CVE-2024-53224

一、漏洞信息
 漏洞编号：[CVE-2024-53224](https://nvd.nist.gov/vuln/detail/CVE-2024-53224)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.19,6.4.0,6.6.0
 CVSS V3.0分值：
  BaseScore：5.5 Medium
  Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:RDMA/mlx5: Move events notifier registration to be after device registrationMove pkey change work initialization and cleanup from device resourcesstage to notifier stage, since this is the stage which handles this workevents.Fix a race between the device deregistration and pkey change work by movingMLX5_IB_STAGE_DEVICE_NOTIFIER to be after MLX5_IB_STAGE_IB_REG in order toensure that the notifier is deregistered before the device during cleanup.Which ensures there are no works that are being executed after thedevice has already unregistered which can cause the panic below.BUG: kernel NULL pointer dereference, address: 0000000000000000PGD 0 P4D 0Oops: 0000 [#1] PREEMPT SMP PTICPU: 1 PID: 630071 Comm: kworker/1:2 Kdump: loaded Tainted: G W OE --------- --- 5.14.0-162.6.1.el9_1.x86_64 #1Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008 02/27/2023Workqueue: events pkey_change_handler [mlx5_ib]RIP: 0010:setup_qp+0x38/0x1f0 [mlx5_ib]Code: ee 41 54 45 31 e4 55 89 f5 53 48 89 fb 48 83 ec 20 8b 77 08 65 48 8b 04 25 28 00 00 00 48 89 44 24 18 48 8b 07 48 8d 4c 24 16 <4c> 8b 38 49 8b 87 80 0b 00 00 4c 89 ff 48 8b 80 08 05 00 00 8b 40RSP: 0018:ffffbcc54068be20 EFLAGS: 00010282RAX: 0000000000000000 RBX: ffff954054494128 RCX: ffffbcc54068be36RDX: ffff954004934000 RSI: 0000000000000001 RDI: ffff954054494128RBP: 0000000000000023 R08: ffff954001be2c20 R09: 0000000000000001R10: ffff954001be2c20 R11: ffff9540260133c0 R12: 0000000000000000R13: 0000000000000023 R14: 0000000000000000 R15: ffff9540ffcb0905FS: 0000000000000000(0000) GS:ffff9540ffc80000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 0000000000000000 CR3: 000000010625c001 CR4: 00000000003706e0DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400Call Trace:mlx5_ib_gsi_pkey_change+0x20/0x40 [mlx5_ib]process_one_work+0x1e8/0x3c0worker_thread+0x50/0x3b0? rescuer_thread+0x380/0x380kthread+0x149/0x170? set_kthread_struct+0x50/0x50ret_from_fork+0x22/0x30Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) mlx5_fwctl(OE) fwctl(OE) ib_uverbs(OE) mlx5_core(OE) mlxdevm(OE) ib_core(OE) mlx_compat(OE) psample mlxfw(OE) tls knem(OE) netconsole nfsv3 nfs_acl nfs lockd grace fscache netfs qrtr rfkill sunrpc intel_rapl_msr intel_rapl_common rapl hv_balloon hv_utils i2c_piix4 pcspkr joydev fuse ext4 mbcache jbd2 sr_mod sd_mod cdrom t10_pi sg ata_generic pci_hyperv pci_hyperv_intf hyperv_drm drm_shmem_helper drm_kms_helper hv_storvsc syscopyarea hv_netvsc sysfillrect sysimgblt hid_hyperv fb_sys_fops scsi_transport_fc hyperv_keyboard drm ata_piix crct10dif_pclmul crc32_pclmul crc32c_intel libata ghash_clmulni_intel hv_vmbus serio_raw [last unloaded: ib_core]CR2: 0000000000000000---[ end trace f6f8be4eae12f7bc ]---
 漏洞公开时间：2024-12-27 22:15:30
 漏洞创建时间：2025-04-03 15:49:06
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2024-53224
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/542bd62b7a7f37182c9ef192c2bd25d118c144e4 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/6b0acf6a94c31efa43fce4edc22413a3390f9c05 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/921fcf2971a1e8d3b904ba2c2905b96f4ec3d4ad |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/ede132a5cf559f3ab35a4c28bac4f4a6c20334d8 |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-53224 | https://bugzilla.suse.com/show_bug.cgi?id=1235009 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2024-53224 | https://bugzilla.suse.com/show_bug.cgi?id=1235009 |
| suse_bugzilla | https://git.kernel.org/stable/c/542bd62b7a7f37182c9ef192c2bd25d118c144e4 | https://bugzilla.suse.com/show_bug.cgi?id=1235009 |
| suse_bugzilla | https://git.kernel.org/stable/c/6b0acf6a94c31efa43fce4edc22413a3390f9c05 | https://bugzilla.suse.com/show_bug.cgi?id=1235009 |
| suse_bugzilla | https://git.kernel.org/stable/c/921fcf2971a1e8d3b904ba2c2905b96f4ec3d4ad | https://bugzilla.suse.com/show_bug.cgi?id=1235009 |
| suse_bugzilla | https://git.kernel.org/stable/c/ede132a5cf559f3ab35a4c28bac4f4a6c20334d8 | https://bugzilla.suse.com/show_bug.cgi?id=1235009 |
| suse_bugzilla | https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-53224.mbox | https://bugzilla.suse.com/show_bug.cgi?id=1235009 |
| suse_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2334399 | https://bugzilla.suse.com/show_bug.cgi?id=1235009 |
| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2024122734-CVE-2024-53224-2509@gregkh/T | https://bugzilla.redhat.com/show_bug.cgi?id=2334399 |
| debian |  | https://security-tracker.debian.org/tracker/CVE-2024-53224 |
