cve/published/2024/CVE-2024-45030.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-45030: igb: cope with large MAX_SKB_FRAGS

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 igb: cope with large MAX_SKB_FRAGS

 Sabrina reports that the igb driver does not cope well with large
 MAX_SKB_FRAG values: setting MAX_SKB_FRAG to 45 causes payload
 corruption on TX.

 An easy reproducer is to run ssh to connect to the machine.  With
 MAX_SKB_FRAGS=17 it works, with MAX_SKB_FRAGS=45 it fails.  This has
 been reported originally in
 https://bugzilla.redhat.com/show_bug.cgi?id=2265320

 The root cause of the issue is that the driver does not take into
 account properly the (possibly large) shared info size when selecting
 the ring layout, and will try to fit two packets inside the same 4K
 page even when the 1st fraglist will trump over the 2nd head.

 Address the issue by checking if 2K buffers are insufficient.

 The Linux kernel CVE team has assigned CVE-2024-45030 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.4 with commit 3948b05950fdd64002a5f182c65ba5cf2d53cf71 and fixed in 6.6.48 with commit 8ea80ff5d8298356d28077bc30913ed37df65109
 	Issue introduced in 6.4 with commit 3948b05950fdd64002a5f182c65ba5cf2d53cf71 and fixed in 6.10.7 with commit b52bd8bcb9e8ff250c79b44f9af8b15cae8911ab
 	Issue introduced in 6.4 with commit 3948b05950fdd64002a5f182c65ba5cf2d53cf71 and fixed in 6.11 with commit 8aba27c4a5020abdf60149239198297f88338a8d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-45030
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/intel/igb/igb_main.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8ea80ff5d8298356d28077bc30913ed37df65109
 	https://git.kernel.org/stable/c/b52bd8bcb9e8ff250c79b44f9af8b15cae8911ab
 	https://git.kernel.org/stable/c/8aba27c4a5020abdf60149239198297f88338a8d
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-45030: igb: cope with large MAX_SKB_FRAGS

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	igb: cope with large MAX_SKB_FRAGS

	Sabrina reports that the igb driver does not cope well with large
	MAX_SKB_FRAG values: setting MAX_SKB_FRAG to 45 causes payload
	corruption on TX.

	An easy reproducer is to run ssh to connect to the machine. With
	MAX_SKB_FRAGS=17 it works, with MAX_SKB_FRAGS=45 it fails. This has
	been reported originally in
	https://bugzilla.redhat.com/show_bug.cgi?id=2265320

	The root cause of the issue is that the driver does not take into
	account properly the (possibly large) shared info size when selecting
	the ring layout, and will try to fit two packets inside the same 4K
	page even when the 1st fraglist will trump over the 2nd head.

	Address the issue by checking if 2K buffers are insufficient.

	The Linux kernel CVE team has assigned CVE-2024-45030 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.4 with commit 3948b05950fdd64002a5f182c65ba5cf2d53cf71 and fixed in 6.6.48 with commit 8ea80ff5d8298356d28077bc30913ed37df65109
	Issue introduced in 6.4 with commit 3948b05950fdd64002a5f182c65ba5cf2d53cf71 and fixed in 6.10.7 with commit b52bd8bcb9e8ff250c79b44f9af8b15cae8911ab
	Issue introduced in 6.4 with commit 3948b05950fdd64002a5f182c65ba5cf2d53cf71 and fixed in 6.11 with commit 8aba27c4a5020abdf60149239198297f88338a8d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-45030
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/intel/igb/igb_main.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8ea80ff5d8298356d28077bc30913ed37df65109
	https://git.kernel.org/stable/c/b52bd8bcb9e8ff250c79b44f9af8b15cae8911ab
	https://git.kernel.org/stable/c/8aba27c4a5020abdf60149239198297f88338a8d