CVE-2024-42302

HIGH EPSS 13.5%
Published Aug 17, 20241y ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
High
Find Similar
Published Aug 17, 2024 1y ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal Keith reports a use-after-free when a DPC event occurs concurrently to hot-removal of the same portion of the hierarchy: The dpc_handler() awaits readiness of the secondary bus below the Downstream Port where the DPC event occurred. To do so, it polls the config space of the first child device on the secondary bus. If that child device is concurrently removed, accesses to its struct pci_dev cause the kernel to oops. That's because pci_bridge_wait_for_secondary_bus() neglects to hold a reference on the child device. Before v6.3, the function was only called on resume from system sleep or on runtime resume. Holding a reference wasn't necessary back then because the pciehp IRQ thread could never run concurrently. (On resume from system sleep, IRQs are not enabled until after the resume_noirq phase. And runtime resume is always awaited before a PCI device is removed.) However starting with v6.3, pci_bridge_wait_for_secondary_bus() is also called on a DPC event. Commit 53b54ad074de ("PCI/DPC: Await readiness of secondary bus after reset"), which introduced that, failed to appreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a reference on the child device because dpc_handler() and pciehp may indeed run concurrently. The commit was backported to v5.10+ stable kernels, so that's the oldest one affected. Add the missing reference acquisition. Abridged stack trace: BUG: unable to handle page fault for address: 00000000091400c0 CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0 RIP: pci_bus_read_config_dword+0x17/0x50 pci_dev_wait() pci_bridge_wait_for_secondary_bus() dpc_reset_link() pcie_do_recovery() dpc_handler()

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
13.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 6

VendorProductVersionRange
debiandebian_linux11.0any
linuxlinux_kernel*≥5.10.176  –  <5.10.224
linuxlinux_kernel*≥5.15.104  –  <5.15.165
linuxlinux_kernel*≥6.1.16  –  <6.1.103
linuxlinux_kernel*≥6.2.3  –  <6.6.44
linuxlinux_kernel*≥6.7  –  <6.10.3

References 9

  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-265688.html
  • git.kernel.org https://git.kernel.org/stable/c/11a1f4bc47362700fcbde717292158873fb847ed
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2c111413f38ca5cf87557cab89f6d82b0e3433e7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2cc8973bdc4d6c928ebe38b88090a2cdfe81f42f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b16f3ea1db47a6766a9f1169244cf1fc287a7c62
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c52f9e1a9eb40f13993142c331a6cfd334d4b91d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f63df70b439bb8331358a306541893bf415bf1da
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html
    Mailing ListThird Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
    Mailing ListThird Party Advisory

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/11a1f4bc47362700fcbde717292158873fb847ed
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2c111413f38ca5cf87557cab89f6d82b0e3433e7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2cc8973bdc4d6c928ebe38b88090a2cdfe81f42f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b16f3ea1db47a6766a9f1169244cf1fc287a7c62
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c52f9e1a9eb40f13993142c331a6cfd334d4b91d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f63df70b439bb8331358a306541893bf415bf1da
    Patch