| anolis |  | https://anas.openanolis.cn/cves/detail/CVE-2024-53224 |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
|  |  | https://git.kernel.org/stable/c/542bd62b7a7f37182c9ef192c2bd25d118c144e4 |  | nvd |
|  |  | https://git.kernel.org/stable/c/6b0acf6a94c31efa43fce4edc22413a3390f9c05 |  | nvd |
|  |  | https://git.kernel.org/stable/c/921fcf2971a1e8d3b904ba2c2905b96f4ec3d4ad |  | nvd |
|  |  | https://git.kernel.org/stable/c/ede132a5cf559f3ab35a4c28bac4f4a6c20334d8 |  | nvd |
| linux_kernel | 6.6.64 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=921fcf2971a1e8d3b904ba2c2905b96f4ec3d4adIssue | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7722f47e71e58592a2ba4437d27c802ba1c64e08 | linuxkernelcves |
| linux_kernel | 6.11.11 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=542bd62b7a7f37182c9ef192c2bd25d118c144e4Issue | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7722f47e71e58592a2ba4437d27c802ba1c64e08 | linuxkernelcves |
| linux_kernel | 6.12.2 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6b0acf6a94c31efa43fce4edc22413a3390f9c05Issue | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7722f47e71e58592a2ba4437d27c802ba1c64e08 | linuxkernelcves |
| linux_kernel | 6.13-rc1 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ede132a5cf559f3ab35a4c28bac4f4a6c20334d8Please | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7722f47e71e58592a2ba4437d27c802ba1c64e08 | linuxkernelcves |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
  In the Linux kernel, the following vulnerability has been resolved:RDMA/mlx5: Move events notifier registration to be after device registrationMove pkey change work initialization and cleanup from device resourcesstage to notifier stage, since this is the stage which handles this workevents.Fix a race between the device deregistration and pkey change work by movingMLX5_IB_STAGE_DEVICE_NOTIFIER to be after MLX5_IB_STAGE_IB_REG in order toensure that the notifier is deregistered before the device during cleanup.Which ensures there are no works that are being executed after thedevice has already unregistered which can cause the panic below.BUG: kernel NULL pointer dereference, address: 0000000000000000PGD 0 P4D 0Oops: 0000 [#1] PREEMPT SMP PTICPU: 1 PID: 630071 Comm: kworker/1:2 Kdump: loaded Tainted: G W OE --------- --- 5.14.0-162.6.1.el9_1.x86_64 #1Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008 02/27/2023Workqueue: events pkey_change_handler [mlx5_ib]RIP: 0010:setup_qp+0x38/0x1f0 [mlx5_ib]Code: ee 41 54 45 31 e4 55 89 f5 53 48 89 fb 48 83 ec 20 8b 77 08 65 48 8b 04 25 28 00 00 00 48 89 44 24 18 48 8b 07 48 8d 4c 24 16 &lt;4c&gt; 8b 38 49 8b 87 80 0b 00 00 4c 89 ff 48 8b 80 08 05 00 00 8b 40RSP: 0018:ffffbcc54068be20 EFLAGS: 00010282RAX: 0000000000000000 RBX: ffff954054494128 RCX: ffffbcc54068be36RDX: ffff954004934000 RSI: 0000000000000001 RDI: ffff954054494128RBP: 0000000000000023 R08: ffff954001be2c20 R09: 0000000000000001R10: ffff954001be2c20 R11: ffff9540260133c0 R12: 0000000000000000R13: 0000000000000023 R14: 0000000000000000 R15: ffff9540ffcb0905FS: 0000000000000000(0000) GS:ffff9540ffc80000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 0000000000000000 CR3: 000000010625c001 CR4: 00000000003706e0DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400Call Trace:mlx5_ib_gsi_pkey_change+0x20/0x40 [mlx5_ib]process_one_work+0x1e8/0x3c0worker_thread+0x50/0x3b0? rescuer_thread+0x380/0x380kthread+0x149/0x170? set_kthread_struct+0x50/0x50ret_from_fork+0x22/0x30Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) mlx5_fwctl(OE) fwctl(OE) ib_uverbs(OE) mlx5_core(OE) mlxdevm(OE) ib_core(OE) mlx_compat(OE) psample mlxfw(OE) tls knem(OE) netconsole nfsv3 nfs_acl nfs lockd grace fscache netfs qrtr rfkill sunrpc intel_rapl_msr intel_rapl_common rapl hv_balloon hv_utils i2c_piix4 pcspkr joydev fuse ext4 mbcache jbd2 sr_mod sd_mod cdrom t10_pi sg ata_generic pci_hyperv pci_hyperv_intf hyperv_drm drm_shmem_helper drm_kms_helper hv_storvsc syscopyarea hv_netvsc sysfillrect sysimgblt hid_hyperv fb_sys_fops scsi_transport_fc hyperv_keyboard drm ata_piix crct10dif_pclmul crc32_pclmul crc32c_intel libata ghash_clmulni_intel hv_vmbus serio_raw [last unloaded: ib_core]CR2: 0000000000000000---[ end trace f6f8be4eae12f7bc ]---The Linux kernel CVE team has assigned CVE-2024-53224 to this issue.
 openEuler评分：
  5.5
 Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
 受影响版本排查(受影响/不受影响)：
  1.openEuler-20.03-LTS-SP4(4.19.90):受影响
2.openEuler-22.03-LTS-SP3(5.10.0):受影响
3.openEuler-22.03-LTS-SP4(5.10.0):受影响
4.openEuler-24.03-LTS(6.6.0):受影响
5.openEuler-24.03-LTS-SP1(6.6.0):受影响
6.master(6.6.0):不受影响
7.openEuler-24.03-LTS-Next(6.6.0):不受影响
8.openEuler-24.03-LTS-SP2(6.6.0):

