fkie_cve-2024-53214
Vulnerability from fkie_nvd
Published
2024-12-27 14:15
Modified
2024-12-27 14:15
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Properly hide first-in-list PCIe extended capability There are cases where a PCIe extended capability should be hidden from the user. For example, an unknown capability (i.e., capability with ID greater than PCI_EXT_CAP_ID_MAX) or a capability that is intentionally chosen to be hidden from the user. Hiding a capability is done by virtualizing and modifying the 'Next Capability Offset' field of the previous capability so it points to the capability after the one that should be hidden. The special case where the first capability in the list should be hidden is handled differently because there is no previous capability that can be modified. In this case, the capability ID and version are zeroed while leaving the next pointer intact. This hides the capability and leaves an anchor for the rest of the capability list. However, today, hiding the first capability in the list is not done properly if the capability is unknown, as struct vfio_pci_core_device->pci_config_map is set to the capability ID during initialization but the capability ID is not properly checked later when used in vfio_config_do_rw(). This leads to the following warning [1] and to an out-of-bounds access to ecap_perms array. Fix it by checking cap_id in vfio_config_do_rw(), and if it is greater than PCI_EXT_CAP_ID_MAX, use an alternative struct perm_bits for direct read only access instead of the ecap_perms array. Note that this is safe since the above is the only case where cap_id can exceed PCI_EXT_CAP_ID_MAX (except for the special capabilities, which are already checked before). [1] WARNING: CPU: 118 PID: 5329 at drivers/vfio/pci/vfio_pci_config.c:1900 vfio_pci_config_rw+0x395/0x430 [vfio_pci_core] CPU: 118 UID: 0 PID: 5329 Comm: simx-qemu-syste Not tainted 6.12.0+ #1 (snip) Call Trace: <TASK> ? show_regs+0x69/0x80 ? __warn+0x8d/0x140 ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core] ? report_bug+0x18f/0x1a0 ? handle_bug+0x63/0xa0 ? exc_invalid_op+0x19/0x70 ? asm_exc_invalid_op+0x1b/0x20 ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core] ? vfio_pci_config_rw+0x244/0x430 [vfio_pci_core] vfio_pci_rw+0x101/0x1b0 [vfio_pci_core] vfio_pci_core_read+0x1d/0x30 [vfio_pci_core] vfio_device_fops_read+0x27/0x40 [vfio] vfs_read+0xbd/0x340 ? vfio_device_fops_unl_ioctl+0xbb/0x740 [vfio] ? __rseq_handle_notify_resume+0xa4/0x4b0 __x64_sys_pread64+0x96/0xc0 x64_sys_call+0x1c3d/0x20d0 do_syscall_64+0x4d/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/06f2fcf49854ad05a09d09e0dbee6544fff04695
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0918f5643fc6c3f7801f4a22397d2cc09ba99207
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1ef195178fb552478eb2587df4ad3be14ef76507
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4464e5aa3aa4574063640f1082f7d7e323af8eb4
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6c6502d944168cbd7e03a4a08ad6488f78d73485
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7d121f66b67921fb3b95e0ea9856bfba53733e91
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/949bee8065a85a5c6607c624dc05b5bc17119699
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9567bd34aa3b986736c290c5bcba47e0182ac47a
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/fe4bf8d0b6716a423b16495d55b35d3fe515905d
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Properly hide first-in-list PCIe extended capability\n\nThere are cases where a PCIe extended capability should be hidden from\nthe user. For example, an unknown capability (i.e., capability with ID\ngreater than PCI_EXT_CAP_ID_MAX) or a capability that is intentionally\nchosen to be hidden from the user.\n\nHiding a capability is done by virtualizing and modifying the \u0027Next\nCapability Offset\u0027 field of the previous capability so it points to the\ncapability after the one that should be hidden.\n\nThe special case where the first capability in the list should be hidden\nis handled differently because there is no previous capability that can\nbe modified. In this case, the capability ID and version are zeroed\nwhile leaving the next pointer intact. This hides the capability and\nleaves an anchor for the rest of the capability list.\n\nHowever, today, hiding the first capability in the list is not done\nproperly if the capability is unknown, as struct\nvfio_pci_core_device-\u003epci_config_map is set to the capability ID during\ninitialization but the capability ID is not properly checked later when\nused in vfio_config_do_rw(). This leads to the following warning [1] and\nto an out-of-bounds access to ecap_perms array.\n\nFix it by checking cap_id in vfio_config_do_rw(), and if it is greater\nthan PCI_EXT_CAP_ID_MAX, use an alternative struct perm_bits for direct\nread only access instead of the ecap_perms array.