cve/published/2024/CVE-2024-40923.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-40923: vmxnet3: disable rx data ring on dma allocation failure

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 vmxnet3: disable rx data ring on dma allocation failure

 When vmxnet3_rq_create() fails to allocate memory for rq->data_ring.base,
 the subsequent call to vmxnet3_rq_destroy_all_rxdataring does not reset
 rq->data_ring.desc_size for the data ring that failed, which presumably
 causes the hypervisor to reference it on packet reception.

 To fix this bug, rq->data_ring.desc_size needs to be set to 0 to tell
 the hypervisor to disable this feature.

 [   95.436876] kernel BUG at net/core/skbuff.c:207!
 [   95.439074] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
 [   95.440411] CPU: 7 PID: 0 Comm: swapper/7 Not tainted 6.9.3-dirty #1
 [   95.441558] Hardware name: VMware, Inc. VMware Virtual
 Platform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018
 [   95.443481] RIP: 0010:skb_panic+0x4d/0x4f
 [   95.444404] Code: 4f 70 50 8b 87 c0 00 00 00 50 8b 87 bc 00 00 00 50
 ff b7 d0 00 00 00 4c 8b 8f c8 00 00 00 48 c7 c7 68 e8 be 9f e8 63 58 f9
 ff <0f> 0b 48 8b 14 24 48 c7 c1 d0 73 65 9f e8 a1 ff ff ff 48 8b 14 24
 [   95.447684] RSP: 0018:ffffa13340274dd0 EFLAGS: 00010246
 [   95.448762] RAX: 0000000000000089 RBX: ffff8fbbc72b02d0 RCX: 000000000000083f
 [   95.450148] RDX: 0000000000000000 RSI: 00000000000000f6 RDI: 000000000000083f
 [   95.451520] RBP: 000000000000002d R08: 0000000000000000 R09: ffffa13340274c60
 [   95.452886] R10: ffffffffa04ed468 R11: 0000000000000002 R12: 0000000000000000
 [   95.454293] R13: ffff8fbbdab3c2d0 R14: ffff8fbbdbd829e0 R15: ffff8fbbdbd809e0
 [   95.455682] FS:  0000000000000000(0000) GS:ffff8fbeefd80000(0000) knlGS:0000000000000000
 [   95.457178] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [   95.458340] CR2: 00007fd0d1f650c8 CR3: 0000000115f28000 CR4: 00000000000406f0
 [   95.459791] Call Trace:
 [   95.460515]  <IRQ>
 [   95.461180]  ? __die_body.cold+0x19/0x27
 [   95.462150]  ? die+0x2e/0x50
 [   95.462976]  ? do_trap+0xca/0x110
 [   95.463973]  ? do_error_trap+0x6a/0x90
 [   95.464966]  ? skb_panic+0x4d/0x4f
 [   95.465901]  ? exc_invalid_op+0x50/0x70
 [   95.466849]  ? skb_panic+0x4d/0x4f
 [   95.467718]  ? asm_exc_invalid_op+0x1a/0x20
 [   95.468758]  ? skb_panic+0x4d/0x4f
 [   95.469655]  skb_put.cold+0x10/0x10
 [   95.470573]  vmxnet3_rq_rx_complete+0x862/0x11e0 [vmxnet3]
 [   95.471853]  vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3]
 [   95.473185]  __napi_poll+0x2b/0x160
 [   95.474145]  net_rx_action+0x2c6/0x3b0
 [   95.475115]  handle_softirqs+0xe7/0x2a0
 [   95.476122]  __irq_exit_rcu+0x97/0xb0
 [   95.477109]  common_interrupt+0x85/0xa0
 [   95.478102]  </IRQ>
 [   95.478846]  <TASK>
 [   95.479603]  asm_common_interrupt+0x26/0x40
 [   95.480657] RIP: 0010:pv_native_safe_halt+0xf/0x20
 [   95.481801] Code: 22 d7 e9 54 87 01 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 93 ba 3b 00 fb f4 <e9> 2c 87 01 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90
 [   95.485563] RSP: 0018:ffffa133400ffe58 EFLAGS: 00000246
 [   95.486882] RAX: 0000000000004000 RBX: ffff8fbbc1d14064 RCX: 0000000000000000
 [   95.488477] RDX: ffff8fbeefd80000 RSI: ffff8fbbc1d14000 RDI: 0000000000000001
 [   95.490067] RBP: ffff8fbbc1d14064 R08: ffffffffa0652260 R09: 00000000000010d3
 [   95.491683] R10: 0000000000000018 R11: ffff8fbeefdb4764 R12: ffffffffa0652260
 [   95.493389] R13: ffffffffa06522e0 R14: 0000000000000001 R15: 0000000000000000
 [   95.495035]  acpi_safe_halt+0x14/0x20
 [   95.496127]  acpi_idle_do_entry+0x2f/0x50
 [   95.497221]  acpi_idle_enter+0x7f/0xd0
 [   95.498272]  cpuidle_enter_state+0x81/0x420
 [   95.499375]  cpuidle_enter+0x2d/0x40
 [   95.500400]  do_idle+0x1e5/0x240
 [   95.501385]  cpu_startup_entry+0x29/0x30
 [   95.502422]  start_secondary+0x11c/0x140
 [   95.503454]  common_startup_64+0x13e/0x141
 [   95.504466]  </TASK>
 [   95.505197] Modules linked in: nft_fib_inet nft_fib_ipv4
 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6
 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6
 nf_defrag_ipv4 rfkill ip_set nf_tables vsock_loopback
 vmw_vsock_virtio_transport_common qrtr vmw_vsock_vmci_transport vsock
 sunrpc binfmt_misc pktcdvd vmw_balloon pcspkr vmw_vmci i2c_piix4 joydev
 loop dm_multipath nfnetlink zram crct10dif_pclmul crc32_pclmul vmwgfx
 crc32c_intel polyval_clmulni polyval_generic ghash_clmulni_intel
 sha512_ssse3 sha256_ssse3 vmxnet3 sha1_ssse3 drm_ttm_helper vmw_pvscsi
 ttm ata_generic pata_acpi serio_raw scsi_dh_rdac scsi_dh_emc
 scsi_dh_alua ip6_tables ip_tables fuse
 [   95.516536] ---[ end trace 0000000000000000 ]---

