cve/published/2024/CVE-2024-46679.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-46679: ethtool: check device is present when getting link settings

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ethtool: check device is present when getting link settings

 A sysfs reader can race with a device reset or removal, attempting to
 read device state when the device is not actually present. eg:

      [exception RIP: qed_get_current_link+17]
   #8 [ffffb9e4f2907c48] qede_get_link_ksettings at ffffffffc07a994a [qede]
   #9 [ffffb9e4f2907cd8] __rh_call_get_link_ksettings at ffffffff992b01a3
  #10 [ffffb9e4f2907d38] __ethtool_get_link_ksettings at ffffffff992b04e4
  #11 [ffffb9e4f2907d90] duplex_show at ffffffff99260300
  #12 [ffffb9e4f2907e38] dev_attr_show at ffffffff9905a01c
  #13 [ffffb9e4f2907e50] sysfs_kf_seq_show at ffffffff98e0145b
  #14 [ffffb9e4f2907e68] seq_read at ffffffff98d902e3
  #15 [ffffb9e4f2907ec8] vfs_read at ffffffff98d657d1
  #16 [ffffb9e4f2907f00] ksys_read at ffffffff98d65c3f
  #17 [ffffb9e4f2907f38] do_syscall_64 at ffffffff98a052fb

  crash> struct net_device.state ffff9a9d21336000
     state = 5,

 state 5 is __LINK_STATE_START (0b1) and __LINK_STATE_NOCARRIER (0b100).
 The device is not present, note lack of __LINK_STATE_PRESENT (0b10).

 This is the same sort of panic as observed in commit 4224cfd7fb65
 ("net-sysfs: add check for netdevice being present to speed_show").

 There are many other callers of __ethtool_get_link_ksettings() which
 don't have a device presence check.

 Move this check into ethtool to protect all callers.

 The Linux kernel CVE team has assigned CVE-2024-46679 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.33 with commit d519e17e2d01a0ee9abe083019532061b4438065 and fixed in 5.4.283 with commit ec7b4f7f644018ac293cb1b02528a40a32917e62
 	Issue introduced in 2.6.33 with commit d519e17e2d01a0ee9abe083019532061b4438065 and fixed in 5.10.225 with commit 842a40c7273ba1c1cb30dda50405b328de1d860e
 	Issue introduced in 2.6.33 with commit d519e17e2d01a0ee9abe083019532061b4438065 and fixed in 5.15.166 with commit 7a8d98b6d6484d3ad358510366022da080c37cbc
 	Issue introduced in 2.6.33 with commit d519e17e2d01a0ee9abe083019532061b4438065 and fixed in 6.1.108 with commit 9bba5955eed160102114d4cc00c3d399be9bdae4
 	Issue introduced in 2.6.33 with commit d519e17e2d01a0ee9abe083019532061b4438065 and fixed in 6.6.49 with commit 94ab317024ba373d37340893d1c0358638935fbb
 	Issue introduced in 2.6.33 with commit d519e17e2d01a0ee9abe083019532061b4438065 and fixed in 6.10.8 with commit 1d6d9b5b1b95bfeccb84386a51b7e6c510ec13b2
 	Issue introduced in 2.6.33 with commit d519e17e2d01a0ee9abe083019532061b4438065 and fixed in 6.11 with commit a699781c79ecf6cfe67fb00a0331b4088c7c8466

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-46679
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/core/net-sysfs.c
 	net/ethtool/ioctl.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/ec7b4f7f644018ac293cb1b02528a40a32917e62
 	https://git.kernel.org/stable/c/842a40c7273ba1c1cb30dda50405b328de1d860e
 	https://git.kernel.org/stable/c/7a8d98b6d6484d3ad358510366022da080c37cbc
 	https://git.kernel.org/stable/c/9bba5955eed160102114d4cc00c3d399be9bdae4
 	https://git.kernel.org/stable/c/94ab317024ba373d37340893d1c0358638935fbb
 	https://git.kernel.org/stable/c/1d6d9b5b1b95bfeccb84386a51b7e6c510ec13b2
 	https://git.kernel.org/stable/c/a699781c79ecf6cfe67fb00a0331b4088c7c8466
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-46679: ethtool: check device is present when getting link settings