\n\nNote that this is safe since the above is the only case where cap_id can\nexceed PCI_EXT_CAP_ID_MAX (except for the special capabilities, which\nare already checked before).\n\n[1]\n\nWARNING: CPU: 118 PID: 5329 at drivers/vfio/pci/vfio_pci_config.c:1900 vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]\nCPU: 118 UID: 0 PID: 5329 Comm: simx-qemu-syste Not tainted 6.12.0+ #1\n(snip)\nCall Trace:\n \u003cTASK\u003e\n ? show_regs+0x69/0x80\n ? __warn+0x8d/0x140\n ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]\n ? report_bug+0x18f/0x1a0\n ? handle_bug+0x63/0xa0\n ? exc_invalid_op+0x19/0x70\n ? asm_exc_invalid_op+0x1b/0x20\n ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]\n ? vfio_pci_config_rw+0x244/0x430 [vfio_pci_core]\n vfio_pci_rw+0x101/0x1b0 [vfio_pci_core]\n vfio_pci_core_read+0x1d/0x30 [vfio_pci_core]\n vfio_device_fops_read+0x27/0x40 [vfio]\n vfs_read+0xbd/0x340\n ? vfio_device_fops_unl_ioctl+0xbb/0x740 [vfio]\n ? __rseq_handle_notify_resume+0xa4/0x4b0\n __x64_sys_pread64+0x96/0xc0\n x64_sys_call+0x1c3d/0x20d0\n do_syscall_64+0x4d/0x120\n entry_SYSCALL_64_after_hwframe+0x76/0x7e"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: vfio/pci: Ocultar correctamente la primera capacidad extendida PCIe de la lista Hay casos en los que una capacidad extendida PCIe deber\u00eda estar oculta al usuario. Por ejemplo, una capacidad desconocida (es decir, una capacidad con un ID mayor que PCI_EXT_CAP_ID_MAX) o una capacidad que se elige intencionalmente para que est\u00e9 oculta al usuario. Para ocultar una capacidad, se virtualiza y modifica el campo \"Next Capability Offset\" de la capacidad anterior para que apunte a la capacidad despu\u00e9s de la que deber\u00eda estar oculta. El caso especial en el que la primera capacidad de la lista deber\u00eda estar oculta se gestiona de forma diferente porque no hay ninguna capacidad anterior que pueda modificarse. En este caso, el ID y la versi\u00f3n de la capacidad se ponen a cero mientras que el siguiente puntero queda intacto. Esto oculta la capacidad y deja un ancla para el resto de la lista de capacidades. Sin embargo, hoy en d\u00eda, ocultar la primera capacidad en la lista no se hace correctamente si la capacidad es desconocida, ya que struct vfio_pci_core_device-\u0026gt;pci_config_map se establece en el ID de capacidad durante la inicializaci\u00f3n, pero el ID de capacidad no se verifica correctamente m\u00e1s tarde cuando se usa en vfio_config_do_rw(). Esto lleva a la siguiente advertencia [1] y a un acceso fuera de los l\u00edmites a la matriz ecap_perms. Arr\u00e9glelo verificando cap_id en vfio_config_do_rw(), y si es mayor que PCI_EXT_CAP_ID_MAX, use un struct perm_bits alternativo para acceso directo de solo lectura en lugar de la matriz ecap_perms. Tenga en cuenta que esto es seguro ya que el anterior es el \u00fanico caso en el que cap_id puede superar a PCI_EXT_CAP_ID_MAX (excepto para las capacidades especiales, que ya se verificaron antes). [1] ADVERTENCIA: CPU: 118 PID: 5329 en drivers/vfio/pci/vfio_pci_config.c:1900 vfio_pci_config_rw+0x395/0x430 [vfio_pci_core] CPU: 118 UID: 0 PID: 5329 Comm: simx-qemu-syste No contaminado 6.12.0+ #1 (fragmento) Seguimiento de llamadas:  ? show_regs+0x69/0x80 ? __warn+0x8d/0x140 ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core] ? report_bug+0x18f/0x1a0 ? handle_bug+0x63/0xa0 ? vfio_pci_config_rw+0x395/0x430 [n\u00facleo vfio_pci] vfio_pci_rw+0x244/0x430 [n\u00facleo vfio_pci] vfio_pci_rw+0x101/0x1b0 [n\u00facleo vfio_pci] vfio_pci_core_read+0x1d/0x30 [n\u00facleo vfio_pci] vfio_device_fops_read+0x27/0x40 [vfio] vfs_read+0xbd/0x340 ? vfio_device_fops_unl_ioctl+0xbb/0x740 [vfio] ? __rseq_handle_notify_resume+0xa4/0x4b0 __x64_sys_pread64+0x96/0xc0 x64_sys_call+0x1c3d/0x20d0 do_syscall_64+0x4d/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e"
    }
  ],
  "id": "CVE-2024-53214",
  "lastModified": "2024-12-27T14:15:29.337",
  "metrics": {},
  "published": "2024-12-27T14:15:29.337",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/06f2fcf49854ad05a09d09e0dbee6544fff04695"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/0918f5643fc6c3f7801f4a22397d2cc09ba99207"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/1ef195178fb552478eb2587df4ad3be14ef76507"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/4464e5aa3aa4574063640f1082f7d7e323af8eb4"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/6c6502d944168cbd7e03a4a08ad6488f78d73485"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/7d121f66b67921fb3b95e0ea9856bfba53733e91"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/949bee8065a85a5c6607c624dc05b5bc17119699"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/9567bd34aa3b986736c290c5bcba47e0182ac47a"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/fe4bf8d0b6716a423b16495d55b35d3fe515905d"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.