CVE-2024-55916

一、漏洞信息
 漏洞编号：[CVE-2024-55916](https://nvd.nist.gov/vuln/detail/CVE-2024-55916)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.19,6.4.0,6.6.0
 CVSS V3.0分值：
  BaseScore：5.5 Medium
  Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:Drivers: hv: util: Avoid accessing a ringbuffer not initialized yetIf the KVP (or VSS) daemon starts before the VMBus channel s ringbuffer isfully initialized, we can hit the panic below:hv_utils: Registering HyperV Utility Driverhv_vmbus: registering driver hv_utils...BUG: kernel NULL pointer dereference, address: 0000000000000000CPU: 44 UID: 0 PID: 2552 Comm: hv_kvp_daemon Tainted: G E 6.11.0-rc3+ #1RIP: 0010:hv_pkt_iter_first+0x12/0xd0Call Trace:... vmbus_recvpacket hv_kvp_onchannelcallback vmbus_on_event tasklet_action_common tasklet_action handle_softirqs irq_exit_rcu sysvec_hyperv_stimer0 </IRQ> <TASK> asm_sysvec_hyperv_stimer0... kvp_register_done hvt_op_read vfs_read ksys_read __x64_sys_readThis can happen because the KVP/VSS channel callback can be invokedeven before the channel is fully opened:1) as soon as hv_kvp_init() -> hvutil_transport_init() creates/dev/vmbus/hv_kvp, the kvp daemon can open the device file immediately andregister itself to the driver by writing a message KVP_OP_REGISTER1 to thefile (which is handled by kvp_on_msg() ->kvp_handle_handshake()) andreading the file for the driver s response, which is handled byhvt_op_read(), which calls hvt->on_read(), i.e. kvp_register_done().2) the problem with kvp_register_done() is that it can cause thechannel callback to be called even before the channel is fully opened,and when the channel callback is starting to run, util_probe()->vmbus_open() may have not initialized the ringbuffer yet, so thecallback can hit the panic of NULL pointer dereference.To reproduce the panic consistently, we can add a  ssleep(10)  for KVP in__vmbus_open(), just before the first hv_ringbuffer_init(), and then weunload and reload the driver hv_utils, and run the daemon manually withinthe 10 seconds.Fix the panic by reordering the steps in util_probe() so the char deventry used by the KVP or VSS daemon is not created until aftervmbus_open() has completed. This reordering prevents the race conditionfrom happening.
 漏洞公开时间：2025-01-11 21:15:28
 漏洞创建时间：2025-01-22 17:05:33
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2024-55916
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/042253c57be901bfd19f15b68267442b70f510d5 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/07a756a49f4b4290b49ea46e089cbe6f79ff8d26 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/3dd7a30c6d7f90afcf19e9b072f572ba524d7ec6 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/718fe694a334be9d1a89eed22602369ac18d6583 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/89fcec5e466b3ac9b376e0d621c71effa1a7983f |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/d81f4e73aff9b861671df60e5100ad25cc16fbf8 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/f091a224a2c82f1e302b1768d73bb6332f687321 |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-55916 | https://bugzilla.suse.com/show_bug.cgi?id=1235747 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2024-55916 | https://bugzilla.suse.com/show_bug.cgi?id=1235747 |
| suse_bugzilla | https://git.kernel.org/stable/c/042253c57be901bfd19f15b68267442b70f510d5 | https://bugzilla.suse.com/show_bug.cgi?id=1235747 |
| suse_bugzilla | https://git.kernel.org/stable/c/07a756a49f4b4290b49ea46e089cbe6f79ff8d26 | https://bugzilla.suse.com/show_bug.cgi?id=1235747 |
| suse_bugzilla | https://git.kernel.org/stable/c/3dd7a30c6d7f90afcf19e9b072f572ba524d7ec6 | https://bugzilla.suse.com/show_bug.cgi?id=1235747 |
| suse_bugzilla | https://git.kernel.org/stable/c/718fe694a334be9d1a89eed22602369ac18d6583 | https://bugzilla.suse.com/show_bug.cgi?id=1235747 |
| suse_bugzilla | https://git.kernel.org/stable/c/89fcec5e466b3ac9b376e0d621c71effa1a7983f | https://bugzilla.suse.com/show_bug.cgi?id=1235747 |
| suse_bugzilla | https://git.kernel.org/stable/c/d81f4e73aff9b861671df60e5100ad25cc16fbf8 | https://bugzilla.suse.com/show_bug.cgi?id=1235747 |
| suse_bugzilla | https://git.kernel.org/stable/c/f091a224a2c82f1e302b1768d73bb6332f687321 | https://bugzilla.suse.com/show_bug.cgi?id=1235747 |
| suse_bugzilla | https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-55916.mbox | https://bugzilla.suse.com/show_bug.cgi?id=1235747 |
| suse_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2337106 | https://bugzilla.suse.com/show_bug.cgi?id=1235747 |
| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2025011146-CVE-2024-55916-3a1f@gregkh/T | https://bugzilla.redhat.com/show_bug.cgi?id=2337106 |
| debian |  | https://security-tracker.debian.org/tracker/CVE-2024-55916 |
| anolis |  | https://anas.openanolis.cn/cves/detail/CVE-2024-55916 |
| mageia |  | http://advisories.mageia.org/MGASA-2025-0030.html |
| osv | https://git.kernel.org/stable/c/042253c57be901bfd19f15b68267442b70f510d5 | https://osv.dev/vulnerability/CVE-2024-55916 |
| osv | https://git.kernel.org/stable/c/07a756a49f4b4290b49ea46e089cbe6f79ff8d26 | https://osv.dev/vulnerability/CVE-2024-55916 |
| osv | https://git.kernel.org/stable/c/3dd7a30c6d7f90afcf19e9b072f572ba524d7ec6 | https://osv.dev/vulnerability/CVE-2024-55916 |
| osv | https://git.kernel.org/stable/c/718fe694a334be9d1a89eed22602369ac18d6583 | https://osv.dev/vulnerability/CVE-2024-55916 |
