| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2022-48652: ice: Fix crash by keep old cfg when update TCs more than queues |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| ice: Fix crash by keep old cfg when update TCs more than queues |
| |
| There are problems if allocated queues less than Traffic Classes. |
| |
| Commit a632b2a4c920 ("ice: ethtool: Prohibit improper channel config |
| for DCB") already disallow setting less queues than TCs. |
| |
| Another case is if we first set less queues, and later update more TCs |
| config due to LLDP, ice_vsi_cfg_tc() will failed but left dirty |
| num_txq/rxq and tc_cfg in vsi, that will cause invalid pointer access. |
| |
| [ 95.968089] ice 0000:3b:00.1: More TCs defined than queues/rings allocated. |
| [ 95.968092] ice 0000:3b:00.1: Trying to use more Rx queues (8), than were allocated (1)! |
| [ 95.968093] ice 0000:3b:00.1: Failed to config TC for VSI index: 0 |
| [ 95.969621] general protection fault: 0000 [#1] SMP NOPTI |
| [ 95.969705] CPU: 1 PID: 58405 Comm: lldpad Kdump: loaded Tainted: G U W O --------- -t - 4.18.0 #1 |
| [ 95.969867] Hardware name: O.E.M/BC11SPSCB10, BIOS 8.23 12/30/2021 |
| [ 95.969992] RIP: 0010:devm_kmalloc+0xa/0x60 |
| [ 95.970052] Code: 5c ff ff ff 31 c0 5b 5d 41 5c c3 b8 f4 ff ff ff eb f4 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 89 d1 <8b> 97 60 02 00 00 48 8d 7e 18 48 39 f7 72 3f 55 89 ce 53 48 8b 4c |
| [ 95.970344] RSP: 0018:ffffc9003f553888 EFLAGS: 00010206 |
| [ 95.970425] RAX: dead000000000200 RBX: ffffea003c425b00 RCX: 00000000006080c0 |
| [ 95.970536] RDX: 00000000006080c0 RSI: 0000000000000200 RDI: dead000000000200 |
| [ 95.970648] RBP: dead000000000200 R08: 00000000000463c0 R09: ffff888ffa900000 |
| [ 95.970760] R10: 0000000000000000 R11: 0000000000000002 R12: ffff888ff6b40100 |
| [ 95.970870] R13: ffff888ff6a55018 R14: 0000000000000000 R15: ffff888ff6a55460 |
| [ 95.970981] FS: 00007f51b7d24700(0000) GS:ffff88903ee80000(0000) knlGS:0000000000000000 |
| [ 95.971108] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 |
| [ 95.971197] CR2: 00007fac5410d710 CR3: 0000000f2c1de002 CR4: 00000000007606e0 |
| [ 95.971309] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 |
| [ 95.971419] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 |
| [ 95.971530] PKRU: 55555554 |
| [ 95.971573] Call Trace: |
| [ 95.971622] ice_setup_rx_ring+0x39/0x110 [ice] |
| [ 95.971695] ice_vsi_setup_rx_rings+0x54/0x90 [ice] |
| [ 95.971774] ice_vsi_open+0x25/0x120 [ice] |
| [ 95.971843] ice_open_internal+0xb8/0x1f0 [ice] |
| [ 95.971919] ice_ena_vsi+0x4f/0xd0 [ice] |
| [ 95.971987] ice_dcb_ena_dis_vsi.constprop.5+0x29/0x90 [ice] |
| [ 95.972082] ice_pf_dcb_cfg+0x29a/0x380 [ice] |
| [ 95.972154] ice_dcbnl_setets+0x174/0x1b0 [ice] |
| [ 95.972220] dcbnl_ieee_set+0x89/0x230 |
| [ 95.972279] ? dcbnl_ieee_del+0x150/0x150 |
| [ 95.972341] dcb_doit+0x124/0x1b0 |
| [ 95.972392] rtnetlink_rcv_msg+0x243/0x2f0 |
| [ 95.972457] ? dcb_doit+0x14d/0x1b0 |
| [ 95.972510] ? __kmalloc_node_track_caller+0x1d3/0x280 |
| [ 95.972591] ? rtnl_calcit.isra.31+0x100/0x100 |
| [ 95.972661] netlink_rcv_skb+0xcf/0xf0 |
| [ 95.972720] netlink_unicast+0x16d/0x220 |
| [ 95.972781] netlink_sendmsg+0x2ba/0x3a0 |
| [ 95.975891] sock_sendmsg+0x4c/0x50 |
| [ 95.979032] ___sys_sendmsg+0x2e4/0x300 |
| [ 95.982147] ? kmem_cache_alloc+0x13e/0x190 |
| [ 95.985242] ? __wake_up_common_lock+0x79/0x90 |
| [ 95.988338] ? __check_object_size+0xac/0x1b0 |
| [ 95.991440] ? _copy_to_user+0x22/0x30 |
| [ 95.994539] ? move_addr_to_user+0xbb/0xd0 |
| [ 95.997619] ? __sys_sendmsg+0x53/0x80 |
| [ 96.000664] __sys_sendmsg+0x53/0x80 |
| [ 96.003747] do_syscall_64+0x5b/0x1d0 |
| [ 96.006862] entry_SYSCALL_64_after_hwframe+0x65/0xca |
| |
| Only update num_txq/rxq when passed check, and restore tc_cfg if setup |
| queue map failed. |
| |
| The Linux kernel CVE team has assigned CVE-2022-48652 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 5.19 with commit a632b2a4c920ce5af29410fb091f7ee6d2e77dc6 and fixed in 5.19.12 with commit 7c945e5b4787db47d728120b56c934ba05f99864 |
| Issue introduced in 5.19 with commit a632b2a4c920ce5af29410fb091f7ee6d2e77dc6 and fixed in 6.0 with commit a509702cac95a8b450228a037c8542f57e538e5b |
| Issue introduced in 5.18.8 with commit 4520c4bf4dca7aa285f30cb1ca8c08c531bbf0e9 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2022-48652 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| drivers/net/ethernet/intel/ice/ice_lib.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/7c945e5b4787db47d728120b56c934ba05f99864 |
| https://git.kernel.org/stable/c/a509702cac95a8b450228a037c8542f57e538e5b |
