CVE-2024-53194 Common Vulnerabilities and Exposures

Upstream information

CVE-2024-53194 at MITRE

Description

In the Linux kernel, the following vulnerability has been resolved:

PCI: Fix use-after-free of slot->bus on hot remove

Dennis reports a boot crash on recent Lenovo laptops with a USB4 dock.

Since commit 0fc70886569c ("thunderbolt: Reset USB4 v2 host router") and
commit 59a54c5f3dbd ("thunderbolt: Reset topology created by the boot
firmware"), USB4 v2 and v1 Host Routers are reset on probe of the
thunderbolt driver.

The reset clears the Presence Detect State and Data Link Layer Link Active
bits at the USB4 Host Router's Root Port and thus causes hot removal of the
dock.

The crash occurs when pciehp is unbound from one of the dock's Downstream
Ports: pciehp creates a pci_slot on bind and destroys it on unbind. The
pci_slot contains a pointer to the pci_bus below the Downstream Port, but
a reference on that pci_bus is never acquired. The pci_bus is destroyed
before the pci_slot, so a use-after-free ensues when pci_slot_release()
accesses slot->bus.

In principle this should not happen because pci_stop_bus_device() unbinds
pciehp (and therefore destroys the pci_slot) before the pci_bus is
destroyed by pci_remove_bus_device().

However the stacktrace provided by Dennis shows that pciehp is unbound from
pci_remove_bus_device() instead of pci_stop_bus_device(). To understand
the significance of this, one needs to know that the PCI core uses a two
step process to remove a portion of the hierarchy: It first unbinds all
drivers in the sub-hierarchy in pci_stop_bus_device() and then actually
removes the devices in pci_remove_bus_device(). There is no precaution to
prevent driver binding in-between pci_stop_bus_device() and
pci_remove_bus_device().

In Dennis' case, it seems removal of the hierarchy by pciehp races with
driver binding by pci_bus_add_devices(). pciehp is bound to the
Downstream Port after pci_stop_bus_device() has run, so it is unbound by
pci_remove_bus_device() instead of pci_stop_bus_device(). Because the
pci_bus has already been destroyed at that point, accesses to it result in
a use-after-free.

One might conclude that driver binding needs to be prevented after
pci_stop_bus_device() has run. However it seems risky that pci_slot points
to pci_bus without holding a reference. Solely relying on correct ordering
of driver unbind versus pci_bus destruction is certainly not defensive
programming.

If pci_slot has a need to access data in pci_bus, it ought to acquire a
reference. Amend pci_create_slot() accordingly. Dennis reports that the
crash is not reproducible with this change.

Abridged stacktrace:

pcieport 0000:00:07.0: PME: Signaling with IRQ 156
pcieport 0000:00:07.0: pciehp: Slot #12 AttnBtn- PwrCtrl- MRL- AttnInd- PwrInd- HotPlug+ Surprise+ Interlock- NoCompl+ IbPresDis- LLActRep+
pci_bus 0000:20: dev 00, created physical slot 12
pcieport 0000:00:07.0: pciehp: Slot(12): Card not present
...
pcieport 0000:21:02.0: pciehp: pcie_disable_notification: SLOTCTRL d8 write cmd 0
Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI
CPU: 13 UID: 0 PID: 134 Comm: irq/156-pciehp Not tainted 6.11.0-devel+ #1
RIP: 0010:dev_driver_string+0x12/0x40
pci_destroy_slot
pciehp_remove
pcie_port_remove_service
device_release_driver_internal
bus_remove_device
device_del
device_unregister
remove_iter
device_for_each_child
pcie_portdrv_remove
pci_device_remove
device_release_driver_internal
bus_remove_device
device_del
pci_remove_bus_device (recursive invocation)
pci_remove_bus_device
pciehp_unconfigure_device
pciehp_disable_slot
pciehp_handle_presence_or_link_change
pciehp_ist

SUSE information

Overall state of this security issue: Analysis

This issue is currently rated as having moderate severity.