| osv | https://git.kernel.org/stable/c/89fcec5e466b3ac9b376e0d621c71effa1a7983f | https://osv.dev/vulnerability/CVE-2024-55916 |
| osv | https://git.kernel.org/stable/c/d81f4e73aff9b861671df60e5100ad25cc16fbf8 | https://osv.dev/vulnerability/CVE-2024-55916 |
| osv | https://git.kernel.org/stable/c/f091a224a2c82f1e302b1768d73bb6332f687321 | https://osv.dev/vulnerability/CVE-2024-55916 |
| osv | https://security-tracker.debian.org/tracker/CVE-2024-55916 | https://osv.dev/vulnerability/CVE-2024-55916 |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
|  |  | https://git.kernel.org/stable/c/042253c57be901bfd19f15b68267442b70f510d5 |  | nvd |
|  |  | https://git.kernel.org/stable/c/07a756a49f4b4290b49ea46e089cbe6f79ff8d26 |  | nvd |
|  |  | https://git.kernel.org/stable/c/3dd7a30c6d7f90afcf19e9b072f572ba524d7ec6 |  | nvd |
|  |  | https://git.kernel.org/stable/c/718fe694a334be9d1a89eed22602369ac18d6583 |  | nvd |
|  |  | https://git.kernel.org/stable/c/89fcec5e466b3ac9b376e0d621c71effa1a7983f |  | nvd |
|  |  | https://git.kernel.org/stable/c/d81f4e73aff9b861671df60e5100ad25cc16fbf8 |  | nvd |
|  |  | https://git.kernel.org/stable/c/f091a224a2c82f1e302b1768d73bb6332f687321 |  | nvd |
| linux_kernel | 5.4.289 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f091a224a2c82f1e302b1768d73bb6332f687321 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e0fa3e5e7df61eb2c339c9f0067c202c0cdeec2c | linuxkernelcves |
| linux_kernel | 5.10.233 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d81f4e73aff9b861671df60e5100ad25cc16fbf8 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e0fa3e5e7df61eb2c339c9f0067c202c0cdeec2c | linuxkernelcves |
| linux_kernel | 5.15.176 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=042253c57be901bfd19f15b68267442b70f510d5 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e0fa3e5e7df61eb2c339c9f0067c202c0cdeec2c | linuxkernelcves |
| linux_kernel | 6.1.122 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=718fe694a334be9d1a89eed22602369ac18d6583 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e0fa3e5e7df61eb2c339c9f0067c202c0cdeec2c | linuxkernelcves |
| linux_kernel | 6.6.68 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=89fcec5e466b3ac9b376e0d621c71effa1a7983f | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e0fa3e5e7df61eb2c339c9f0067c202c0cdeec2c | linuxkernelcves |
| linux_kernel | 6.12.7 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3dd7a30c6d7f90afcf19e9b072f572ba524d7ec6 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e0fa3e5e7df61eb2c339c9f0067c202c0cdeec2c | linuxkernelcves |
| linux_kernel | 6.13-rc4 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=07a756a49f4b4290b49ea46e089cbe6f79ff8d26 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e0fa3e5e7df61eb2c339c9f0067c202c0cdeec2c | linuxkernelcves |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
  In the Linux kernel, the following vulnerability has been resolved:Drivers: hv: util: Avoid accessing a ringbuffer not initialized yetIf the KVP (or VSS) daemon starts before the VMBus channel s ringbuffer isfully initialized, we can hit the panic below:hv_utils: Registering HyperV Utility Driverhv_vmbus: registering driver hv_utils...BUG: kernel NULL pointer dereference, address: 0000000000000000CPU: 44 UID: 0 PID: 2552 Comm: hv_kvp_daemon Tainted: G E 6.11.0-rc3+ #1RIP: 0010:hv_pkt_iter_first+0x12/0xd0Call Trace:... vmbus_recvpacket hv_kvp_onchannelcallback vmbus_on_event tasklet_action_common tasklet_action handle_softirqs irq_exit_rcu sysvec_hyperv_stimer0 </IRQ> <TASK> asm_sysvec_hyperv_stimer0... kvp_register_done hvt_op_read vfs_read ksys_read __x64_sys_readThis can happen because the KVP/VSS channel callback can be invokedeven before the channel is fully opened:1) as soon as hv_kvp_init() -> hvutil_transport_init() creates/dev/vmbus/hv_kvp, the kvp daemon can open the device file immediately andregister itself to the driver by writing a message KVP_OP_REGISTER1 to thefile (which is handled by kvp_on_msg() ->kvp_handle_handshake()) andreading the file for the driver s response, which is handled byhvt_op_read(), which calls hvt->on_read(), i.e. kvp_register_done().2) the problem with kvp_register_done() is that it can cause thechannel callback to be called even before the channel is fully opened,and when the channel callback is starting to run, util_probe()->vmbus_open() may have not initialized the ringbuffer yet, so thecallback can hit the panic of NULL pointer dereference.To reproduce the panic consistently, we can add a  ssleep(10)  for KVP in__vmbus_open(), just before the first hv_ringbuffer_init(), and then weunload and reload the driver hv_utils, and run the daemon manually withinthe 10 seconds.Fix the panic by reordering the steps in util_probe() so the char deventry used by the KVP or VSS daemon is not created until aftervmbus_open() has completed. This reordering prevents the race conditionfrom happening.
 openEuler评分：
  5.5
 Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
 受影响版本排查(受影响/不受影响)：
  1.openEuler-20.03-LTS-SP4(4.19.90):受影响
2.openEuler-22.03-LTS-SP3(5.10.0):受影响
3.openEuler-22.03-LTS-SP4(5.10.0):受影响
4.openEuler-24.03-LTS(6.6.0):受影响
5.openEuler-24.03-LTS-SP1(6.6.0):受影响
6.master(6.6.0):不受影响
7.openEuler-24.03-LTS-Next(6.6.0):不受影响

