CVE-2024-40906

一、漏洞信息
 漏洞编号：[CVE-2024-40906](https://nvd.nist.gov/vuln/detail/CVE-2024-40906)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0,6.6.0
 CVSS V2.0分值：
  BaseScore：0.0 Medium
  Vector：CVSS：2.0/
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:net/mlx5: Always stop health timer during driver removalCurrently, if teardown_hca fails to execute during driver removal, mlx5does not stop the health timer. Afterwards, mlx5 continue with driverteardown. This may lead to a UAF bug, which results in page faultOops[1], since the health timer invokes after resources were freed.Hence, stop the health monitor even if teardown_hca fails.[1]mlx5_core 0000:18:00.0: E-Switch: Unload vfs: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)mlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)mlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)mlx5_core 0000:18:00.0: E-Switch: cleanupmlx5_core 0000:18:00.0: wait_func:1155:(pid 1967079): TEARDOWN_HCA(0x103) timeout. Will cause a leak of a command resourcemlx5_core 0000:18:00.0: mlx5_function_close:1288:(pid 1967079): tear_down_hca failed, skip cleanupBUG: unable to handle page fault for address: ffffa26487064230PGD 100c00067 P4D 100c00067 PUD 100e5a067 PMD 105ed7067 PTE 0Oops: 0000 [#1] PREEMPT SMP PTICPU: 0 PID: 0 Comm: swapper/0 Tainted: G           OE     -------  ---  6.7.0-68.fc38.x86_64 #1Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0013.121520200651 12/15/2020RIP: 0010:ioread32be+0x34/0x60RSP: 0018:ffffa26480003e58 EFLAGS: 00010292RAX: ffffa26487064200 RBX: ffff9042d08161a0 RCX: ffff904c108222c0RDX: 000000010bbf1b80 RSI: ffffffffc055ddb0 RDI: ffffa26487064230RBP: ffff9042d08161a0 R08: 0000000000000022 R09: ffff904c108222e8R10: 0000000000000004 R11: 0000000000000441 R12: ffffffffc055ddb0R13: ffffa26487064200 R14: ffffa26480003f00 R15: ffff904c108222c0FS:  0000000000000000(0000) GS:ffff904c10800000(0000) knlGS:0000000000000000CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: ffffa26487064230 CR3: 00000002c4420006 CR4: 00000000007706f0DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400PKRU: 55555554Call Trace: <IRQ> ? __die+0x23/0x70 ? page_fault_oops+0x171/0x4e0 ? exc_page_fault+0x175/0x180 ? asm_exc_page_fault+0x26/0x30 ? __pfx_poll_health+0x10/0x10 [mlx5_core] ? __pfx_poll_health+0x10/0x10 [mlx5_core] ? ioread32be+0x34/0x60 mlx5_health_check_fatal_sensors+0x20/0x100 [mlx5_core] ? __pfx_poll_health+0x10/0x10 [mlx5_core] poll_health+0x42/0x230 [mlx5_core] ? __next_timer_interrupt+0xbc/0x110 ? __pfx_poll_health+0x10/0x10 [mlx5_core] call_timer_fn+0x21/0x130 ? __pfx_poll_health+0x10/0x10 [mlx5_core] __run_timers+0x222/0x2c0 run_timer_softirq+0x1d/0x40 __do_softirq+0xc9/0x2c8 __irq_exit_rcu+0xa6/0xc0 sysvec_apic_timer_interrupt+0x72/0x90 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20RIP: 0010:cpuidle_enter_state+0xcc/0x440 ? cpuidle_enter_state+0xbd/0x440 cpuidle_enter+0x2d/0x40 do_idle+0x20d/0x270 cpu_startup_entry+0x2a/0x30 rest_init+0xd0/0xd0 arch_call_rest_init+0xe/0x30 start_kernel+0x709/0xa90 x86_64_start_reservations+0x18/0x30 x86_64_start_kernel+0x96/0xa0 secondary_startup_64_no_verify+0x18f/0x19b---[ end trace 0000000000000000 ]---
 漏洞公开时间：2024-07-12 21:15:13
 漏洞创建时间：2024-07-15 13:33:52
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2024-40906
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/6ccada6ffb42e0ac75e3db06d41baf5a7f483f8a |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/c8b3f38d2dae0397944814d691a419c451f9906f |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/e6777ae0bf6fd5bc626bb051c8c93e3c8198a3f8 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/e7d4485d47839f4d1284592ae242c4e65b2810a9 |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-40906 | https://bugzilla.suse.com/show_bug.cgi?id=1227763 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2024-40906 | https://bugzilla.suse.com/show_bug.cgi?id=1227763 |
| suse_bugzilla | https://git.kernel.org/stable/c/6ccada6ffb42e0ac75e3db06d41baf5a7f483f8a | https://bugzilla.suse.com/show_bug.cgi?id=1227763 |
| suse_bugzilla | https://git.kernel.org/stable/c/c8b3f38d2dae0397944814d691a419c451f9906f | https://bugzilla.suse.com/show_bug.cgi?id=1227763 |
| suse_bugzilla | https://git.kernel.org/stable/c/e6777ae0bf6fd5bc626bb051c8c93e3c8198a3f8 | https://bugzilla.suse.com/show_bug.cgi?id=1227763 |
| suse_bugzilla | https://git.kernel.org/stable/c/e7d4485d47839f4d1284592ae242c4e65b2810a9 | https://bugzilla.suse.com/show_bug.cgi?id=1227763 |
| suse_bugzilla | https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-40906.mbox | https://bugzilla.suse.com/show_bug.cgi?id=1227763 |
| debian |  | https://security-tracker.debian.org/tracker/CVE-2024-40906 |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  其它
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

