{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-53214", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-11-19T17:17:25.023Z", "datePublished": "2024-12-27T13:49:59.555Z", "dateUpdated": "2025-05-04T09:56:06.212Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:56:06.212Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Properly hide first-in-list PCIe extended capability\n\nThere are cases where a PCIe extended capability should be hidden from\nthe user. For example, an unknown capability (i.e., capability with ID\ngreater than PCI_EXT_CAP_ID_MAX) or a capability that is intentionally\nchosen to be hidden from the user.\n\nHiding a capability is done by virtualizing and modifying the 'Next\nCapability Offset' field of the previous capability so it points to the\ncapability after the one that should be hidden.\n\nThe special case where the first capability in the list should be hidden\nis handled differently because there is no previous capability that can\nbe modified. In this case, the capability ID and version are zeroed\nwhile leaving the next pointer intact. This hides the capability and\nleaves an anchor for the rest of the capability list.\n\nHowever, today, hiding the first capability in the list is not done\nproperly if the capability is unknown, as struct\nvfio_pci_core_device->pci_config_map is set to the capability ID during\ninitialization but the capability ID is not properly checked later when\nused in vfio_config_do_rw(). This leads to the following warning [1] and\nto an out-of-bounds access to ecap_perms array.\n\nFix it by checking cap_id in vfio_config_do_rw(), and if it is greater\nthan PCI_EXT_CAP_ID_MAX, use an alternative struct perm_bits for direct\nread only access instead of the ecap_perms array.\n\nNote that this is safe since the above is the only case where cap_id can\nexceed PCI_EXT_CAP_ID_MAX (except for the special capabilities, which\nare already checked before).\n\n[1]\n\nWARNING: CPU: 118 PID: 5329 at drivers/vfio/pci/vfio_pci_config.c:1900 vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]\nCPU: 118 UID: 0 PID: 5329 Comm: simx-qemu-syste Not tainted 6.12.0+ #1\n(snip)\nCall Trace:\n <TASK>\n ? show_regs+0x69/0x80\n ? __warn+0x8d/0x140\n ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]\n ? report_bug+0x18f/0x1a0\n ? handle_bug+0x63/0xa0\n ? exc_invalid_op+0x19/0x70\n ? asm_exc_invalid_op+0x1b/0x20\n ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]\n ? vfio_pci_config_rw+0x244/0x430 [vfio_pci_core]\n vfio_pci_rw+0x101/0x1b0 [vfio_pci_core]\n vfio_pci_core_read+0x1d/0x30 [vfio_pci_core]\n vfio_device_fops_read+0x27/0x40 [vfio]\n vfs_read+0xbd/0x340\n ? vfio_device_fops_unl_ioctl+0xbb/0x740 [vfio]\n ? __rseq_handle_notify_resume+0xa4/0x4b0\n __x64_sys_pread64+0x96/0xc0\n x64_sys_call+0x1c3d/0x20d0\n do_syscall_64+0x4d/0x120\n entry_SYSCALL_64_after_hwframe+0x76/0x7e"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/vfio/pci/vfio_pci_config.c"], "versions": [{"version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153", "lessThan": "4464e5aa3aa4574063640f1082f7d7e323af8eb4", "status": "affected", "versionType": "git"}, {"version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153", "lessThan": "7d121f66b67921fb3b95e0ea9856bfba53733e91", "status": "affected", "versionType": "git"}, {"version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153", "lessThan": "0918f5643fc6c3f7801f4a22397d2cc09ba99207", "status": "affected", "versionType": "git"}, {"version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153", "lessThan": "9567bd34aa3b986736c290c5bcba47e0182ac47a", "status": "affected", "versionType": "git"}, {"version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153", "lessThan": "6c6502d944168cbd7e03a4a08ad6488f78d73485", "status": "affected", "versionType": "git"}, {"version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153", "lessThan": "06f2fcf49854ad05a09d09e0dbee6544fff04695", "status": "affected", "versionType": "git"}, {"version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153", "lessThan": "949bee8065a85a5c6607c624dc05b5bc17119699", "status": "affected", "versionType": "git"}, {"version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153", "lessThan": "1ef195178fb552478eb2587df4ad3be14ef76507", "status": "affected", "versionType": "git"}, {"version": "89e1f7d4c66d85f42c3d52ea3866eb10cadf6153", "lessThan": "fe4bf8d0b6716