CVE-2024-58006: PCI: dwc: ep: Prevent changing BAR size/flags in pci_epc_set_bar()
In the Linux kernel, the following vulnerability has been resolved:
PCI: dwc: ep: Prevent changing BAR size/flags in pci_epc_set_bar()
In commit 4284c88fff0e ("PCI: designware-ep: Allow pci_epc_set_bar() update
inbound map address") set_bar() was modified to support dynamically
changing the backing physical address of a BAR that was already configured.
This means that set_bar() can be called twice, without ever calling
clear_bar() (as calling clear_bar() would clear the BAR's PCI address
assigned by the host).
This can only be done if the new BAR size/flags does not differ from the
existing BAR configuration. Add these missing checks.
If we allow set_bar() to set e.g. a new BAR size that differs from the
existing BAR size, the new address translation range will be smaller than
the BAR size already determined by the host, which would mean that a read
past the new BAR size would pass the iATU untranslated, which could allow
the host to read memory not belonging to the new struct pci_epf_bar.
While at it, add comments which clarifies the support for dynamically
changing the physical address of a BAR. (Which was also missing.)
Security readout for executives and security teams
Plain-English summary
A Linux PCI endpoint bug could let a connected PCI host read memory outside the intended endpoint BAR mapping when BAR size or flags are changed incorrectly. The source does not provide CVSS, confirmed affected distributions, or exploitation evidence.
Executive priority
Treat as a targeted kernel exposure, not a broad internet-facing emergency based on current evidence. Prioritize asset identification and patch planning for PCI endpoint systems, especially embedded or appliance-like deployments using affected Linux kernels.
Technical view
The flaw is in Linux PCI DesignWare endpoint handling. pci_epc_set_bar() could be called again to change a BAR backing address, but lacked checks preventing size or flag changes. A smaller new iATU translation range than the host-assigned BAR could allow reads beyond the intended pci_epf_bar memory.
Likely exposure
Exposure appears limited to Linux systems using the PCI DesignWare endpoint path and affected kernel versions. The provided sources do not identify specific distributions, devices, cloud platforms, or default configurations as affected.
Exploitation context
The bundle does not show active exploitation, public exploit code, or KEV listing. The issue requires a PCI host interacting with an affected Linux endpoint BAR configuration path, so practical exposure depends on hardware role and driver use.
Researcher notes
Key behavior is the missing invariant check: re-setting an existing BAR must not change size or flags. The source states mismatched translation size versus host BAR size could let host reads pass iATU untranslated and reach unintended memory.
Mitigation direction
Apply vendor kernel updates that include the referenced Linux stable fixes.
Prioritize systems operating as PCI endpoints with DesignWare endpoint support.
Check distribution advisories for backported fixes and supported kernel package names.
Avoid custom kernel changes that alter BAR size or flags without the upstream checks.
Validation and detection
Inventory Linux kernels against CVE-2024-58006 and vendor security advisories.
Confirm whether PCI DesignWare endpoint functionality is enabled or used.
Review kernel changelogs for the referenced stable commits or CVE mention.
Validate remediation in staging before deploying kernel updates to endpoint devices.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-58006 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
4Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Feb 27, 2025, 02:12 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.