{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-35907","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-05-17T13:50:33.120Z","datePublished":"2024-05-19T08:35:00.399Z","dateUpdated":"2025-05-04T09:08:07.128Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:08:07.128Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmlxbf_gige: call request_irq() after NAPI initialized\n\nThe mlxbf_gige driver encounters a NULL pointer exception in\nmlxbf_gige_open() when kdump is enabled.  The sequence to reproduce\nthe exception is as follows:\na) enable kdump\nb) trigger kdump via \"echo c > /proc/sysrq-trigger\"\nc) kdump kernel executes\nd) kdump kernel loads mlxbf_gige module\ne) the mlxbf_gige module runs its open() as the\n   \"oob_net0\" interface is brought up\nf) mlxbf_gige module will experience an exception\n   during its open(), something like:\n\n     Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n     Mem abort info:\n       ESR = 0x0000000086000004\n       EC = 0x21: IABT (current EL), IL = 32 bits\n       SET = 0, FnV = 0\n       EA = 0, S1PTW = 0\n       FSC = 0x04: level 0 translation fault\n     user pgtable: 4k pages, 48-bit VAs, pgdp=00000000e29a4000\n     [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n     Internal error: Oops: 0000000086000004 [#1] SMP\n     CPU: 0 PID: 812 Comm: NetworkManager Tainted: G           OE     5.15.0-1035-bluefield #37-Ubuntu\n     Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.6.0.13024 Jan 19 2024\n     pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n     pc : 0x0\n     lr : __napi_poll+0x40/0x230\n     sp : ffff800008003e00\n     x29: 
ffff800008003e00 x28: 0000000000000000 x27: 00000000ffffffff\n     x26: ffff000066027238 x25: ffff00007cedec00 x24: ffff800008003ec8\n     x23: 000000000000012c x22: ffff800008003eb7 x21: 0000000000000000\n     x20: 0000000000000001 x19: ffff000066027238 x18: 0000000000000000\n     x17: ffff578fcb450000 x16: ffffa870b083c7c0 x15: 0000aaab010441d0\n     x14: 0000000000000001 x13: 00726f7272655f65 x12: 6769675f6662786c\n     x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa870b0842398\n     x8 : 0000000000000004 x7 : fe5a48b9069706ea x6 : 17fdb11fc84ae0d2\n     x5 : d94a82549d594f35 x4 : 0000000000000000 x3 : 0000000000400100\n     x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000066027238\n     Call trace:\n      0x0\n      net_rx_action+0x178/0x360\n      __do_softirq+0x15c/0x428\n      __irq_exit_rcu+0xac/0xec\n      irq_exit+0x18/0x2c\n      handle_domain_irq+0x6c/0xa0\n      gic_handle_irq+0xec/0x1b0\n      call_on_irq_stack+0x20/0x2c\n      do_interrupt_handler+0x5c/0x70\n      el1_interrupt+0x30/0x50\n      el1h_64_irq_handler+0x18/0x2c\n      el1h_64_irq+0x7c/0x80\n      __setup_irq+0x4c0/0x950\n      request_threaded_irq+0xf4/0x1bc\n      mlxbf_gige_request_irqs+0x68/0x110 [mlxbf_gige]\n      mlxbf_gige_open+0x5c/0x170 [mlxbf_gige]\n      __dev_open+0x100/0x220\n      __dev_change_flags+0x16c/0x1f0\n      dev_change_flags+0x2c/0x70\n      do_setlink+0x220/0xa40\n      __rtnl_newlink+0x56c/0x8a0\n      rtnl_newlink+0x58/0x84\n      rtnetlink_rcv_msg+0x138/0x3c4\n      netlink_rcv_skb+0x64/0x130\n      rtnetlink_rcv+0x20/0x30\n      netlink_unicast+0x2ec/0x360\n      netlink_sendmsg+0x278/0x490\n      __sock_sendmsg+0x5c/0x6c\n      ____sys_sendmsg+0x290/0x2d4\n      ___sys_sendmsg+0x84/0xd0\n      __sys_sendmsg+0x70/0xd0\n      __arm64_sys_sendmsg+0x2c/0x40\n      invoke_syscall+0x78/0x100\n      el0_svc_common.constprop.0+0x54/0x184\n      do_el0_svc+0x30/0xac\n      el0_svc+0x48/0x160\n      el0t_64_sync_handler+0xa4/0x12c\n      
el0t_64_sync+0x1a4/0x1a8\n     Code: bad PC value\n     ---[ end trace 7d1c3f3bf9d81885 ]---\n     Kernel panic - not syncing: Oops: Fatal exception in interrupt\n     Kernel Offset: 0x2870a7a00000 from 0xffff800008000000\n     PHYS_OFFSET: 0x80000000\n     CPU features: 0x0,000005c1,a3332a5a\n     Memory Limit: none\n     ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nThe exception happens because there is a pending RX interrupt before the\ncall to request_irq(RX IRQ) executes.  Then, the RX IRQ handler fires\nimmediately after this request_irq() completes. The\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c"],"versions":[{"version":"f92e1869d74e1acc6551256eb084a1c14a054e19","lessThan":"a583117668ddb86e98f2e11c7caa3db0e6df52a3","status":"affected","versionType":"git"},{"version":"f92e1869d74e1acc6551256eb084a1c14a054e19","lessThan":"24444af5ddf729376b90db0f135fa19973cb5dab","status":"affected","versionType":"git"},{"version":"f92e1869d74e1acc6551256eb084a1c14a054e19","lessThan":"867a2f598af6a645c865d1101b58c5e070c6dd9e","status":"affected","versionType":"git"},{"version":"f92e1869d74e1acc6551256eb084a1c14a054e19","lessThan":"8feb1652afe9c5d019059a55c90f70690dce0f52","status":"affected","versionType":"git"},{"version":"f92e1869d74e1acc6551256eb084a1c14a054e19","lessThan":"f7442a634ac06b953fc1f7418f307b25acd4cfbc","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c"],"versions":[{"version":"5.14","status":"affected"},{"version":"0","lessThan":"5.14","status":"unaffected","versionType":"semver"},{"version":"5.15.154","lessThanOrEqual":"5.15
.*","status":"unaffected","versionType":"semver"},{"version":"6.1.85","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.26","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.8.5","lessThanOrEqual":"6.8.*","status":"unaffected","versionType":"semver"},{"version":"6.9","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"5.15.154"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"6.1.85"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"6.6.26"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"6.8.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"6.9"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/a583117668ddb86e98f2e11c7caa3db0e6df52a3"},{"url":"https://git.kernel.org/stable/c/24444af5ddf729376b90db0f135fa19973cb5dab"},{"url":"https://git.kernel.org/stable/c/867a2f598af6a645c865d1101b58c5e070c6dd9e"},{"url":"https://git.kernel.org/stable/c/8feb1652afe9c5d019059a55c90f70690dce0f52"},{"url":"https://git.kernel.org/stable/c/f7442a634ac06b953fc1f7418f307b25acd4cfbc"}],"title":"mlxbf_gige: call request_irq() after NAPI initialized","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-06-17T17:38:42.531045Z","id":"CVE-2024-35907","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA 
Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-17T17:41:26.881Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T03:21:48.853Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/a583117668ddb86e98f2e11c7caa3db0e6df52a3","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/24444af5ddf729376b90db0f135fa19973cb5dab","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/867a2f598af6a645c865d1101b58c5e070c6dd9e","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/8feb1652afe9c5d019059a55c90f70690dce0f52","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/f7442a634ac06b953fc1f7418f307b25acd4cfbc","tags":["x_transferred"]}]}]}}