{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-36962", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-30T15:25:07.081Z", "datePublished": "2024-06-03T07:50:00.425Z", "dateUpdated": "2025-05-04T09:12:54.685Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:12:54.685Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ks8851: Queue RX packets in IRQ handler instead of disabling BHs\n\nCurrently the driver uses local_bh_disable()/local_bh_enable() in its\nIRQ handler to avoid triggering net_rx_action() softirq on exit from\nnetif_rx(). The net_rx_action() could trigger this driver .start_xmit\ncallback, which is protected by the same lock as the IRQ handler, so\ncalling the .start_xmit from netif_rx() from the IRQ handler critical\nsection protected by the lock could lead to an attempt to claim the\nalready claimed lock, and a hang.\n\nThe local_bh_disable()/local_bh_enable() approach works only in case\nthe IRQ handler is protected by a spinlock, but does not work if the\nIRQ handler is protected by mutex, i.e. this works for KS8851 with\nParallel bus interface, but not for KS8851 with SPI bus interface.\n\nRemove the BH manipulation and instead of calling netif_rx() inside\nthe IRQ handler code protected by the lock, queue all the received\nSKBs in the IRQ handler into a queue first, and once the IRQ handler\nexits the critical section protected by the lock, dequeue all the\nqueued SKBs and push them all into netif_rx(). At this point, it is\nsafe to trigger the net_rx_action() softirq, since the netif_rx()\ncall is outside of the lock that protects the IRQ handler."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/micrel/ks8851_common.c"], "versions": [{"version": "492337a4fbd1421b42df684ee9b34be2a2722540", "lessThan": "8a3ff43dcbab7c96f9e8cf2bd1049ab8d6e59545", "status": "affected", "versionType": "git"}, {"version": "cba376eb036c2c20077b41d47b317d8218fe754f", "lessThan": "ae87f661f3c1a3134a7ed86ab69bf9f12af88993", "status": "affected", "versionType": "git"}, {"version": "49d5d70538b6b8f2a3f8f1ac30c1f921d4a0929b", "lessThan": "7e2901a2a9195da76111f351584bf77552a038f0", "status": "affected", "versionType": "git"}, {"version": "be0384bf599cf1eb8d337517feeb732d71f75a6f", "lessThan": "e0863634bf9f7cf36291ebb5bfa2d16632f79c49", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/micrel/ks8851_common.c"], "versions": [{"version": "6.1.87", "lessThan": "6.1.91", "status": "affected", "versionType": "semver"}, {"version": "6.6.28", "lessThan": "6.6.31", "status": "affected", "versionType": "semver"}, {"version": "6.8.7", "lessThan": "6.8.10", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.87", "versionEndExcluding": "6.1.91"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.28", "versionEndExcluding": "6.6.31"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8.7", "versionEndExcluding": "6.8.10"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/8a3ff43dcbab7c96f9e8cf2bd1049ab8d6e59545"}, {"url": "https://git.kernel.org/stable/c/ae87f661f3c1a3134a7ed86ab69bf9f12af88993"}, {"url": "https://git.kernel.org/stable/c/7e2901a2a9195da76111f351584bf77552a038f0"}, {"url": "https://git.kernel.org/stable/c/e0863634bf9f7cf36291ebb5bfa2d16632f79c49"}], "title": "net: ks8851: Queue RX packets in IRQ handler instead of disabling BHs", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-06-03T18:04:06.438716Z", "id": "CVE-2024-36962", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-04T16:21:03.956Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:43:50.389Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/8a3ff43dcbab7c96f9e8cf2bd1049ab8d6e59545", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ae87f661f3c1a3134a7ed86ab69bf9f12af88993", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/7e2901a2a9195da76111f351584bf77552a038f0", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e0863634bf9f7cf36291ebb5bfa2d16632f79c49", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/8a3ff43dcbab7c96f9e8cf2bd1049ab8d6e59545", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ae87f661f3c1a3134a7ed86ab69bf9f12af88993", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/7e2901a2a9195da76111f351584bf77552a038f0", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e0863634bf9f7cf36291ebb5bfa2d16632f79c49", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:43:50.389Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-36962", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-03T18:04:06.438716Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-03T18:04:50.628Z"}}], "cna": {"title": "net: