CVE-2024-53194

一、漏洞信息
 漏洞编号：[CVE-2024-53194](https://nvd.nist.gov/vuln/detail/CVE-2024-53194)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.19,6.4.0,6.6.0
 CVSS V3.0分值：
  BaseScore：0.0 None
  Vector：CVSS：3.0/
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:PCI: Fix use-after-free of slot->bus on hot removeDennis reports a boot crash on recent Lenovo laptops with a USB4 dock.Since commit 0fc70886569c ( thunderbolt: Reset USB4 v2 host router ) andcommit 59a54c5f3dbd ( thunderbolt: Reset topology created by the bootfirmware ), USB4 v2 and v1 Host Routers are reset on probe of thethunderbolt driver.The reset clears the Presence Detect State and Data Link Layer Link Activebits at the USB4 Host Router s Root Port and thus causes hot removal of thedock.The crash occurs when pciehp is unbound from one of the dock s DownstreamPorts:  pciehp creates a pci_slot on bind and destroys it on unbind.  Thepci_slot contains a pointer to the pci_bus below the Downstream Port, buta reference on that pci_bus is never acquired.  The pci_bus is destroyedbefore the pci_slot, so a use-after-free ensues when pci_slot_release()accesses slot->bus.In principle this should not happen because pci_stop_bus_device() unbindspciehp (and therefore destroys the pci_slot) before the pci_bus isdestroyed by pci_remove_bus_device().However the stacktrace provided by Dennis shows that pciehp is unbound frompci_remove_bus_device() instead of pci_stop_bus_device().  To understandthe significance of this, one needs to know that the PCI core uses a twostep process to remove a portion of the hierarchy:  It first unbinds alldrivers in the sub-hierarchy in pci_stop_bus_device() and then actuallyremoves the devices in pci_remove_bus_device().  There is no precaution toprevent driver binding in-between pci_stop_bus_device() andpci_remove_bus_device().In Dennis  case, it seems removal of the hierarchy by pciehp races withdriver binding by pci_bus_add_devices().  pciehp is bound to theDownstream Port after pci_stop_bus_device() has run, so it is unbound bypci_remove_bus_device() instead of pci_stop_bus_device().  Because thepci_bus has already been destroyed at that point, accesses to it result ina use-after-free.One might conclude that driver binding needs to be prevented afterpci_stop_bus_device() has run.  However it seems risky that pci_slot pointsto pci_bus without holding a reference.  Solely relying on correct orderingof driver unbind versus pci_bus destruction is certainly not defensiveprogramming.If pci_slot has a need to access data in pci_bus, it ought to acquire areference.  Amend pci_create_slot() accordingly.  Dennis reports that thecrash is not reproducible with this change.Abridged stacktrace:  pcieport 0000:00:07.0: PME: Signaling with IRQ 156  pcieport 0000:00:07.0: pciehp: Slot #12 AttnBtn- PwrCtrl- MRL- AttnInd- PwrInd- HotPlug+ Surprise+ Interlock- NoCompl+ IbPresDis- LLActRep+  pci_bus 0000:20: dev 00, created physical slot 12  pcieport 0000:00:07.0: pciehp: Slot(12): Card not present  ...  pcieport 0000:21:02.0: pciehp: pcie_disable_notification: SLOTCTRL d8 write cmd 0  Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI  CPU: 13 UID: 0 PID: 134 Comm: irq/156-pciehp Not tainted 6.11.0-devel+ #1  RIP: 0010:dev_driver_string+0x12/0x40  pci_destroy_slot  pciehp_remove  pcie_port_remove_service  device_release_driver_internal  bus_remove_device  device_del  device_unregister  remove_iter  device_for_each_child  pcie_portdrv_remove  pci_device_remove  device_release_driver_internal  bus_remove_device  device_del  pci_remove_bus_device (recursive invocation)  pci_remove_bus_device  pciehp_unconfigure_device  pciehp_disable_slot  pciehp_handle_presence_or_link_change  pciehp_ist
 漏洞公开时间：2024-12-27 22:15:27
 漏洞创建时间：2024-12-27 22:47:08
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2024-53194
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/20502f0b3f3acd6bee300257556c27a867f80c8b |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/41bbb1eb996be1435815aa1fbcc9ffc45b84cc12 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/50473dd3b2a08601a078f852ea05572de9b1f86c |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/69d2ceac11acf8579d58d55c9c5b65fb658f916e |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/c7acef99642b763ba585f4a43af999fcdbcc3dc4 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/c8266ab8e7ccd1d1f5a9c8b29eb2020175048134 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/d0ddd2c92b75a19a37c887154223372b600fed37 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/da6e6ff1f6c57f16e07af955e0e997fc90dd1e75 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/e5d5c04aac71bf1476dc44b56f2206a4c2facca8 |  |
| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2024122724-CVE-2024-53194-9edf@gregkh/T | https://bugzilla.redhat.com/show_bug.cgi?id=2334367 |
| debian |  | https://security-tracker.debian.org/tracker/CVE-2024-53194 |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