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ethtool: check device is present when getting link settings

	A sysfs reader can race with a device reset or removal, attempting to
	read device state when the device is not actually present. eg:

	[exception RIP: qed_get_current_link+17]
	#8 [ffffb9e4f2907c48] qede_get_link_ksettings at ffffffffc07a994a [qede]
	#9 [ffffb9e4f2907cd8] __rh_call_get_link_ksettings at ffffffff992b01a3
	#10 [ffffb9e4f2907d38] __ethtool_get_link_ksettings at ffffffff992b04e4
	#11 [ffffb9e4f2907d90] duplex_show at ffffffff99260300
	#12 [ffffb9e4f2907e38] dev_attr_show at ffffffff9905a01c
	#13 [ffffb9e4f2907e50] sysfs_kf_seq_show at ffffffff98e0145b
	#14 [ffffb9e4f2907e68] seq_read at ffffffff98d902e3
	#15 [ffffb9e4f2907ec8] vfs_read at ffffffff98d657d1
	#16 [ffffb9e4f2907f00] ksys_read at ffffffff98d65c3f
	#17 [ffffb9e4f2907f38] do_syscall_64 at ffffffff98a052fb

	crash> struct net_device.state ffff9a9d21336000
	state = 5,

	state 5 is __LINK_STATE_START (0b1) and __LINK_STATE_NOCARRIER (0b100).
	The device is not present, note lack of __LINK_STATE_PRESENT (0b10).

	This is the same sort of panic as observed in commit 4224cfd7fb65
	("net-sysfs: add check for netdevice being present to speed_show").

	There are many other callers of __ethtool_get_link_ksettings() which
	don't have a device presence check.

	Move this check into ethtool to protect all callers.

	The Linux kernel CVE team has assigned CVE-2024-46679 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.33 with commit d519e17e2d01a0ee9abe083019532061b4438065 and fixed in 5.4.283 with commit ec7b4f7f644018ac293cb1b02528a40a32917e62
	Issue introduced in 2.6.33 with commit d519e17e2d01a0ee9abe083019532061b4438065 and fixed in 5.10.225 with commit 842a40c7273ba1c1cb30dda50405b328de1d860e
	Issue introduced in 2.6.33 with commit d519e17e2d01a0ee9abe083019532061b4438065 and fixed in 5.15.166 with commit 7a8d98b6d6484d3ad358510366022da080c37cbc
	Issue introduced in 2.6.33 with commit d519e17e2d01a0ee9abe083019532061b4438065 and fixed in 6.1.108 with commit 9bba5955eed160102114d4cc00c3d399be9bdae4
	Issue introduced in 2.6.33 with commit d519e17e2d01a0ee9abe083019532061b4438065 and fixed in 6.6.49 with commit 94ab317024ba373d37340893d1c0358638935fbb
	Issue introduced in 2.6.33 with commit d519e17e2d01a0ee9abe083019532061b4438065 and fixed in 6.10.8 with commit 1d6d9b5b1b95bfeccb84386a51b7e6c510ec13b2
	Issue introduced in 2.6.33 with commit d519e17e2d01a0ee9abe083019532061b4438065 and fixed in 6.11 with commit a699781c79ecf6cfe67fb00a0331b4088c7c8466

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-46679
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/core/net-sysfs.c
	net/ethtool/ioctl.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/ec7b4f7f644018ac293cb1b02528a40a32917e62
	https://git.kernel.org/stable/c/842a40c7273ba1c1cb30dda50405b328de1d860e
	https://git.kernel.org/stable/c/7a8d98b6d6484d3ad358510366022da080c37cbc
	https://git.kernel.org/stable/c/9bba5955eed160102114d4cc00c3d399be9bdae4
	https://git.kernel.org/stable/c/94ab317024ba373d37340893d1c0358638935fbb
	https://git.kernel.org/stable/c/1d6d9b5b1b95bfeccb84386a51b7e6c510ec13b2
	https://git.kernel.org/stable/c/a699781c79ecf6cfe67fb00a0331b4088c7c8466