修复是否涉及abi变化(是/否)：
  1.openEuler-20.03-LTS-SP4(4.19.90):否
2.openEuler-22.03-LTS-SP3(5.10.0):否
3.master(6.6.0):否
4.openEuler-24.03-LTS(6.6.0):否
5.openEuler-24.03-LTS-Next(6.6.0):否
6.openEuler-22.03-LTS-SP4(5.10.0):否
7.openEuler-24.03-LTS-SP1(6.6.0):否

原因说明：
  1.openEuler-24.03-LTS(6.6.0):正常修复
2.openEuler-24.03-LTS-SP1(6.6.0):正常修复
3.openEuler-20.03-LTS-SP4(4.19.90):不修复-超出修复范围
4.openEuler-22.03-LTS-SP3(5.10.0):不修复-超出修复范围
5.openEuler-22.03-LTS-SP4(5.10.0):不修复-超出修复范围
6.master(6.6.0):不受影响-漏洞代码不能被攻击者触发
7.openEuler-24.03-LTS-Next(6.6.0):不受影响-漏洞代码不能被攻击者触发

三、漏洞修复
安全公告链接：https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2025-1249

Hi openeuler-ci-bot, welcome to the openEuler Community.
I'm the Bot here serving you. You can find the instructions on how to interact with me at Here.
If you have any questions, please contact the SIG: Kernel, and any of the maintainers.