a423b16495d55b35d3fe515905d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/vfio/pci/vfio_pci_config.c"], "versions": [{"version": "3.6", "status": "affected"}, {"version": "0", "lessThan": "3.6", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.325", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.287", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.231", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.174", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.120", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.64", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.11.11", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.2", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "4.19.325"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "5.4.287"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "5.10.231"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "5.15.174"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "6.1.120"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "6.6.64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "6.11.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "6.12.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "6.13"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/4464e5aa3aa4574063640f1082f7d7e323af8eb4"}, {"url": "https://git.kernel.org/stable/c/7d121f66b67921fb3b95e0ea9856bfba53733e91"}, {"url": "https://git.kernel.org/stable/c/0918f5643fc6c3f7801f4a22397d2cc09ba99207"}, {"url": "https://git.kernel.org/stable/c/9567bd34aa3b986736c290c5bcba47e0182ac47a"}, {"url": "https://git.kernel.org/stable/c/6c6502d944168cbd7e03a4a08ad6488f78d73485"}, {"url": "https://git.kernel.org/stable/c/06f2fcf49854ad05a09d09e0dbee6544fff04695"}, {"url": "https://git.kernel.org/stable/c/949bee8065a85a5c6607c624dc05b5bc17119699"}, {"url": "https://git.kernel.org/stable/c/1ef195178fb552478eb2587df4ad3be14ef76507"}, {"url": "https://git.kernel.org/stable/c/fe4bf8d0b6716a423b16495d55b35d3fe515905d"}], "title": "vfio/pci: Properly hide first-in-list PCIe extended capability", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Properly hide first-in-list PCIe extended capability\n\nThere are cases where a PCIe extended capability should be hidden from\nthe user. For example, an unknown capability (i.e., capability with ID\ngreater than PCI_EXT_CAP_ID_MAX) or a capability that is intentionally\nchosen to be hidden from the user.\n\nHiding a capability is done by virtualizing and modifying the 'Next\nCapability Offset' field of the previous capability so it points to the\ncapability after the one that should be hidden.\n\nThe special case where the first capability in the list should be hidden\nis handled differently because there is no previous capability that can\nbe modified. In this case, the capability ID and version are zeroed\nwhile leaving the next pointer intact. This hides the capability and\nleaves an anchor for the rest of the capability list.\n\nHowever, today, hiding the first capability in the list is not done\nproperly if the capability is unknown, as struct\nvfio_pci_core_device->pci_config_map is set to the capability ID during\ninitialization but the capability ID is not properly checked later when\nused in vfio_config_do_rw(). This leads to the following warning [1] and\nto an out-of-bounds access to ecap_perms array.\n\nFix it by checking cap_id in vfio_config_do_rw(), and if it is greater\nthan PCI_EXT_CAP_ID_MAX, use an alternative struct perm_bits for direct\nread only access instead of the ecap_perms array.\n\nNote that this is safe since the above is the only case where cap_id can\nexceed PCI_EXT_CAP_ID_MAX (except for the special capabilities, which\nare already checked before).\n\n[1]\n\nWARNING: CPU: 118 PID: 5329 at drivers/vfio/pci/vfio_pci_config.c:1900 vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]\nCPU: 118 UID: 0 PID: 5329 Comm: simx-qemu-syste Not tainted 6.12.0+ #1\n(snip)\nCall Trace:\n <TASK>\n ? show_regs+0x69/0x80\n ? __warn+0x8d/0x140\n ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]\n ? report_bug+0x18f/0x1a0\n ? handle_bug+0x63/0xa0\n ? exc_invalid_op+0x19/0x70\n ? asm_exc_invalid_op+0x1b/0x20\n ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]\n ? vfio_pci_config_rw+0x244/0x430 [vfio_pci_core]\n vfio_pci_rw+0x101/0x1b0 [vfio_pci_core]\n vfio_pci_core_read+0x1d/0x30 [vfio_pci_core]\n vfio_device_fops_read+0x27/0x40 [vfio]\n vfs_read+0xbd/0x340\n ? vfio_device_fops_unl_ioctl+0xbb/0x740 [vfio]\n ? __rseq_handle_notify_resume+0xa4/0x4b0\n __x64_sys_pread64+0x96/0xc0\n x64_sys_call+0x1c3d/0x20d0\n do_syscall_64+0x4d/0x120\n entry_SYSCALL_64_after_hwframe+0x76/0x7e"}], "id": "CVE-2024-53214", "lastModified": "2024-12-27T14:15:29.337", "metrics": {}, "published": "2024-12-27T14:15:29.337", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/06f2fcf49854ad05a09d09e0dbee6544fff04695"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0918f5643fc6c3f7801f4a22397d2cc09ba99207"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1ef195178fb552478eb2587df4ad3be14ef76507"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4464e5aa3aa4574063640f1082f7d7e323af8eb4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6c6502d944168cbd7e03a4a08ad6488f78d73485"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7d121f66b67921fb3b95e0ea9856bfba53733e91"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/949bee8065a85a5c6607c624dc05b5bc17119699"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9567bd34aa3b986736c290c5bcba47e0182ac47a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fe4bf8d0b6716a423b16495d55b35d3fe515905d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"bugzilla": {"description": "kernel: vfio/pci: Properly hide first-in-list PCIe extended capability", "id": "2334387", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334387"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-20", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nvfio/pci: Properly hide first-in-list PCIe extended capability\nThere are cases where a PCIe extended capability should be hidden from\nthe user. For example, an unknown capability (i.e., capability with ID\ngreater than PCI_EXT_CAP_ID_MAX) or a capability that is intentionally\nchosen to be hidden from the user.\nHiding a capability is done by virtualizing and modifying the 'Next\nCapability Offset' field of the previous capability so it points to the\ncapability after the one that should be hidden.\nThe special case where the first capability in the list should be hidden\nis handled differently because there is no previous capability that can\nbe modified. In this case, the capability ID and version are zeroed\nwhile leaving the next pointer intact. This hides the capability and\nleaves an anchor for the rest of the capability list.\nHowever, today, hiding the first capability in the list is not done\nproperly if the capability is unknown, as struct\nvfio_pci_core_device->pci_config_map is set to the capability ID during\ninitialization but the capability ID is not properly checked later when\nused in vfio_config_do_rw(). This leads to the following warning [1] and\nto an out-of-bounds access to ecap_perms array.\nFix it by checking cap_id in vfio_config_do_rw(), and if it is greater\nthan PCI_EXT_CAP_ID_MAX, use an alternative struct perm_bits for direct\nread only access instead of the ecap_perms array.\nNote that this is safe since the above is the only case where cap_id can\nexceed PCI_EXT_CAP_ID_MAX (except for the special capabilities, which\nare already checked before).\n[1]\nWARNING: CPU: 118 PID: 5329 at drivers/vfio/pci/vfio_pci_config.c:1900 vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]\nCPU: 118 UID: 0 PID: 5329 Comm: simx-qemu-syste Not tainted 6.12.0+ #1\n(snip)\nCall Trace:\n<TASK>\n? show_regs+0x69/0x80\n? __warn+0x8d/0x140\n? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]\n? report_bug+0x18f/0x1a0\n? handle_bug+0x63/0xa0\n? exc_invalid_op+0x19/0x70\n? asm_exc_invalid_op+0x1b/0x20\n? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]\n? vfio_pci_config_rw+0x244/0x430 [vfio_pci_core]\nvfio_pci_rw+0x101/0x1b0 [vfio_pci_core]\nvfio_pci_core_read+0x1d/0x30 [vfio_pci_core]\nvfio_device_fops_read+0x27/0x40 [vfio]\nvfs_read+0xbd/0x340\n? vfio_device_fops_unl_ioctl+0xbb/0x740 [vfio]\n? __rseq_handle_notify_resume+0xa4/0x4b0\n__x64_sys_pread64+0x96/0xc0\nx64_sys_call+0x1c3d/0x20d0\ndo_syscall_64+0x4d/0x120\nentry_SYSCALL_64_after_hwframe+0x76/0x7e"], "name": "CVE-2024-53214", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-12-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-53214\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-53214\nhttps://lore.kernel.org/linux-cve-announce/2024122731-CVE-2024-53214-5fbf@gregkh/T"], "threat_severity": "Low"}