No SUSE Bugzilla entries cross referenced.

No SUSE Security Announcements cross referenced.

Status of this issue by product and package

Please note that this evaluation state might be work in progress, incomplete or outdated. Also information for service packs in the LTSS phase is only included for issues meeting the LTSS criteria. If in doubt, feel free to contact us for clarification. The updates are grouped by state of their lifecycle. SUSE product lifecycles are documented on the lifecycle page.

Product(s)	Source package	State
Products under general support and receiving all security fixes.
SUSE Linux Enterprise Desktop 15 SP5	kernel-default	Analysis
SUSE Linux Enterprise Desktop 15 SP5	kernel-source	Analysis
SUSE Linux Enterprise Desktop 15 SP6	kernel-default	Analysis
SUSE Linux Enterprise Desktop 15 SP6	kernel-source	Analysis
SUSE Linux Enterprise High Performance Computing 15 SP5	kernel-default	Analysis
SUSE Linux Enterprise High Performance Computing 15 SP5	kernel-source	Analysis
SUSE Linux Enterprise High Performance Computing 15 SP5	kernel-source-azure	Analysis
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS	kernel-default	Analysis
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS	kernel-source	Analysis
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS	kernel-default	Analysis
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS	kernel-source	Analysis
SUSE Linux Enterprise High Performance Computing 15 SP6	kernel-default	Analysis
SUSE Linux Enterprise High Performance Computing 15 SP6	kernel-source	Analysis
SUSE Linux Enterprise High Performance Computing 15 SP6	kernel-source-azure	Analysis
SUSE Linux Enterprise Live Patching 15 SP5	kernel-default	Analysis
SUSE Linux Enterprise Live Patching 15 SP5	kernel-source	Analysis
SUSE Linux Enterprise Live Patching 15 SP6	kernel-default	Analysis
SUSE Linux Enterprise Live Patching 15 SP6	kernel-source	Analysis
SUSE Linux Enterprise Micro 5.1	kernel-default	Analysis
SUSE Linux Enterprise Micro 5.1	kernel-rt	Analysis
SUSE Linux Enterprise Micro 5.1	kernel-source	Analysis
SUSE Linux Enterprise Micro 5.1	kernel-source-rt	Analysis
SUSE Linux Enterprise Micro 5.2	kernel-default	Analysis
SUSE Linux Enterprise Micro 5.2	kernel-rt	Analysis
SUSE Linux Enterprise Micro 5.2	kernel-source	Analysis
SUSE Linux Enterprise Micro 5.2	kernel-source-rt	Analysis
SUSE Linux Enterprise Micro 5.3	kernel-default	Analysis
SUSE Linux Enterprise Micro 5.3	kernel-rt	Analysis
SUSE Linux Enterprise Micro 5.3	kernel-source	Analysis
SUSE Linux Enterprise Micro 5.3	kernel-source-rt	Analysis
SUSE Linux Enterprise Micro 5.4	kernel-default	Analysis
SUSE Linux Enterprise Micro 5.4	kernel-rt	Analysis
SUSE Linux Enterprise Micro 5.4	kernel-source	Analysis
SUSE Linux Enterprise Micro 5.4	kernel-source-rt	Analysis
SUSE Linux Enterprise Micro 5.5	kernel-default	Analysis
SUSE Linux Enterprise Micro 5.5	kernel-source	Analysis
SUSE Linux Enterprise Micro 5.5	kernel-source-rt	Analysis
SUSE Linux Enterprise Module for Basesystem 15 SP5	kernel-default	Analysis
SUSE Linux Enterprise Module for Basesystem 15 SP5	kernel-source	Analysis
SUSE Linux Enterprise Module for Basesystem 15 SP6	kernel-default	Analysis