 The Linux kernel CVE team has assigned CVE-2024-40923 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.3 with commit 6f4833383e8514ea796d094e05c24889b8997fde and fixed in 6.6.35 with commit 9ee14af24e67ef170108db547f7d1f701b3f2bc5
 	Issue introduced in 6.3 with commit 6f4833383e8514ea796d094e05c24889b8997fde and fixed in 6.9.6 with commit aa116ae9d169e28b692292460aed27fc44f4a017
 	Issue introduced in 6.3 with commit 6f4833383e8514ea796d094e05c24889b8997fde and fixed in 6.10 with commit ffbe335b8d471f79b259e950cb20999700670456

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-40923
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/vmxnet3/vmxnet3_drv.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/9ee14af24e67ef170108db547f7d1f701b3f2bc5
 	https://git.kernel.org/stable/c/aa116ae9d169e28b692292460aed27fc44f4a017
 	https://git.kernel.org/stable/c/ffbe335b8d471f79b259e950cb20999700670456
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-40923: vmxnet3: disable rx data ring on dma allocation failure

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	vmxnet3: disable rx data ring on dma allocation failure

	When vmxnet3_rq_create() fails to allocate memory for rq->data_ring.base,
	the subsequent call to vmxnet3_rq_destroy_all_rxdataring does not reset
	rq->data_ring.desc_size for the data ring that failed, which presumably
	causes the hypervisor to reference it on packet reception.

	To fix this bug, rq->data_ring.desc_size needs to be set to 0 to tell
	the hypervisor to disable this feature.