ks8851: Queue RX packets in IRQ handler instead of disabling BHs", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "492337a4fbd1", "lessThan": "8a3ff43dcbab", "versionType": "git"}, {"status": "affected", "version": "cba376eb036c", "lessThan": "ae87f661f3c1", "versionType": "git"}, {"status": "affected", "version": "49d5d70538b6", "lessThan": "7e2901a2a919", "versionType": "git"}, {"status": "affected", "version": "be0384bf599c", "lessThan": "e0863634bf9f", "versionType": "git"}], "programFiles": ["drivers/net/ethernet/micrel/ks8851_common.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.1.87", "lessThan": "6.1.91", "versionType": "semver"}, {"status": "affected", "version": "6.6.28", "lessThan": "6.6.31", "versionType": "semver"}, {"status": "affected", "version": "6.8.7", "lessThan": "6.8.10", "versionType": "semver"}], "programFiles": ["drivers/net/ethernet/micrel/ks8851_common.c"], "defaultStatus": "unaffected"}], "references": [{"url": "https://git.kernel.org/stable/c/8a3ff43dcbab7c96f9e8cf2bd1049ab8d6e59545"}, {"url": "https://git.kernel.org/stable/c/ae87f661f3c1a3134a7ed86ab69bf9f12af88993"}, {"url": "https://git.kernel.org/stable/c/7e2901a2a9195da76111f351584bf77552a038f0"}, {"url": "https://git.kernel.org/stable/c/e0863634bf9f7cf36291ebb5bfa2d16632f79c49"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ks8851: Queue RX packets in IRQ handler instead of disabling BHs\n\nCurrently the driver uses local_bh_disable()/local_bh_enable() in its\nIRQ handler to avoid triggering net_rx_action() softirq on exit from\nnetif_rx(). The net_rx_action() could trigger this driver .start_xmit\ncallback, which is protected by the same lock as the IRQ handler, so\ncalling the .start_xmit from netif_rx() from the IRQ handler critical\nsection protected by the lock could lead to an attempt to claim the\nalready claimed lock, and a hang.\n\nThe local_bh_disable()/local_bh_enable() approach works only in case\nthe IRQ handler is protected by a spinlock, but does not work if the\nIRQ handler is protected by mutex, i.e. this works for KS8851 with\nParallel bus interface, but not for KS8851 with SPI bus interface.\n\nRemove the BH manipulation and instead of calling netif_rx() inside\nthe IRQ handler code protected by the lock, queue all the received\nSKBs in the IRQ handler into a queue first, and once the IRQ handler\nexits the critical section protected by the lock, dequeue all the\nqueued SKBs and push them all into netif_rx(). At this point, it is\nsafe to trigger the net_rx_action() softirq, since the netif_rx()\ncall is outside of the lock that protects the IRQ handler."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:28:53.585Z"}}}, "cveMetadata": {"cveId": "CVE-2024-36962", "state": "PUBLISHED", "dateUpdated": "2024-11-05T09:28:53.585Z", "dateReserved": "2024-05-30T15:25:07.081Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-06-03T07:50:00.425Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ks8851: Queue RX packets in IRQ handler instead of disabling BHs\n\nCurrently the driver uses local_bh_disable()/local_bh_enable() in its\nIRQ handler to avoid triggering net_rx_action() softirq on exit from\nnetif_rx(). The net_rx_action() could trigger this driver .start_xmit\ncallback, which is protected by the same lock as the IRQ handler, so\ncalling the .start_xmit from netif_rx() from the IRQ handler critical\nsection protected by the lock could lead to an attempt to claim the\nalready claimed lock, and a hang.\n\nThe local_bh_disable()/local_bh_enable() approach works only in case\nthe IRQ handler is protected by a spinlock, but does not work if the\nIRQ handler is protected by mutex, i.e. this works for KS8851 with\nParallel bus interface, but not for KS8851 with SPI bus interface.\n\nRemove the BH manipulation and instead of calling netif_rx() inside\nthe IRQ handler code protected by the lock, queue all the received\nSKBs in the IRQ handler into a queue first, and once the IRQ handler\nexits the critical section protected by the lock, dequeue all the\nqueued SKBs and push them all into netif_rx(). At this point, it is\nsafe to trigger the net_rx_action() softirq, since the netif_rx()\ncall is outside of the lock that protects the IRQ handler."