Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com
☎ 03 60 47 09 81 - info@securiteinfo.com
In the Linux kernel, the following vulnerability has been resolved:PCI: switchtec: Fix stdev_release() crash after surprise hot removeA PCI device hot removal may occur while stdev->cdev is held open. The callto stdev_release() then happens during close or exit, at a point way pastswitchtec_pci_remove(). Otherwise the last ref would vanish with thetrailing put_device(), just before return.At that later point in time, the devm cleanup has already removed thestdev->mmio_mrpc mapping. Also, the stdev->pdev reference was not a countedone. Therefore, in DMA mode, the iowrite32() in stdev_release() will causea fatal page fault, and the subsequent dma_free_coherent(), if reached,would pass a stale &stdev->pdev->dev pointer.Fix by moving MRPC DMA shutdown into switchtec_pci_remove(), afterstdev_kill(). Counting the stdev->pdev ref is now optional, but may preventfuture accidents.Reproducible via the script athttps://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com
No PoCs from references.
- https://github.com/NaInSec/CVE-LIST