	[ 95.436876] kernel BUG at net/core/skbuff.c:207!
	[ 95.439074] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
	[ 95.440411] CPU: 7 PID: 0 Comm: swapper/7 Not tainted 6.9.3-dirty #1
	[ 95.441558] Hardware name: VMware, Inc. VMware Virtual
	Platform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018
	[ 95.443481] RIP: 0010:skb_panic+0x4d/0x4f
	[ 95.444404] Code: 4f 70 50 8b 87 c0 00 00 00 50 8b 87 bc 00 00 00 50
	ff b7 d0 00 00 00 4c 8b 8f c8 00 00 00 48 c7 c7 68 e8 be 9f e8 63 58 f9
	ff <0f> 0b 48 8b 14 24 48 c7 c1 d0 73 65 9f e8 a1 ff ff ff 48 8b 14 24
	[ 95.447684] RSP: 0018:ffffa13340274dd0 EFLAGS: 00010246
	[ 95.448762] RAX: 0000000000000089 RBX: ffff8fbbc72b02d0 RCX: 000000000000083f
	[ 95.450148] RDX: 0000000000000000 RSI: 00000000000000f6 RDI: 000000000000083f
	[ 95.451520] RBP: 000000000000002d R08: 0000000000000000 R09: ffffa13340274c60
	[ 95.452886] R10: ffffffffa04ed468 R11: 0000000000000002 R12: 0000000000000000
	[ 95.454293] R13: ffff8fbbdab3c2d0 R14: ffff8fbbdbd829e0 R15: ffff8fbbdbd809e0
	[ 95.455682] FS: 0000000000000000(0000) GS:ffff8fbeefd80000(0000) knlGS:0000000000000000
	[ 95.457178] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[ 95.458340] CR2: 00007fd0d1f650c8 CR3: 0000000115f28000 CR4: 00000000000406f0
	[ 95.459791] Call Trace:
	[ 95.460515] <IRQ>
	[ 95.461180] ? __die_body.cold+0x19/0x27
	[ 95.462150] ? die+0x2e/0x50
	[ 95.462976] ? do_trap+0xca/0x110
	[ 95.463973] ? do_error_trap+0x6a/0x90
	[ 95.464966] ? skb_panic+0x4d/0x4f
	[ 95.465901] ? exc_invalid_op+0x50/0x70
	[ 95.466849] ? skb_panic+0x4d/0x4f
	[ 95.467718] ? asm_exc_invalid_op+0x1a/0x20
	[ 95.468758] ? skb_panic+0x4d/0x4f
	[ 95.469655] skb_put.cold+0x10/0x10
	[ 95.470573] vmxnet3_rq_rx_complete+0x862/0x11e0 [vmxnet3]
	[ 95.471853] vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3]
	[ 95.473185] __napi_poll+0x2b/0x160
	[ 95.474145] net_rx_action+0x2c6/0x3b0
	[ 95.475115] handle_softirqs+0xe7/0x2a0
	[ 95.476122] __irq_exit_rcu+0x97/0xb0
	[ 95.477109] common_interrupt+0x85/0xa0
	[ 95.478102] </IRQ>
	[ 95.478846] <TASK>
	[ 95.479603] asm_common_interrupt+0x26/0x40
	[ 95.480657] RIP: 0010:pv_native_safe_halt+0xf/0x20
	[ 95.481801] Code: 22 d7 e9 54 87 01 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 93 ba 3b 00 fb f4 <e9> 2c 87 01 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90
	[ 95.485563] RSP: 0018:ffffa133400ffe58 EFLAGS: 00000246
	[ 95.486882] RAX: 0000000000004000 RBX: ffff8fbbc1d14064 RCX: 0000000000000000
	[ 95.488477] RDX: ffff8fbeefd80000 RSI: ffff8fbbc1d14000 RDI: 0000000000000001
	[ 95.490067] RBP: ffff8fbbc1d14064 R08: ffffffffa0652260 R09: 00000000000010d3
	[ 95.491683] R10: 0000000000000018 R11: ffff8fbeefdb4764 R12: ffffffffa0652260
	[ 95.493389] R13: ffffffffa06522e0 R14: 0000000000000001 R15: 0000000000000000
	[ 95.495035] acpi_safe_halt+0x14/0x20
	[ 95.496127] acpi_idle_do_entry+0x2f/0x50
	[ 95.497221] acpi_idle_enter+0x7f/0xd0
	[ 95.498272] cpuidle_enter_state+0x81/0x420
	[ 95.499375] cpuidle_enter+0x2d/0x40
	[ 95.500400] do_idle+0x1e5/0x240
	[ 95.501385] cpu_startup_entry+0x29/0x30
	[ 95.502422] start_secondary+0x11c/0x140
	[ 95.503454] common_startup_64+0x13e/0x141
	[ 95.504466] </TASK>
	[ 95.505197] Modules linked in: nft_fib_inet nft_fib_ipv4
	nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6
	nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6
	nf_defrag_ipv4 rfkill ip_set nf_tables vsock_loopback
	vmw_vsock_virtio_transport_common qrtr vmw_vsock_vmci_transport vsock
	sunrpc binfmt_misc pktcdvd vmw_balloon pcspkr vmw_vmci i2c_piix4 joydev
	loop dm_multipath nfnetlink zram crct10dif_pclmul crc32_pclmul vmwgfx
	crc32c_intel polyval_clmulni polyval_generic ghash_clmulni_intel
	sha512_ssse3 sha256_ssse3 vmxnet3 sha1_ssse3 drm_ttm_helper vmw_pvscsi
	ttm ata_generic pata_acpi serio_raw scsi_dh_rdac scsi_dh_emc
	scsi_dh_alua ip6_tables ip_tables fuse
	[ 95.516536] ---[ end trace 0000000000000000 ]---

	The Linux kernel CVE team has assigned CVE-2024-40923 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.3 with commit 6f4833383e8514ea796d094e05c24889b8997fde and fixed in 6.6.35 with commit 9ee14af24e67ef170108db547f7d1f701b3f2bc5
	Issue introduced in 6.3 with commit 6f4833383e8514ea796d094e05c24889b8997fde and fixed in 6.9.6 with commit aa116ae9d169e28b692292460aed27fc44f4a017
	Issue introduced in 6.3 with commit 6f4833383e8514ea796d094e05c24889b8997fde and fixed in 6.10 with commit ffbe335b8d471f79b259e950cb20999700670456

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-40923
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/vmxnet3/vmxnet3_drv.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/9ee14af24e67ef170108db547f7d1f701b3f2bc5
	https://git.kernel.org/stable/c/aa116ae9d169e28b692292460aed27fc44f4a017
	https://git.kernel.org/stable/c/ffbe335b8d471f79b259e950cb20999700670456