无
</details>

二、漏洞分析结构反馈
 影响性分析说明：
  In the Linux kernel, the following vulnerability has been resolved:PCI: Fix use-after-free of slot-&gt;bus on hot removeDennis reports a boot crash on recent Lenovo laptops with a USB4 dock.Since commit 0fc70886569c (&#34;thunderbolt: Reset USB4 v2 host router&#34;) andcommit 59a54c5f3dbd (&#34;thunderbolt: Reset topology created by the bootfirmware&#34;), USB4 v2 and v1 Host Routers are reset on probe of thethunderbolt driver.The reset clears the Presence Detect State and Data Link Layer Link Activebits at the USB4 Host Router&#39;s Root Port and thus causes hot removal of thedock.The crash occurs when pciehp is unbound from one of the dock&#39;s DownstreamPorts:  pciehp creates a pci_slot on bind and destroys it on unbind.  Thepci_slot contains a pointer to the pci_bus below the Downstream Port, buta reference on that pci_bus is never acquired.  The pci_bus is destroyedbefore the pci_slot, so a use-after-free ensues when pci_slot_release()accesses slot-&gt;bus.In principle this should not happen because pci_stop_bus_device() unbindspciehp (and therefore destroys the pci_slot) before the pci_bus isdestroyed by pci_remove_bus_device().However the stacktrace provided by Dennis shows that pciehp is unbound frompci_remove_bus_device() instead of pci_stop_bus_device().  To understandthe significance of this, one needs to know that the PCI core uses a twostep process to remove a portion of the hierarchy:  It first unbinds alldrivers in the sub-hierarchy in pci_stop_bus_device() and then actuallyremoves the devices in pci_remove_bus_device().  There is no precaution toprevent driver binding in-between pci_stop_bus_device() andpci_remove_bus_device().In Dennis&#39; case, it seems removal of the hierarchy by pciehp races withdriver binding by pci_bus_add_devices().  pciehp is bound to theDownstream Port after pci_stop_bus_device() has run, so it is unbound bypci_remove_bus_device() instead of pci_stop_bus_device().  Because thepci_bus has already been destroyed at that point, accesses to it result ina use-after-free.One might conclude that driver binding needs to be prevented afterpci_stop_bus_device() has run.  However it seems risky that pci_slot pointsto pci_bus without holding a reference.  Solely relying on correct orderingof driver unbind versus pci_bus destruction is certainly not defensiveprogramming.If pci_slot has a need to access data in pci_bus, it ought to acquire areference.  Amend pci_create_slot() accordingly.  Dennis reports that thecrash is not reproducible with this change.Abridged stacktrace:  pcieport 0000:00:07.0: PME: Signaling with IRQ 156  pcieport 0000:00:07.0: pciehp: Slot #12 AttnBtn- PwrCtrl- MRL- AttnInd- PwrInd- HotPlug+ Surprise+ Interlock- NoCompl+ IbPresDis- LLActRep+  pci_bus 0000:20: dev 00, created physical slot 12  pcieport 0000:00:07.0: pciehp: Slot(12): Card not present  ...  pcieport 0000:21:02.0: pciehp: pcie_disable_notification: SLOTCTRL d8 write cmd 0  Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI  CPU: 13 UID: 0 PID: 134 Comm: irq/156-pciehp Not tainted 6.11.0-devel+ #1  RIP: 0010:dev_driver_string+0x12/0x40  pci_destroy_slot  pciehp_remove  pcie_port_remove_service  device_release_driver_internal  bus_remove_device  device_del  device_unregister  remove_iter  device_for_each_child  pcie_portdrv_remove  pci_device_remove  device_release_driver_internal  bus_remove_device  device_del  pci_remove_bus_device (recursive invocation)  pci_remove_bus_device  pciehp_unconfigure_device  pciehp_disable_slot  pciehp_handle_presence_or_link_change  pciehp_istThe Linux kernel CVE team has assigned CVE-2024-53194 to this issue.
 openEuler评分：
  5.5
 Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
 受影响版本排查(受影响/不受影响)：
  1.openEuler-20.03-LTS-SP4(4.19.90):受影响
2.openEuler-22.03-LTS-SP1(5.10.0):受影响
3.openEuler-22.03-LTS-SP3(5.10.0):受影响
4.openEuler-22.03-LTS-SP4(5.10.0):受影响
5.openEuler-24.03-LTS(6.6.0):受影响
6.openEuler-24.03-LTS-SP1(6.6.0):受影响
7.master:不受影响
8.openEuler-24.03-LTS-Next(6.6.0):不受影响

修复是否涉及abi变化(是/否)：
  1.openEuler-20.03-LTS-SP4(4.19.90):否
2.openEuler-22.03-LTS-SP1(5.10.0):否
3.openEuler-22.03-LTS-SP3(5.10.0):否
4.master:否
5.openEuler-24.03-LTS(6.6.0):否
6.openEuler-24.03-LTS-Next(6.6.0):否
7.openEuler-22.03-LTS-SP4(5.10.0):否
8.openEuler-24.03-LTS-SP1(6.6.0):否

原因说明：
  1.openEuler-20.03-LTS-SP4(4.19.90):正常修复
2.openEuler-22.03-LTS-SP1(5.10.0):正常修复
3.openEuler-22.03-LTS-SP3(5.10.0):正常修复
4.openEuler-22.03-LTS-SP4(5.10.0):正常修复
5.openEuler-24.03-LTS(6.6.0):正常修复
6.openEuler-24.03-LTS-SP1(6.6.0):正常修复
7.master:不受影响-漏洞代码不能被攻击者触发
8.openEuler-24.03-LTS-Next(6.6.0):不受影响-漏洞代码不能被攻击者触发

三、漏洞修复
安全公告链接：https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2025-1079

src-openEuler/kernel
Closed

Content Risk Flag

Comments (10)

src-openEuler/kernelClosed .gitee-modal { width: 500px !important; }

Content Risk Flag

CVE-2024-53194

Comments (10)

Search

src-openEuler/kernel
Closed