{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-36928","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-05-30T15:25:07.069Z","datePublished":"2024-05-30T15:29:20.854Z","dateUpdated":"2025-05-04T12:56:31.287Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T12:56:31.287Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ns390/qeth: Fix kernel panic after setting hsuid\n\nSymptom:\nWhen the hsuid attribute is set for the first time on an IQD Layer3\ndevice while the corresponding network interface is already UP,\nthe kernel will try to execute a napi function pointer that is NULL.\n\nExample:\n---------------------------------------------------------------------------\n[ 2057.572696] illegal operation: 0001 ilc:1 [#1] SMP\n[ 2057.572702] Modules linked in: af_iucv qeth_l3 zfcp scsi_transport_fc sunrpc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6\nnft_reject nft_ct nf_tables_set nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink ghash_s390 prng xts aes_s390 des_s390 de\ns_generic sha3_512_s390 sha3_256_s390 sha512_s390 vfio_ccw vfio_mdev mdev vfio_iommu_type1 eadm_sch vfio ext4 mbcache jbd2 qeth_l2 bridge stp llc dasd_eckd_mod qeth dasd_mod\n qdio ccwgroup pkey zcrypt\n[ 2057.572739] CPU: 6 PID: 60182 Comm: stress_client Kdump: loaded Not tainted 4.18.0-541.el8.s390x #1\n[ 2057.572742] Hardware name: IBM 3931 A01 704 (LPAR)\n[ 2057.572744] Krnl PSW : 0704f00180000000 0000000000000002 (0x2)\n[ 2057.572748]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3\n[ 2057.572751] Krnl GPRS: 0000000000000004 0000000000000000 00000000a3b008d8 0000000000000000\n[ 2057.572754]            00000000a3b008d8 cb923a29c779abc5 0000000000000000 00000000814cfd80\n[ 2057.572756]            000000000000012c 0000000000000000 00000000a3b008d8 00000000a3b008d8\n[ 2057.572758]            00000000bab6d500 00000000814cfd80 0000000091317e46 00000000814cfc68\n[ 2057.572762] Krnl Code:#0000000000000000: 0000                illegal\n                         >0000000000000002: 0000                illegal\n                          0000000000000004: 0000                illegal\n                          0000000000000006: 0000                illegal\n                          0000000000000008: 0000                illegal\n                          000000000000000a: 0000                illegal\n                          000000000000000c: 0000                illegal\n                          000000000000000e: 0000                illegal\n[ 2057.572800] Call Trace:\n[ 2057.572801] ([<00000000ec639700>] 0xec639700)\n[ 2057.572803]  [<00000000913183e2>] net_rx_action+0x2ba/0x398\n[ 2057.572809]  [<0000000091515f76>] __do_softirq+0x11e/0x3a0\n[ 2057.572813]  [<0000000090ce160c>] do_softirq_own_stack+0x3c/0x58\n[ 2057.572817] ([<0000000090d2cbd6>] do_softirq.part.1+0x56/0x60)\n[ 2057.572822]  [<0000000090d2cc60>] __local_bh_enable_ip+0x80/0x98\n[ 2057.572825]  [<0000000091314706>] __dev_queue_xmit+0x2be/0xd70\n[ 2057.572827]  [<000003ff803dd6d6>] afiucv_hs_send+0x24e/0x300 [af_iucv]\n[ 2057.572830]  [<000003ff803dd88a>] iucv_send_ctrl+0x102/0x138 [af_iucv]\n[ 2057.572833]  [<000003ff803de72a>] iucv_sock_connect+0x37a/0x468 [af_iucv]\n[ 2057.572835]  [<00000000912e7e90>] __sys_connect+0xa0/0xd8\n[ 2057.572839]  [<00000000912e9580>] sys_socketcall+0x228/0x348\n[ 2057.572841]  [<0000000091514e1a>] system_call+0x2a6/0x2c8\n[ 2057.572843] Last Breaking-Event-Address:\n[ 2057.572844]  [<0000000091317e44>] __napi_poll+0x4c/0x1d8\n[ 2057.572846]\n[ 2057.572847] Kernel panic - not syncing: Fatal exception in interrupt\n-------------------------------------------------------------------------------------------\n\nAnalysis:\nThere is one napi structure per out_q: card->qdio.out_qs[i].napi\nThe napi.poll functions are set during qeth_open().