CVE-2024-36928 in Linuxinfo

Summary

by MITRE • 05/30/2024

In the Linux kernel, the following vulnerability has been resolved:

s390/qeth: Fix kernel panic after setting hsuid

Symptom: When the hsuid attribute is set for the first time on an IQD Layer3 device while the corresponding network interface is already UP, the kernel will try to execute a napi function pointer that is NULL.

Example: --------------------------------------------------------------------------- [ 2057.572696] illegal operation: 0001 ilc:1 [#1] SMP
[ 2057.572702] Modules linked in: af_iucv qeth_l3 zfcp scsi_transport_fc sunrpc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6
nft_reject nft_ct nf_tables_set nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink ghash_s390 prng xts aes_s390 des_s390 de s_generic sha3_512_s390 sha3_256_s390 sha512_s390 vfio_ccw vfio_mdev mdev vfio_iommu_type1 eadm_sch vfio ext4 mbcache jbd2 qeth_l2 bridge stp llc dasd_eckd_mod qeth dasd_mod qdio ccwgroup pkey zcrypt [ 2057.572739] CPU: 6 PID: 60182 Comm: stress_client Kdump: loaded Not tainted 4.18.0-541.el8.s390x #1
[ 2057.572742] Hardware name: IBM 3931 A01 704 (LPAR)
[ 2057.572744] Krnl PSW : 0704f00180000000 0000000000000002 (0x2)
[ 2057.572748] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3
[ 2057.572751] Krnl GPRS: 0000000000000004 0000000000000000 00000000a3b008d8 0000000000000000
[ 2057.572754] 00000000a3b008d8 cb923a29c779abc5 0000000000000000 00000000814cfd80
[ 2057.572756] 000000000000012c 0000000000000000 00000000a3b008d8 00000000a3b008d8
[ 2057.572758] 00000000bab6d500 00000000814cfd80 0000000091317e46 00000000814cfc68
[ 2057.572762] Krnl Code:#0000000000000000: 0000 illegal
>0000000000000002: 0000 illegal 0000000000000004: 0000 illegal 0000000000000006: 0000 illegal 0000000000000008: 0000 illegal 000000000000000a: 0000 illegal 000000000000000c: 0000 illegal 000000000000000e: 0000 illegal [ 2057.572800] Call Trace:
[ 2057.572801] ([] 0xec639700)
[ 2057.572803] [] net_rx_action+0x2ba/0x398
[ 2057.572809] [] __do_softirq+0x11e/0x3a0
[ 2057.572813] [] do_softirq_own_stack+0x3c/0x58
[ 2057.572817] ([] do_softirq.part.1+0x56/0x60)
[ 2057.572822] [] __local_bh_enable_ip+0x80/0x98
[ 2057.572825] [] __dev_queue_xmit+0x2be/0xd70
[ 2057.572827] [] afiucv_hs_send+0x24e/0x300 [af_iucv]
[ 2057.572830] [] iucv_send_ctrl+0x102/0x138 [af_iucv]
[ 2057.572833] [] iucv_sock_connect+0x37a/0x468 [af_iucv]
[ 2057.572835] [] __sys_connect+0xa0/0xd8
[ 2057.572839] [] sys_socketcall+0x228/0x348
[ 2057.572841] [] system_call+0x2a6/0x2c8
[ 2057.572843] Last Breaking-Event-Address:
[ 2057.572844] [] __napi_poll+0x4c/0x1d8
[ 2057.572846]
[ 2057.572847] Kernel panic - not syncing: Fatal exception in interrupt
-------------------------------------------------------------------------------------------

Analysis: There is one napi structure per out_q: card->qdio.out_qs[i].napi
The napi.poll functions are set during qeth_open().

Since commit 1cfef80d4c2b ("s390/qeth: Don't call dev_close/dev_open (DOWN/UP)") qeth_set_offline()/qeth_set_online() no longer call dev_close()/ dev_open(). So if qeth_free_qdio_queues() cleared card->qdio.out_qs[i].napi.poll while the network interface was UP and the
card was offline, they are not set again.

Reproduction: chzdev -e $devno layer2=0 ip link set dev $network_interface up echo 0 > /sys/bus/ccw ---truncated---

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 11/07/2024

The vulnerability CVE-2024-36928 affects the Linux kernel's s390/qeth network driver, specifically when handling the hsuid attribute on IQD Layer3 devices. This flaw manifests as a kernel panic during the execution of a NULL function pointer, resulting in a system crash that halts normal operations. The issue arises from improper handling of the NAPI (Network API) polling mechanism within the qeth driver, which is responsible for processing network packets in interrupt contexts on IBM System/390 architectures. The panic occurs when attempting to set the hsuid attribute on a network interface that is already in the UP state, triggering an attempt to execute a NULL napi.poll function pointer.

The root cause stems from changes made in commit 1cfef80d4c2b where qeth_set_offline() and qeth_set_online() no longer invoke dev_close() and dev_open() operations. This change inadvertently affects how NAPI structures are managed during device state transitions. When qeth_free_qdio_queues() is executed while the network interface remains in the UP state but the device is offline, the napi.poll function pointers are cleared but not properly reinitialized upon reactivation. The NAPI structure for each output queue card->qdio.out_qs[i].napi contains a poll function pointer that gets set during the qeth_open() initialization process, but this setup is bypassed when the device transitions through offline states without proper cleanup and reinitialization. The error trace shows the kernel attempting to execute __napi_poll which leads to a fatal exception in interrupt context, ultimately causing a kernel panic.

This vulnerability has significant operational impact in enterprise environments running Linux on IBM System/390 infrastructure, particularly in high-availability scenarios where network interface state changes occur frequently. The kernel panic results in complete system downtime requiring manual intervention for recovery, potentially disrupting critical services. The flaw affects systems using the qeth_l3 kernel module with IQD Layer3 devices, commonly found in mainframe and enterprise computing environments. According to CWE classification, this represents a CWE-476: NULL Pointer Dereference, where the NAPI poll function pointer becomes NULL during execution. From an ATT&CK perspective, this vulnerability could be leveraged by adversaries to cause denial-of-service conditions or potentially escalate privileges if the system is not properly secured against malicious network configuration changes.

Mitigation strategies include applying the kernel patch that resolves the NAPI structure initialization issue during device state transitions, ensuring proper reinitialization of napi.poll function pointers when devices return to online state. System administrators should also implement monitoring for network interface state changes and consider disabling hsuid attribute modifications during active network operations. The most effective solution is to update to a patched kernel version that correctly handles the NAPI structure management during device offline/online transitions, preventing the NULL pointer dereference that leads to kernel panic. Additionally, implementing proper error handling and validation checks in the network driver code can help prevent similar issues in future implementations.

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!