@yangyingliang ,@jiaoff ,@guohaocs2c ,@hanjun-guo ,@woqidaideshi ,@newbeats ,@zhangyi089 ,@colyli ,@thundertown ,@htforge ,@chiqijun ,@lengchao ,@zhujianwei001 ,@kylin-mayukun ,@wangxiongfeng ,@wkfxxx ,@SuperSix173 ,@jentlestea ,@oskernel0719 ,@gasonchen 
**issue处理注意事项:** 
**1. 当前issue受影响的分支提交pr时, 须在pr描述中填写当前issue编号进行关联, 否则无法关闭当前issue;**
**2. 模板内容需要填写完整, 无论是受影响或者不受影响都需要填写完整内容,未引入的分支不需要填写, 否则无法关闭当前issue;**
**3. 以下为模板中需要填写完整的内容, 请复制到评论区回复, 注: 内容的标题名称(影响性分析说明, openEuler评分, 受影响版本排查(受影响/不受影响), 修复是否涉及abi变化(是/否), 原因说明)不能省略,省略后cve-manager将无法正常解析填写内容.**
************************************************************************
影响性分析说明:

openEuler评分: (评分和向量)

受影响版本排查(受影响/不受影响): 
1.master(6.6.0):
2.openEuler-20.03-LTS-SP4(4.19.90):
3.openEuler-22.03-LTS-SP3(5.10.0):
4.openEuler-22.03-LTS-SP4(5.10.0):
5.openEuler-24.03-LTS(6.6.0):
6.openEuler-24.03-LTS-Next(6.6.0):
7.openEuler-24.03-LTS-SP1(6.6.0):

修复是否涉及abi变化(是/否)：
1.master(6.6.0):
2.openEuler-20.03-LTS-SP4(4.19.90):
3.openEuler-22.03-LTS-SP3(5.10.0):
4.openEuler-22.03-LTS-SP4(5.10.0):
5.openEuler-24.03-LTS(6.6.0):
6.openEuler-24.03-LTS-Next(6.6.0):
7.openEuler-24.03-LTS-SP1(6.6.0):

原因说明：
1.master(6.6.0):
2.openEuler-20.03-LTS-SP4(4.19.90):
3.openEuler-22.03-LTS-SP3(5.10.0):
4.openEuler-22.03-LTS-SP4(5.10.0):
5.openEuler-24.03-LTS(6.6.0):
6.openEuler-24.03-LTS-Next(6.6.0):
7.openEuler-24.03-LTS-SP1(6.6.0):

issue处理具体操作请参考: 
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
pr关联issue具体操作请参考:
https://gitee.com/help/articles/4142

参考网址	关联pr	状态	补丁链接
https://nvd.nist.gov/vuln/detail/CVE-2024-55916	None	None	https://git.kernel.org/stable/c/f091a224a2c82f1e302b1768d73bb6332f687321 https://git.kernel.org/stable/c/89fcec5e466b3ac9b376e0d621c71effa1a7983f https://git.kernel.org/stable/c/3dd7a30c6d7f90afcf19e9b072f572ba524d7ec6 https://git.kernel.org/stable/c/042253c57be901bfd19f15b68267442b70f510d5 https://git.kernel.org/stable/c/d81f4e73aff9b861671df60e5100ad25cc16fbf8 https://git.kernel.org/stable/c/718fe694a334be9d1a89eed22602369ac18d6583 https://git.kernel.org/stable/c/07a756a49f4b4290b49ea46e089cbe6f79ff8d26
https://ubuntu.com/security/CVE-2024-55916	None	None	https://git.kernel.org/linus/07a756a49f4b4290b49ea46e089cbe6f79ff8d26 https://git.kernel.org/stable/c/f091a224a2c82f1e302b1768d73bb6332f687321 https://discourse.ubuntu.com/c/project https://git.kernel.org/stable/c/89fcec5e466b3ac9b376e0d621c71effa1a7983f https://git.kernel.org/stable/c/3dd7a30c6d7f90afcf19e9b072f572ba524d7ec6 https://git.kernel.org/stable/c/042253c57be901bfd19f15b68267442b70f510d5 https://git.kernel.org/stable/c/d81f4e73aff9b861671df60e5100ad25cc16fbf8 https://git.kernel.org/stable/c/718fe694a334be9d1a89eed22602369ac18d6583 https://git.kernel.org/linus/e0fa3e5e7df61eb2c339c9f0067c202c0cdeec2c https://git.kernel.org/stable/c/07a756a49f4b4290b49ea46e089cbe6f79ff8d26
https://www.opencve.io/cve/CVE-2024-55916
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-55916
https://security-tracker.debian.org/tracker/CVE-2024-55916	None	None	https://git.kernel.org/linus/07a756a49f4b4290b49ea46e089cbe6f79ff8d26