\n\nSince\ncommit 1cfef80d4c2b (\"s390/qeth: Don't call dev_close/dev_open (DOWN/UP)\")\nqeth_set_offline()/qeth_set_online() no longer call dev_close()/\ndev_open(). So if qeth_free_qdio_queues() cleared\ncard->qdio.out_qs[i].napi.poll while the network interface was UP and the\ncard was offline, they are not set again.\n\nReproduction:\nchzdev -e $devno layer2=0\nip link set dev $network_interface up\necho 0 > /sys/bus/ccw\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/s390/net/qeth_core_main.c"],"versions":[{"version":"64e3affee2881bb22df7ce45dd1f1fd7990e382b","lessThan":"8792b557eb50b986f2496156d486d0c7c85a1524","status":"affected","versionType":"git"},{"version":"86818409f989fee29c38528ed8fb085655603356","lessThan":"10cb803aff3b11fe0bd5f274fc1c231a43e88df6","status":"affected","versionType":"git"},{"version":"1cfef80d4c2b2c599189f36f36320b205d9447d9","lessThan":"e28dd1e1bf3ebb52cdb877fb359e8978a51576e3","status":"affected","versionType":"git"},{"version":"1cfef80d4c2b2c599189f36f36320b205d9447d9","lessThan":"eae0aec245712c52a3ce9c05575b541a9eef5282","status":"affected","versionType":"git"},{"version":"1cfef80d4c2b2c599189f36f36320b205d9447d9","lessThan":"8a2e4d37afb8500b276e5ee903dee06f50ab0494","status":"affected","versionType":"git"},{"version":"c33d5a5c5b2c79326190885040f1643793c67b29","status":"affected","versionType":"git"},{"version":"29d6fe395087710280f8e11d4ae79569c4cb14b7","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/s390/net/qeth_core_main.c"],"versions":[{"version":"6.5","status":"affected"},{"version":"0","lessThan":"6.5","status":"unaffected","versionType":"semver"},{"version":"5.15.159","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.91","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.31","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.8.10","lessThanOrEqual":"6.8.*","status":"unaffected","versionType":"semver"},{"version":"6.9","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.126","versionEndExcluding":"5.15.159"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.45","versionEndExcluding":"6.1.91"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.6.31"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.8.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.190"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4.10"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/8792b557eb50b986f2496156d486d0c7c85a1524"},{"url":"https://git.kernel.org/stable/c/10cb803aff3b11fe0bd5f274fc1c231a43e88df6"},{"url":"https://git.kernel.org/stable/c/e28dd1e1bf3ebb52cdb877fb359e8978a51576e3"},{"url":"https://git.kernel.org/stable/c/eae0aec245712c52a3ce9c05575b541a9eef5282"},{"url":"https://git.kernel.org/stable/c/8a2e4d37afb8500b276e5ee903dee06f50ab0494"}],"title":"s390/qeth: Fix kernel panic after setting hsuid","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-noinfo Not enough information"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":4.4,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"HIGH","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"timestamp":"2024-05-31T18:29:03.569739Z","id":"CVE-2024-36928","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-11-06T15:55:40.336Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T03:43:50.063Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/8792b557eb50b986f2496156d486d0c7c85a1524","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/10cb803aff3b11fe0bd5f274fc1c231a43e88df6","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/e28dd1e1bf3ebb52cdb877fb359e8978a51576e3","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/eae0aec245712c52a3ce9c05575b541a9eef5282","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/8a2e4d37afb8500b276e5ee903dee06f50ab0494","tags":["x_transferred"]}]}]}}