修复是否涉及abi变化(是/否)：
  1.master(6.6.0):否
2.openEuler-20.03-LTS-SP4(4.19.90):否
3.openEuler-22.03-LTS-SP3(5.10.0):否
4.openEuler-22.03-LTS-SP4(5.10.0):否
5.openEuler-24.03-LTS(6.6.0):否
6.openEuler-24.03-LTS-Next(6.6.0):否
7.openEuler-24.03-LTS-SP1(6.6.0):否
8.openEuler-24.03-LTS-SP2(6.6.0):

原因说明：
  1.openEuler-22.03-LTS-SP3(5.10.0):正常修复
2.openEuler-22.03-LTS-SP4(5.10.0):正常修复
3.openEuler-24.03-LTS(6.6.0):正常修复
4.openEuler-24.03-LTS-SP1(6.6.0):正常修复
5.openEuler-20.03-LTS-SP4(4.19.90):不修复-超出修复范围
6.master(6.6.0):不受影响-漏洞代码不能被攻击者触发
7.openEuler-24.03-LTS-Next(6.6.0):不受影响-漏洞代码不能被攻击者触发
8.openEuler-24.03-LTS-SP2(6.6.0):

src-openEuler/kernel

Content Risk Flag

Comments (5)

src-openEuler/kernel .gitee-modal { width: 500px !important; }

Content Risk Flag

CVE-2024-53224

Comments (5)

Search

src-openEuler/kernel