无
</details>

二、漏洞分析结构反馈
 影响性分析说明：
        In the Linux kernel, the following vulnerability has been resolved:net/mlx5: Always stop health timer during driver removalCurrently, if teardown_hca fails to execute during driver removal, mlx5does not stop the health timer. Afterwards, mlx5 continue with driverteardown. This may lead to a UAF bug, which results in page faultOops[1], since the health timer invokes after resources were freed.Hence, stop the health monitor even if teardown_hca fails.[1]mlx5_core 0000:18:00.0: E-Switch: Unload vfs: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)mlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)mlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)mlx5_core 0000:18:00.0: E-Switch: cleanupmlx5_core 0000:18:00.0: wait_func:1155:(pid 1967079): TEARDOWN_HCA(0x103) timeout. Will cause a leak of a command resourcemlx5_core 0000:18:00.0: mlx5_function_close:1288:(pid 1967079): tear_down_hca failed, skip cleanupBUG: unable to handle page fault for address: ffffa26487064230PGD 100c00067 P4D 100c00067 PUD 100e5a067 PMD 105ed7067 PTE 0Oops: 0000 [#1] PREEMPT SMP PTICPU: 0 PID: 0 Comm: swapper/0 Tainted: G           OE     -------  ---  6.7.0-68.fc38.x86_64 #1Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0013.121520200651 12/15/2020RIP: 0010:ioread32be+0x34/0x60RSP: 0018:ffffa26480003e58 EFLAGS: 00010292RAX: ffffa26487064200 RBX: ffff9042d08161a0 RCX: ffff904c108222c0RDX: 000000010bbf1b80 RSI: ffffffffc055ddb0 RDI: ffffa26487064230RBP: ffff9042d08161a0 R08: 0000000000000022 R09: ffff904c108222e8R10: 0000000000000004 R11: 0000000000000441 R12: ffffffffc055ddb0R13: ffffa26487064200 R14: ffffa26480003f00 R15: ffff904c108222c0FS:  0000000000000000(0000) GS:ffff904c10800000(0000) knlGS:0000000000000000CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: ffffa26487064230 CR3: 00000002c4420006 CR4: 00000000007706f0DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400PKRU: 55555554Call Trace: &lt;IRQ&gt; ? __die+0x23/0x70 ? page_fault_oops+0x171/0x4e0 ? exc_page_fault+0x175/0x180 ? asm_exc_page_fault+0x26/0x30 ? __pfx_poll_health+0x10/0x10 [mlx5_core] ? __pfx_poll_health+0x10/0x10 [mlx5_core] ? ioread32be+0x34/0x60 mlx5_health_check_fatal_sensors+0x20/0x100 [mlx5_core] ? __pfx_poll_health+0x10/0x10 [mlx5_core] poll_health+0x42/0x230 [mlx5_core] ? __next_timer_interrupt+0xbc/0x110 ? __pfx_poll_health+0x10/0x10 [mlx5_core] call_timer_fn+0x21/0x130 ? __pfx_poll_health+0x10/0x10 [mlx5_core] __run_timers+0x222/0x2c0 run_timer_softirq+0x1d/0x40 __do_softirq+0xc9/0x2c8 __irq_exit_rcu+0xa6/0xc0 sysvec_apic_timer_interrupt+0x72/0x90 &lt;/IRQ&gt; &lt;TASK&gt; asm_sysvec_apic_timer_interrupt+0x1a/0x20RIP: 0010:cpuidle_enter_state+0xcc/0x440 ? cpuidle_enter_state+0xbd/0x440 cpuidle_enter+0x2d/0x40 do_idle+0x20d/0x270 cpu_startup_entry+0x2a/0x30 rest_init+0xd0/0xd0 arch_call_rest_init+0xe/0x30 start_kernel+0x709/0xa90 x86_64_start_reservations+0x18/0x30 x86_64_start_kernel+0x96/0xa0 secondary_startup_64_no_verify+0x18f/0x19b---[ end trace 0000000000000000 ]---The Linux kernel CVE team has assigned CVE-2024-40906 to this issue.   
 openEuler评分：
  4.4
 Vector：CVSS：2.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
 受影响版本排查(受影响/不受影响)：
  1.openEuler-24.03-LTS(6.6.0):受影响
2.openEuler-20.03-LTS-SP4(4.19.90):不受影响
3.openEuler-22.03-LTS-SP1(5.10.0):不受影响
4.openEuler-22.03-LTS-SP3(5.10.0):不受影响
5.openEuler-22.03-LTS-SP4(5.10.0):不受影响
6.master(6.1.0):不受影响
7.openEuler-24.03-LTS-Next(6.6.0):不受影响

修复是否涉及abi变化(是/否)：
  1.openEuler-20.03-LTS-SP4(4.19.90):否
2.openEuler-22.03-LTS-SP1(5.10.0):否
3.openEuler-22.03-LTS-SP3(5.10.0):否
4.master(6.1.0):否
5.openEuler-24.03-LTS(6.6.0):否
6.openEuler-24.03-LTS-Next(6.6.0):否
7.openEuler-22.03-LTS-SP4(5.10.0):否

三、漏洞修复
安全公告链接：https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2024-1960

src-openEuler/kernel

内容风险标识

评论 (10)

src-openEuler/kernel .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2024-40906

评论 (10)

搜索帮助

src-openEuler/kernel