SUSE Linux Enterprise Module for Basesystem 15 SP6	kernel-source	Analysis
SUSE Linux Enterprise Module for Development Tools 15 SP5	kernel-default	Analysis
SUSE Linux Enterprise Module for Development Tools 15 SP5	kernel-source	Analysis
SUSE Linux Enterprise Module for Development Tools 15 SP6	kernel-default	Analysis
SUSE Linux Enterprise Module for Development Tools 15 SP6	kernel-source	Analysis
SUSE Linux Enterprise Module for Legacy 15 SP5	kernel-default	Analysis
SUSE Linux Enterprise Module for Legacy 15 SP5	kernel-source	Analysis
SUSE Linux Enterprise Module for Public Cloud 15 SP5	kernel-source-azure	Analysis
SUSE Linux Enterprise Module for Public Cloud 15 SP6	kernel-source-azure	Analysis
SUSE Linux Enterprise Real Time 15 SP5	kernel-source-rt	Unsupported
SUSE Linux Enterprise Real Time 15 SP6	kernel-source-rt	Analysis
SUSE Linux Enterprise Server 15 SP5	kernel-default	Analysis
SUSE Linux Enterprise Server 15 SP5	kernel-source	Analysis
SUSE Linux Enterprise Server 15 SP5	kernel-source-azure	Analysis
SUSE Linux Enterprise Server 15 SP5-LTSS	kernel-default	Analysis
SUSE Linux Enterprise Server 15 SP5-LTSS	kernel-source	Analysis
SUSE Linux Enterprise Server 15 SP6	kernel-default	Analysis
SUSE Linux Enterprise Server 15 SP6	kernel-source	Analysis
SUSE Linux Enterprise Server 15 SP6	kernel-source-azure	Analysis
SUSE Linux Enterprise Server for SAP Applications 15 SP5	kernel-default	Analysis
SUSE Linux Enterprise Server for SAP Applications 15 SP5	kernel-source	Analysis
SUSE Linux Enterprise Server for SAP Applications 15 SP5	kernel-source-azure	Analysis
SUSE Linux Enterprise Server for SAP Applications 15 SP6	kernel-default	Analysis
SUSE Linux Enterprise Server for SAP Applications 15 SP6	kernel-source	Analysis
SUSE Linux Enterprise Server for SAP Applications 15 SP6	kernel-source-azure	Analysis
SUSE Linux Enterprise Workstation Extension 15 SP5	kernel-default	Unsupported
SUSE Linux Enterprise Workstation Extension 15 SP5	kernel-source	Unsupported
SUSE Linux Micro 6.0	kernel-default	Analysis
SUSE Linux Micro 6.0	kernel-source	Analysis
SUSE Linux Micro 6.0	kernel-source-rt	Analysis
SUSE Linux Micro 6.1	kernel-default	Analysis
SUSE Linux Micro 6.1	kernel-source	Analysis
SUSE Linux Micro 6.1	kernel-source-rt	Analysis
SUSE Manager Proxy 4.3	kernel-default	Analysis
SUSE Manager Proxy 4.3	kernel-source	Analysis
SUSE Manager Retail Branch Server 4.3	kernel-default	Analysis
SUSE Manager Retail Branch Server 4.3	kernel-source	Analysis
SUSE Manager Server 4.3	kernel-default	Analysis
SUSE Manager Server 4.3	kernel-source	Analysis
SUSE Real Time Module 15 SP5	kernel-source-rt	Unsupported
SUSE Real Time Module 15 SP6	kernel-source-rt	Analysis
openSUSE Leap 15.5	kernel-default	Unsupported
openSUSE Leap 15.5	kernel-source	Unsupported
openSUSE Leap 15.5	kernel-source-azure	Unsupported
openSUSE Leap 15.5	kernel-source-rt	Unsupported
openSUSE Leap 15.6	kernel-default	Analysis
openSUSE Leap 15.6	kernel-source	Analysis
openSUSE Leap 15.6	kernel-source-azure	Analysis
openSUSE Leap 15.6	kernel-source-rt	Analysis
Products under Long Term Service Pack support and receiving important and critical security fixes.
SUSE Linux Enterprise Desktop 15 SP4	kernel-source	Analysis
