HIGH
pci ASPM LinkState UAF
CVE-2024-58093
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

PCI/ASPM: Fix link state exit during switch upstream function removal

Before 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free"), we would free the ASPM link only after the last function on the bus pertaining to the given link was removed. That was too late. If function 0 is removed before sibling function, link->downstream would point to free'd memory after.

After above change, we freed the ASPM parent link state upon any function removal on the bus pertaining to a given link. That is too early. If the link is to a PCIe switch with MFD on the upstream port, then removing functions other than 0 first would free a link which still remains parent_link to the remaining downstream ports.

The resulting GPFs are especially frequent during hot-unplug, because pciehp removes devices on the link bus in reverse order.

On that switch, function 0 is the virtual P2P bridge to the internal bus. Free exactly when function 0 is removed -- before the parent link is obsolete, but after all subordinate links are gone.

[kwilczynski: commit log]
02 KernelScan AI Analysis
Risk summary
A use-after-free in the PCI ASPM subsystem can crash the kernel with a general protection fault (GPF) during PCIe device hot-unplug. It is triggered when the functions of a multi-function device on a PCIe switch's upstream port are removed in an order that takes a non-zero function before function 0: the ASPM link state is freed while the remaining downstream ports still reference it as their parent_link. The bug primarily affects systems with hot-pluggable PCIe devices and its practical impact is system instability or denial of service.
Vulnerability analysis
Root Cause: The PCI ASPM (Active State Power Management) subsystem freed its link state structures at the wrong point during multi-function device removal. An earlier fix (456d8aa37d0f) addressed a use-after-free by freeing the ASPM parent link state on removal of any function of the device, but that is too early. When a non-zero function of a multi-function device on a PCIe switch's upstream port is removed first, the link state is freed while the remaining downstream ports still reference it through parent_link; any later access through that pointer is a use-after-free.
Attack Surface: The vulnerability is reached through PCI device hot-unplug, and is especially likely when PCIe hotplug (pciehp) removes the devices on a bus in reverse order, so that function 0 goes last. It affects systems with PCIe switches whose upstream port is a multi-function device. The trigger is device removal itself, either physical hot-unplug or the device's sysfs remove attribute, so the bug is reachable by local users who hold the permissions needed to remove a device, consistent with the local, low-privilege CVSS vector above.
Fix Mechanism: The patch frees the parent link state only when function 0 (the virtual P2P bridge to the switch's internal bus) is removed. This guarantees that (1) the link state stays valid for every subordinate downstream port until function 0 is removed, and (2) the free still happens before the parent link becomes obsolete. Concretely, the fix adds the check `if (pdev != link->downstream) goto out;` to the link-state exit path: link->downstream refers to function 0 of the device at the far end of the link, so the comparison skips the cleanup for every other function and lets only the removal of function 0 release the link.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.11 | 5.11 | — |
| 5.16 | 5.16 | — |
| 5.5 | 5.5 | cbf937dcadfd |
| 6.2 | 6.2 | — |
| 6.4 | 6.4 | — |
| 6.5 | 6.5 | — |
| mainline | 6.15 | — |