说明：补丁链接仅供初步排查参考，实际可用性请人工再次确认，补丁下载验证可使用CVE补丁工具。
若补丁不准确，烦请在此issue下评论 '/report-patch 参考网址补丁链接1,补丁链接2' 反馈正确信息，便于我们不断优化工具，不胜感激。
如 /report-patch https://security-tracker.debian.org/tracker/CVE-2021-3997 https://github.com/systemd/systemd/commit/5b1cf7a9be37e20133c0208005274ce4a5b5c6a1

CVE-2024-55916

影响性分析说明：
In the Linux kernel, the following vulnerability has been resolved:

Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet

If the KVP (or VSS) daemon starts before the VMBus channel's ringbuffer is
fully initialized, we can hit the panic below:

hv_utils: Registering HyperV Utility Driver
hv_vmbus: registering driver hv_utils
...
BUG: kernel NULL pointer dereference, address: 0000000000000000
CPU: 44 UID: 0 PID: 2552 Comm: hv_kvp_daemon Tainted: G E 6.11.0-rc3+ #1
RIP: 0010:hv_pkt_iter_first+0x12/0xd0
Call Trace:
...
 vmbus_recvpacket
 hv_kvp_onchannelcallback
 vmbus_on_event
 tasklet_action_common
 tasklet_action
 handle_softirqs
 irq_exit_rcu
 sysvec_hyperv_stimer0
 </IRQ>
 <TASK>
 asm_sysvec_hyperv_stimer0
...
 kvp_register_done
 hvt_op_read
 vfs_read
 ksys_read
 __x64_sys_read

This can happen because the KVP/VSS channel callback can be invoked
even before the channel is fully opened:
1) as soon as hv_kvp_init() -> hvutil_transport_init() creates
/dev/vmbus/hv_kvp, the kvp daemon can open the device file immediately and
register itself to the driver by writing a message KVP_OP_REGISTER1 to the
file (which is handled by kvp_on_msg() ->kvp_handle_handshake()) and
reading the file for the driver's response, which is handled by
hvt_op_read(), which calls hvt->on_read(), i.e. kvp_register_done().

2) the problem with kvp_register_done() is that it can cause the
channel callback to be called even before the channel is fully opened,
and when the channel callback is starting to run, util_probe()->
vmbus_open() may have not initialized the ringbuffer yet, so the
callback can hit the panic of NULL pointer dereference.

To reproduce the panic consistently, we can add a "ssleep(10)" for KVP in
__vmbus_open(), just before the first hv_ringbuffer_init(), and then we
unload and reload the driver hv_utils, and run the daemon manually within
the 10 seconds.

Fix the panic by reordering the steps in util_probe() so the char dev
entry used by the KVP or VSS daemon is not created until after
vmbus_open() has completed. This reordering prevents the race condition
from happening.

openEuler评分:(评分和向量)
5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

受影响版本排查(受影响/不受影响):
1.master(6.1.0):不受影响
2.openEuler-20.03-LTS-SP4:受影响
3.openEuler-22.03-LTS-SP3:受影响
4.openEuler-22.03-LTS-SP4:受影响
5.openEuler-24.03-LTS:受影响
6.openEuler-24.03-LTS-Next:不受影响
7.openEuler-24.03-LTS-SP1:受影响

修复是否涉及abi变化(是/否)：
1.master(6.1.0):否
2.openEuler-20.03-LTS-SP4:否
3.openEuler-22.03-LTS-SP3:否
4.openEuler-22.03-LTS-SP4:否
5.openEuler-24.03-LTS:否
6.openEuler-24.03-LTS-Next:否
7.openEuler-24.03-LTS-SP1:否