SUSE Linux Enterprise High Availability Extension 12 SP5	kernel-default	Analysis
SUSE Linux Enterprise High Availability Extension 12 SP5	kernel-source	Analysis
SUSE Linux Enterprise High Availability Extension 15 SP2	kernel-default	Unsupported
SUSE Linux Enterprise High Availability Extension 15 SP2	kernel-source	Unsupported
SUSE Linux Enterprise High Performance Computing 15 SP2	kernel-source	Analysis
SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS	kernel-source	Analysis
SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS	kernel-default	Unsupported
SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS	kernel-source	Unsupported
SUSE Linux Enterprise High Performance Computing 15 SP3	kernel-source	Analysis
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS	kernel-source	Analysis
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS	kernel-default	Analysis
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS	kernel-source	Analysis
SUSE Linux Enterprise High Performance Computing 15 SP4	kernel-source	Analysis
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS	kernel-default	Unsupported
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS	kernel-source	Unsupported
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS	kernel-default	Analysis
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS	kernel-source	Analysis
SUSE Linux Enterprise Live Patching 12 SP5	kernel-default	Analysis
SUSE Linux Enterprise Live Patching 12 SP5	kernel-source	Analysis
SUSE Linux Enterprise Live Patching 15 SP2	kernel-default	Unsupported
SUSE Linux Enterprise Live Patching 15 SP2	kernel-source	Unsupported
SUSE Linux Enterprise Live Patching 15 SP3	kernel-default	Analysis
SUSE Linux Enterprise Live Patching 15 SP3	kernel-source	Analysis
SUSE Linux Enterprise Live Patching 15 SP4	kernel-default	Analysis
SUSE Linux Enterprise Live Patching 15 SP4	kernel-source	Analysis
SUSE Linux Enterprise Module for Basesystem 15 SP2	kernel-source	Analysis
SUSE Linux Enterprise Module for Basesystem 15 SP3	kernel-source	Analysis
SUSE Linux Enterprise Module for Basesystem 15 SP4	kernel-source	Analysis
SUSE Linux Enterprise Module for Development Tools 15 SP2	kernel-source	Analysis
SUSE Linux Enterprise Module for Development Tools 15 SP3	kernel-source	Analysis
SUSE Linux Enterprise Module for Development Tools 15 SP4	kernel-source	Analysis
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE	kernel-default	Analysis
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE	kernel-source	Analysis
SUSE Linux Enterprise Server 12 SP5	kernel-source	Analysis
SUSE Linux Enterprise Server 12 SP5	kernel-source-azure	Analysis
SUSE Linux Enterprise Server 12 SP5-LTSS	kernel-default	Analysis
SUSE Linux Enterprise Server 12 SP5-LTSS	kernel-source	Analysis
SUSE Linux Enterprise Server 12 SP5-LTSS	kernel-source-azure	Analysis
SUSE Linux Enterprise Server 15 SP2	kernel-source	Analysis
SUSE Linux Enterprise Server 15 SP2-LTSS	kernel-default	Unsupported
SUSE Linux Enterprise Server 15 SP2-LTSS	kernel-source	Unsupported
SUSE Linux Enterprise Server 15 SP3	kernel-source	Analysis
SUSE Linux Enterprise Server 15 SP3-LTSS	kernel-default	Analysis
