pirq races with __unbind_from_irq in a similar way. Because\n __startup_pirq doesn't take irq_mapping_update_lock it can grab the\n evtchn that __unbind_from_irq is currently freeing and cleaning up. In\n this case even though the event channel is allocated, its mapping can\n be unset in evtchn_to_irq.\n\nThe fix is to first cleanup the mappings and then close the event\nchannel. In this way, when an event channel gets allocated it's\npotential previous evtchn_to_irq mappings are guaranteed to be unset already.\nThis is also the reverse order of the allocation where first the event\nchannel is allocated and then the mappings are setup.\n\nOn a 5.10 kernel prior to commit 3fcdaf3d7634 (\"xen/events: modify internal\n[un]bind interfaces\"), we hit a BUG like the following during probing of NVMe\ndevices. The issue is that during nvme_setup_io_queues, pci_free_irq\nis called for every device which results in a call to shutdown_pirq.\nWith many nvme devices it's therefore likely to hit this race during\nboot because there will be multiple calls to shutdown_pirq and\nstartup_pirq are running potentially in parallel.\n\n ------------[ cut here ]------------\n blkfront: xvda: barrier or flush: disabled; persistent grants: enabled; indirect descriptors: enabled; bounce buffer: enabled\n kernel BUG at drivers/xen/events/events_base.c:499!\n invalid opcode: 0000 [#1] SMP PTI\n CPU: 44 PID: 375 Comm: kworker/u257:23 Not tainted 5.10.201-191.748.amzn2.x86_64 #1\n Hardware name: Xen HVM domU, BIOS 4.11.amazon 08/24/2006\n Workqueue: nvme-reset-wq nvme_reset_work\n RIP: 0010:bind_evtchn_to_cpu+0xdf/0xf0\n Code: 5d 41 5e c3 cc cc cc cc 44 89 f7 e8 2b 55 ad ff 49 89 c5 48 85 c0 0f 84 64 ff ff ff 4c 8b 68 30 41 83 fe ff 0f 85 60 ff ff ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00\n RSP: 0000:ffffc9000d533b08 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006\n RDX: 0000000000000028 RSI: 00000000ffffffff RDI: 00000000ffffffff\n RBP: ffff888107419680 R08: 0000000000000000 R09: ffffffff82d72b00\n R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000001ed\n R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000002\n FS: 0000000000000000(0000) GS:ffff88bc8b500000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000002610001 CR4: 00000000001706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n ? show_trace_log_lvl+0x1c1/0x2d9\n ? show_trace_log_lvl+0x1c1/0x2d9\n ? set_affinity_irq+0xdc/0x1c0\n ? __die_body.cold+0x8/0xd\n ? die+0x2b/0x50\n ? do_trap+0x90/0x110\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? do_error_trap+0x65/0x80\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? exc_invalid_op+0x4e/0x70\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? asm_exc_invalid_op+0x12/0x20\n ? bind_evtchn_to_cpu+0xdf/0x\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/xen/events/events_base.c"], "versions": [{"version": "d46a78b05c0e37f76ddf4a7a67bf0b6c68bada55", "lessThan": "9470f5b2503cae994098dea9682aee15b313fa44", "status": "affected", "versionType": "git"}, {"version": "d46a78b05c0e37f76ddf4a7a67bf0b6c68bada55", "lessThan": "0fc88aeb2e32b76db3fe6a624b8333dbe621b8fd", "status": "affected", "versionType": "git"}, {"version": "d46a78b05c0e37f76ddf4a7a67bf0b6c68bada55", "lessThan": "ea592baf9e41779fe9a0424c03dd2f324feca3b3", "status": "affected", "versionType": "git"}, {"version": "d46a78b05c0e37f76ddf4a7a67bf0b6c68bada55", "lessThan": "585a344af6bcac222608a158fc2830ff02712af5", "status": "affected", "versionType": "git"}, {"version": "d46a78b05c0e37f76ddf4a7a67bf0b6c68bada55", "lessThan": "20980195ec8d2e41653800c45c8c367fa1b1f2b4", "status": "affected", "versionType": "git"}, {"version": "d46a78b05c0e37f76ddf4a7a67bf0b6c68bada55", "lessThan": "9be71aa12afa91dfe457b3fb4a444c42b1ee036b", "status": "affected", "versionType": "git"}, {"version": "d46a78b05c0e37f76ddf4a7a67bf0b6c68bada55", "lessThan": "fa765c4b4aed2d64266b694520ecb025c862c5a9", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/xen/events/events_base.c"], "versions": [{"version": "2.6.37", "status": "affected"}, {"version": "0", "lessThan": "2.6.37", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.274", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.215", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.154", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.81", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.19", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.7.6", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/9470f5b2503cae994098dea9682aee15b313fa44"}, {"url": "https://git.kernel.org/stable/c/0fc88aeb2e32b76db3fe6a624b8333dbe621b8fd"}, {"url": "https://git.kernel.org/stable/c/ea592baf9e41779fe9a0424c03dd2f324feca3b3"}, {"url": "https://git.kernel.org/stable/c/585a344af6bcac222608a158fc2830ff02712af5"}, {"url": "https://git.kernel.org/stable/c/20980195ec8d2e41653800c45c8c367fa1b1f2b4"}, {"url": "https://git.kernel.org/stable/c/9be71aa12afa91dfe457b3fb4a444c42b1ee036b"}, {"url": "https://git.kernel.org/stable/c/fa765c4b4aed2d64266b694520ecb025c862c5a9"}], "title": "xen/events: close evtchn after mapping cleanup", "x_generator": {"engine": "bippy-5f407fcff5a0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:14:12.637Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/9470f5b2503cae994098dea9682aee15b313fa44", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0fc88aeb2e32b76db3fe6a624b8333dbe621b8fd", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ea592baf9e41779fe9a0424c03dd2f324feca3b3", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/585a344af6bcac222608a158fc2830ff02712af5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/20980195ec8d2e41653800c45c8c367fa1b1f2b4", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9be71aa12afa91dfe457b3fb4a444c42b1ee036b", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/fa765c4b4aed2d64266b694520ecb025c862c5a9", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26687", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:53:07.213399Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:33:32.707Z"}}]}, "dataVersion": "5.1"}