Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-cve / . / cve / published / 2024 / CVE-2024-39502.mbox
blob: f3ecb90276badd51f2eed30a92202cac34b189b6 [file] [log] [blame]
From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-39502: ionic: fix use after netif_napi_del()
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
ionic: fix use after netif_napi_del()
When queues are started, netif_napi_add() and napi_enable() are called.
If there are 4 queues and only 3 queues are used for the current
configuration, only 3 queues' napi should be registered and enabled.
The ionic_qcq_enable() checks whether the .poll pointer is not NULL for
enabling only the using queue' napi. Unused queues' napi will not be
registered by netif_napi_add(), so the .poll pointer indicates NULL.
But it couldn't distinguish whether the napi was unregistered or not
because netif_napi_del() doesn't reset the .poll pointer to NULL.
So, ionic_qcq_enable() calls napi_enable() for the queue, which was
unregistered by netif_napi_del().
Reproducer:
ethtool -L <interface name> rx 1 tx 1 combined 0
ethtool -L <interface name> rx 0 tx 0 combined 1
ethtool -L <interface name> rx 0 tx 0 combined 4
Splat looks like:
kernel BUG at net/core/dev.c:6666!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16
Workqueue: events ionic_lif_deferred_work [ionic]
RIP: 0010:napi_enable+0x3b/0x40
Code: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f
RSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28
RBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
R13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20
FS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0
PKRU: 55555554
Call Trace:
<TASK>
? die+0x33/0x90
? do_trap+0xd9/0x100
? napi_enable+0x3b/0x40
? do_error_trap+0x83/0xb0
? napi_enable+0x3b/0x40
? napi_enable+0x3b/0x40
? exc_invalid_op+0x4e/0x70
? napi_enable+0x3b/0x40
? asm_exc_invalid_op+0x16/0x20
? napi_enable+0x3b/0x40
ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
process_one_work+0x145/0x360
worker_thread+0x2bb/0x3d0
? __pfx_worker_thread+0x10/0x10
kthread+0xcc/0x100
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2d/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
The Linux kernel CVE team has assigned CVE-2024-39502 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.4 with commit 0f3154e6bcb354968cc04f7cd86ce466f7b9a814 and fixed in 5.4.279 with commit 0d19267cb150e8f76ade210e16ee820a77f684e7
Issue introduced in 5.4 with commit 0f3154e6bcb354968cc04f7cd86ce466f7b9a814 and fixed in 5.10.221 with commit ff9c2a9426ecf5b9631e9fd74993b357262387d6
Issue introduced in 5.4 with commit 0f3154e6bcb354968cc04f7cd86ce466f7b9a814 and fixed in 5.15.162 with commit 8edd18dab443863e9e48f084e7f123fca3065e4e
Issue introduced in 5.4 with commit 0f3154e6bcb354968cc04f7cd86ce466f7b9a814 and fixed in 6.1.95 with commit 60cd714871cd5a683353a355cbb17a685245cf84
Issue introduced in 5.4 with commit 0f3154e6bcb354968cc04f7cd86ce466f7b9a814 and fixed in 6.6.35 with commit 183ebc167a8a19e916b885d4bb61a3491991bfa5
Issue introduced in 5.4 with commit 0f3154e6bcb354968cc04f7cd86ce466f7b9a814 and fixed in 6.9.6 with commit a87d72b37b9ec2c1e18fe36b09241d8b30334a2e
Issue introduced in 5.4 with commit 0f3154e6bcb354968cc04f7cd86ce466f7b9a814 and fixed in 6.10 with commit 79f18a41dd056115d685f3b0a419c7cd40055e13
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-39502
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/net/ethernet/pensando/ionic/ionic_lif.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/0d19267cb150e8f76ade210e16ee820a77f684e7
https://git.kernel.org/stable/c/ff9c2a9426ecf5b9631e9fd74993b357262387d6
https://git.kernel.org/stable/c/8edd18dab443863e9e48f084e7f123fca3065e4e
https://git.kernel.org/stable/c/60cd714871cd5a683353a355cbb17a685245cf84
https://git.kernel.org/stable/c/183ebc167a8a19e916b885d4bb61a3491991bfa5
https://git.kernel.org/stable/c/a87d72b37b9ec2c1e18fe36b09241d8b30334a2e
https://git.kernel.org/stable/c/79f18a41dd056115d685f3b0a419c7cd40055e13