SUSE Linux Enterprise Server 15 SP3-LTSS	kernel-source	Analysis
SUSE Linux Enterprise Server 15 SP4	kernel-source	Analysis
SUSE Linux Enterprise Server 15 SP4-LTSS	kernel-default	Analysis
SUSE Linux Enterprise Server 15 SP4-LTSS	kernel-source	Analysis
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5	kernel-source	Analysis
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5	kernel-source-azure	Analysis
SUSE Linux Enterprise Server for SAP Applications 12 SP5	kernel-default	Analysis
SUSE Linux Enterprise Server for SAP Applications 12 SP5	kernel-source	Analysis
SUSE Linux Enterprise Server for SAP Applications 15 SP2	kernel-default	Unsupported
SUSE Linux Enterprise Server for SAP Applications 15 SP2	kernel-source	Unsupported
SUSE Linux Enterprise Server for SAP Applications 15 SP3	kernel-default	Analysis
SUSE Linux Enterprise Server for SAP Applications 15 SP3	kernel-source	Analysis
SUSE Linux Enterprise Server for SAP Applications 15 SP4	kernel-default	Analysis
SUSE Linux Enterprise Server for SAP Applications 15 SP4	kernel-source	Analysis
Products past their end of life and not receiving proactive updates anymore.
HPE Helion OpenStack 8	kernel-source	Unsupported
SUSE CaaS Platform 4.0	kernel-source	Analysis
SUSE CaaS Platform Toolchain 3	kernel-source	Unsupported
SUSE Enterprise Storage 6	kernel-source	Analysis
SUSE Enterprise Storage 7	kernel-source	Analysis
SUSE Enterprise Storage 7.1	kernel-source	Analysis
SUSE Linux Enterprise Desktop 11 SP4	kernel-source	Analysis
SUSE Linux Enterprise Desktop 12 SP2	kernel-source	Analysis
SUSE Linux Enterprise Desktop 12 SP3	kernel-source	Unsupported
SUSE Linux Enterprise Desktop 12 SP4	kernel-source	Analysis
SUSE Linux Enterprise Desktop 15	kernel-source	Analysis
SUSE Linux Enterprise Desktop 15 SP1	kernel-source	Analysis
SUSE Linux Enterprise Desktop 15 SP2	kernel-source	Analysis
SUSE Linux Enterprise Desktop 15 SP3	kernel-source	Analysis
SUSE Linux Enterprise High Performance Computing 15	kernel-source	Analysis
SUSE Linux Enterprise High Performance Computing 15 SP1	kernel-source	Analysis
SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS	kernel-source	Analysis
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS	kernel-source	Analysis
SUSE Linux Enterprise High Performance Computing 15-ESPOS	kernel-source	Analysis
SUSE Linux Enterprise High Performance Computing 15-LTSS	kernel-source	Analysis
SUSE Linux Enterprise Micro 5.0	kernel-default	Analysis
SUSE Linux Enterprise Module for Basesystem 15	kernel-source	Analysis
SUSE Linux Enterprise Module for Basesystem 15 SP1	kernel-source	Analysis
SUSE Linux Enterprise Module for Development Tools 15	kernel-source	Analysis
SUSE Linux Enterprise Module for Development Tools 15 SP1	kernel-source	Analysis
SUSE Linux Enterprise Point of Sale 12 SP2-CLIENT	kernel-source	Analysis
SUSE Linux Enterprise Real Time 15 SP2	kernel-source	Analysis
SUSE Linux Enterprise Real Time 15 SP3	kernel-source	Analysis
SUSE Linux Enterprise Real Time 15 SP3	kernel-source-rt	Analysis
SUSE Linux Enterprise Real Time 15 SP4	kernel-source	Analysis
SUSE Linux Enterprise Real Time 15 SP4	kernel-source-rt	Analysis
SUSE Linux Enterprise Server 11 SP4	kernel-source	Analysis