原因说明：
1.master(23.08.5):不受影响-漏洞代码不能被攻击者触发
2.openEuler-20.03-LTS-SP4:不修复-超出修复范围
4.openEuler-22.03-LTS-SP3:不修复-超出修复范围
5.openEuler-22.03-LTS-SP4:不修复-超出修复范围
6.openEuler-24.03-LTS:正常修复
7.openEuler-24.03-LTS-Next:不受影响-漏洞代码不能被攻击者触发
8.openEuler-24.03-LTS-SP1:正常修复

@sanglipeng 经过 cve-manager 解析, 已分析的内容如下表所示:
| 状态  | 分析项目 | 内容 |
|:--:|:--:|---------|
|已分析|1.影响性分析说明|In the Linux kernel, the following vulnerability has been resolved:Drivers: hv: util: Avoid accessing a ringbuffer not initialized yetIf the KVP (or VSS) daemon starts before the VMBus channel's ringbuffer isfully initialized, we can hit the panic below:hv_utils: Registering HyperV Utility Driverhv_vmbus: registering driver hv_utils...BUG: kernel NULL pointer dereference, address: 0000000000000000CPU: 44 UID: 0 PID: 2552 Comm: hv_kvp_daemon Tainted: G E 6.11.0-rc3+ #1RIP: 0010:hv_pkt_iter_first+0x12/0xd0Call Trace:... vmbus_recvpacket hv_kvp_onchannelcallback vmbus_on_event tasklet_action_common tasklet_action handle_softirqs irq_exit_rcu sysvec_hyperv_stimer0 </IRQ> <TASK> asm_sysvec_hyperv_stimer0... kvp_register_done hvt_op_read vfs_read ksys_read __x64_sys_readThis can happen because the KVP/VSS channel callback can be invokedeven before the channel is fully opened:1) as soon as hv_kvp_init() -> hvutil_transport_init() creates/dev/vmbus/hv_kvp, the kvp daemon can open the device file immediately andregister itself to the driver by writing a message KVP_OP_REGISTER1 to thefile (which is handled by kvp_on_msg() ->kvp_handle_handshake()) andreading the file for the driver's response, which is handled byhvt_op_read(), which calls hvt->on_read(), i.e. kvp_register_done().2) the problem with kvp_register_done() is that it can cause thechannel callback to be called even before the channel is fully opened,and when the channel callback is starting to run, util_probe()->vmbus_open() may have not initialized the ringbuffer yet, so thecallback can hit the panic of NULL pointer dereference.To reproduce the panic consistently, we can add a "ssleep(10)" for KVP in__vmbus_open(), just before the first hv_ringbuffer_init(), and then weunload and reload the driver hv_utils, and run the daemon manually withinthe 10 seconds.Fix the panic by reordering the steps in util_probe() so the char deventry used by the KVP or VSS daemon is not created until aftervmbus_open() has completed. This reordering prevents the race conditionfrom happening.|
|已分析|2.openEulerScore|5.5|
|已分析|3.openEulerVector|AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H|
|已分析|4.受影响版本排查|openEuler-20.03-LTS-SP4:受影响,openEuler-22.03-LTS-SP3:受影响,openEuler-22.03-LTS-SP4:受影响,openEuler-24.03-LTS:受影响,openEuler-24.03-LTS-SP1:受影响,master:不受影响,openEuler-24.03-LTS-Next:不受影响|
|已分析|5.是否涉及abi变化|master:否,openEuler-20.03-LTS-SP4:否,openEuler-22.03-LTS-SP3:否,openEuler-22.03-LTS-SP4:否,openEuler-24.03-LTS:否,openEuler-24.03-LTS-Next:否,openEuler-24.03-LTS-SP1:否|
|已分析|6.原因说明|openEuler-24.03-LTS:正常修复,openEuler-24.03-LTS-SP1:正常修复,openEuler-20.03-LTS-SP4:不修复-超出修复范围,openEuler-22.03-LTS-SP3:不修复-超出修复范围,openEuler-22.03-LTS-SP4:不修复-超出修复范围,master:不受影响-漏洞代码不能被攻击者触发,openEuler-24.03-LTS-Next:不受影响-漏洞代码不能被攻击者触发|

**请确认分析内容的准确性, 确认无误后, 您可以进行后续步骤, 否则您可以继续分析.**