cve/published/2024/CVE-2024-50020.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50020: ice: Fix improper handling of refcount in ice_sriov_set_msix_vec_count()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ice: Fix improper handling of refcount in ice_sriov_set_msix_vec_count()

 This patch addresses an issue with improper reference count handling in the
 ice_sriov_set_msix_vec_count() function.

 First, the function calls ice_get_vf_by_id(), which increments the
 reference count of the vf pointer. If the subsequent call to
 ice_get_vf_vsi() fails, the function currently returns an error without
 decrementing the reference count of the vf pointer, leading to a reference
 count leak. The correct behavior, as implemented in this patch, is to
 decrement the reference count using ice_put_vf(vf) before returning an
 error when vsi is NULL.

 Second, the function calls ice_sriov_get_irqs(), which sets
 vf->first_vector_idx. If this call returns a negative value, indicating an
 error, the function returns an error without decrementing the reference
 count of the vf pointer, resulting in another reference count leak. The
 patch addresses this by adding a call to ice_put_vf(vf) before returning
 an error when vf->first_vector_idx < 0.

 This bug was identified by an experimental static analysis tool developed
 by our team. The tool specializes in analyzing reference count operations
 and identifying potential mismanagement of reference counts. In this case,
 the tool flagged the missing decrement operation as a potential issue,
 leading to this patch.

 The Linux kernel CVE team has assigned CVE-2024-50020 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.7 with commit 4d38cb44bd321c81da3457cfbc38501ed8cb6714 and fixed in 6.11.4 with commit 416dbb815ca69684de148328990ba0ec53e6dbc1
 	Issue introduced in 6.7 with commit 4d38cb44bd321c81da3457cfbc38501ed8cb6714 and fixed in 6.12 with commit d517cf89874c6039e6294b18d66f40988e62502a

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50020
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/intel/ice/ice_sriov.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/416dbb815ca69684de148328990ba0ec53e6dbc1
 	https://git.kernel.org/stable/c/d517cf89874c6039e6294b18d66f40988e62502a
	From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50020: ice: Fix improper handling of refcount in ice_sriov_set_msix_vec_count()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ice: Fix improper handling of refcount in ice_sriov_set_msix_vec_count()

	This patch addresses an issue with improper reference count handling in the
	ice_sriov_set_msix_vec_count() function.

	First, the function calls ice_get_vf_by_id(), which increments the
	reference count of the vf pointer. If the subsequent call to
	ice_get_vf_vsi() fails, the function currently returns an error without
	decrementing the reference count of the vf pointer, leading to a reference
	count leak. The correct behavior, as implemented in this patch, is to
	decrement the reference count using ice_put_vf(vf) before returning an
	error when vsi is NULL.

	Second, the function calls ice_sriov_get_irqs(), which sets
	vf->first_vector_idx. If this call returns a negative value, indicating an
	error, the function returns an error without decrementing the reference
	count of the vf pointer, resulting in another reference count leak. The
	patch addresses this by adding a call to ice_put_vf(vf) before returning
	an error when vf->first_vector_idx < 0.

	This bug was identified by an experimental static analysis tool developed
	by our team. The tool specializes in analyzing reference count operations
	and identifying potential mismanagement of reference counts. In this case,
	the tool flagged the missing decrement operation as a potential issue,
	leading to this patch.

	The Linux kernel CVE team has assigned CVE-2024-50020 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.7 with commit 4d38cb44bd321c81da3457cfbc38501ed8cb6714 and fixed in 6.11.4 with commit 416dbb815ca69684de148328990ba0ec53e6dbc1
	Issue introduced in 6.7 with commit 4d38cb44bd321c81da3457cfbc38501ed8cb6714 and fixed in 6.12 with commit d517cf89874c6039e6294b18d66f40988e62502a

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50020
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/intel/ice/ice_sriov.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/416dbb815ca69684de148328990ba0ec53e6dbc1
	https://git.kernel.org/stable/c/d517cf89874c6039e6294b18d66f40988e62502a