SUSE Linux Enterprise Server 11 SP4 LTSS	kernel-default	Analysis
SUSE Linux Enterprise Server 11 SP4 LTSS	kernel-source	Analysis
SUSE Linux Enterprise Server 11 SP4-LTSS	kernel-source	Analysis
SUSE Linux Enterprise Server 12 SP2	kernel-source	Analysis
SUSE Linux Enterprise Server 12 SP2-BCL	kernel-source	Analysis
SUSE Linux Enterprise Server 12 SP2-ESPOS	kernel-source	Analysis
SUSE Linux Enterprise Server 12 SP2-LTSS	kernel-default	Analysis
SUSE Linux Enterprise Server 12 SP2-LTSS	kernel-source	Analysis
SUSE Linux Enterprise Server 12 SP3	kernel-source	Unsupported
SUSE Linux Enterprise Server 12 SP3-BCL	kernel-source	Unsupported
SUSE Linux Enterprise Server 12 SP3-ESPOS	kernel-source	Unsupported
SUSE Linux Enterprise Server 12 SP3-LTSS	kernel-source	Unsupported
SUSE Linux Enterprise Server 12 SP4	kernel-source	Analysis
SUSE Linux Enterprise Server 12 SP4-ESPOS	kernel-source	Analysis
SUSE Linux Enterprise Server 12 SP4-LTSS	kernel-default	Analysis
SUSE Linux Enterprise Server 12 SP4-LTSS	kernel-source	Analysis
SUSE Linux Enterprise Server 15	kernel-source	Analysis
SUSE Linux Enterprise Server 15 SP1	kernel-source	Analysis
SUSE Linux Enterprise Server 15 SP1-BCL	kernel-source	Analysis
SUSE Linux Enterprise Server 15 SP1-LTSS	kernel-default	Analysis
SUSE Linux Enterprise Server 15 SP1-LTSS	kernel-source	Analysis
SUSE Linux Enterprise Server 15 SP2-BCL	kernel-source	Analysis
SUSE Linux Enterprise Server 15 SP3-BCL	kernel-source	Analysis
SUSE Linux Enterprise Server 15-LTSS	kernel-default	Analysis
SUSE Linux Enterprise Server 15-LTSS	kernel-source	Analysis
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2	kernel-source	Analysis
SUSE Linux Enterprise Server for SAP Applications 12 SP2	kernel-source	Analysis
SUSE Linux Enterprise Server for SAP Applications 12 SP3	kernel-source	Unsupported
SUSE Linux Enterprise Server for SAP Applications 12 SP4	kernel-source	Analysis
SUSE Linux Enterprise Server for SAP Applications 15	kernel-source	Analysis
SUSE Linux Enterprise Server for SAP Applications 15 SP1	kernel-source	Analysis
SUSE Manager Proxy 4.0	kernel-source	Analysis
SUSE Manager Proxy 4.1	kernel-source	Analysis
SUSE Manager Proxy 4.2	kernel-source	Analysis
SUSE Manager Retail Branch Server 4.0	kernel-source	Analysis
SUSE Manager Retail Branch Server 4.1	kernel-source	Analysis
SUSE Manager Retail Branch Server 4.2	kernel-source	Analysis
SUSE Manager Server 4.0	kernel-source	Analysis
SUSE Manager Server 4.1	kernel-source	Analysis
SUSE Manager Server 4.2	kernel-source	Analysis
SUSE OpenStack Cloud 7	kernel-source	Analysis
SUSE OpenStack Cloud 8	kernel-source	Unsupported
SUSE OpenStack Cloud 9	kernel-source	Analysis
SUSE OpenStack Cloud Crowbar 8	kernel-source	Unsupported
SUSE OpenStack Cloud Crowbar 9	kernel-source	Analysis
SUSE Real Time Module 15 SP3	kernel-source-rt	Analysis
SUSE Real Time Module 15 SP4	kernel-source-rt	Analysis
openSUSE Leap 15.3	kernel-source	Analysis
openSUSE Leap 15.3	kernel-source-rt	Analysis
openSUSE Leap 15.4	kernel-source	Analysis
openSUSE Leap 15.4	kernel-source-azure	Analysis
openSUSE Leap 15.4	kernel-source-rt	Analysis

SUSE Timeline for this CVE

CVE page created: Fri Dec 27 16:00:39 2024
CVE page last modified: Tue Dec 31 14:00:19 2024