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: ks8851: Cola de paquetes RX en el controlador IRQ en lugar de deshabilitar los BH Actualmente, el controlador usa local_bh_disable()/local_bh_enable() en su controlador IRQ para evitar activar el softirq net_rx_action() al salir de netif_rx(). net_rx_action() podr\u00eda activar esta devoluci\u00f3n de llamada del controlador .start_xmit, que est\u00e1 protegido por el mismo candado que el controlador IRQ, por lo que llamar al .start_xmit desde netif_rx() desde la secci\u00f3n cr\u00edtica del controlador IRQ protegido por el bloqueo podr\u00eda llevar a un intento de reclamar el candado ya reclamado y un colgado. El enfoque local_bh_disable()/local_bh_enable() funciona s\u00f3lo en caso de que el controlador IRQ est\u00e9 protegido por un spinlock, pero no funciona si el controlador IRQ est\u00e1 protegido por mutex, es decir, esto funciona para KS8851 con interfaz de bus paralelo, pero no para KS8851 con Interfaz de bus SPI. Elimine la manipulaci\u00f3n de BH y en lugar de llamar a netif_rx() dentro del c\u00f3digo del controlador IRQ protegido por el bloqueo, primero ponga en cola todos los SKB recibidos en el controlador IRQ y, una vez que el controlador IRQ salga de la secci\u00f3n cr\u00edtica protegida por el bloqueo, retire la cola. todos los SKB en cola y env\u00edelos todos a netif_rx(). En este punto, es seguro activar el softirq net_rx_action(), ya que la llamada netif_rx() est\u00e1 fuera del bloqueo que protege el controlador IRQ."}], "id": "CVE-2024-36962", "lastModified": "2024-11-21T09:22:55.130", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-06-03T08:15:09.740", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7e2901a2a9195da76111f351584bf77552a038f0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8a3ff43dcbab7c96f9e8cf2bd1049ab8d6e59545"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ae87f661f3c1a3134a7ed86ab69bf9f12af88993"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e0863634bf9f7cf36291ebb5bfa2d16632f79c49"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/7e2901a2a9195da76111f351584bf77552a038f0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/8a3ff43dcbab7c96f9e8cf2bd1049ab8d6e59545"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/ae87f661f3c1a3134a7ed86ab69bf9f12af88993"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/e0863634bf9f7cf36291ebb5bfa2d16632f79c49"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: net: ks8851: Queue RX packets in IRQ handler instead of disabling BHs", "id": "2290406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2290406"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-667", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet: ks8851: Queue RX packets in IRQ handler instead of disabling BHs\nCurrently the driver uses local_bh_disable()/local_bh_enable() in its\nIRQ handler to avoid triggering net_rx_action() softirq on exit from\nnetif_rx(). The net_rx_action() could trigger this driver .start_xmit\ncallback, which is protected by the same lock as the IRQ handler, so\ncalling the .start_xmit from netif_rx() from the IRQ handler critical\nsection protected by the lock could lead to an attempt to claim the\nalready claimed lock, and a hang.\nThe local_bh_disable()/local_bh_enable() approach works only in case\nthe IRQ handler is protected by a spinlock, but does not work if the\nIRQ handler is protected by mutex, i.e. this works for KS8851 with\nParallel bus interface, but not for KS8851 with SPI bus interface.\nRemove the BH manipulation and instead of calling netif_rx() inside\nthe IRQ handler code protected by the lock, queue all the received\nSKBs in the IRQ handler into a queue first, and once the IRQ handler\nexits the critical section protected by the lock, dequeue all the\nqueued SKBs and push them all into netif_rx(). At this point, it is\nsafe to trigger the net_rx_action() softirq, since the netif_rx()\ncall is outside of the lock that protects the IRQ handler."], "name": "CVE-2024-36962", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-06-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-36962\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-36962\nhttps://lore.kernel.org/linux-cve-announce/2024060344-CVE-2024-36962-c630@gregkh/T"], "threat_severity": "Low"}