cve/published/2024/CVE-2024-46770.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-46770: ice: Add netif_device_attach/detach into PF reset flow

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ice: Add netif_device_attach/detach into PF reset flow

 Ethtool callbacks can be executed while reset is in progress and try to
 access deleted resources, e.g. getting coalesce settings can result in a
 NULL pointer dereference seen below.

 Reproduction steps:
 Once the driver is fully initialized, trigger reset:
 	# echo 1 > /sys/class/net/<interface>/device/reset
 when reset is in progress try to get coalesce settings using ethtool:
 	# ethtool -c <interface>

 BUG: kernel NULL pointer dereference, address: 0000000000000020
 PGD 0 P4D 0
 Oops: Oops: 0000 [#1] PREEMPT SMP PTI
 CPU: 11 PID: 19713 Comm: ethtool Tainted: G S                 6.10.0-rc7+ #7
 RIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice]
 RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206
 RAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000
 RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588
 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
 R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000
 R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40
 FS:  00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0
 Call Trace:
 <TASK>
 ice_get_coalesce+0x17/0x30 [ice]
 coalesce_prepare_data+0x61/0x80
 ethnl_default_doit+0xde/0x340
 genl_family_rcv_msg_doit+0xf2/0x150
 genl_rcv_msg+0x1b3/0x2c0
 netlink_rcv_skb+0x5b/0x110
 genl_rcv+0x28/0x40
 netlink_unicast+0x19c/0x290
 netlink_sendmsg+0x222/0x490
 __sys_sendto+0x1df/0x1f0
 __x64_sys_sendto+0x24/0x30
 do_syscall_64+0x82/0x160
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
 RIP: 0033:0x7faee60d8e27

 Calling netif_device_detach() before reset makes the net core not call
 the driver when ethtool command is issued, the attempt to execute an
 ethtool command during reset will result in the following message:

     netlink error: No such device

 instead of NULL pointer dereference. Once reset is done and
 ice_rebuild() is executing, the netif_device_attach() is called to allow
 for ethtool operations to occur again in a safe manner.

 The Linux kernel CVE team has assigned CVE-2024-46770 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.17 with commit fcea6f3da546b93050f3534aadea7bd96c1d7349 and fixed in 6.1.110 with commit 9e3ffb839249eca113062587659224f856fe14e5
 	Issue introduced in 4.17 with commit fcea6f3da546b93050f3534aadea7bd96c1d7349 and fixed in 6.6.51 with commit efe8effe138044a4747d1112ebb8c454d1663723
 	Issue introduced in 4.17 with commit fcea6f3da546b93050f3534aadea7bd96c1d7349 and fixed in 6.10.10 with commit 36486c9e8e01b84faaee47203eac0b7e9cc7fa4a
 	Issue introduced in 4.17 with commit fcea6f3da546b93050f3534aadea7bd96c1d7349 and fixed in 6.11 with commit d11a67634227f9f9da51938af085fb41a733848f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-46770
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/intel/ice/ice_main.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/9e3ffb839249eca113062587659224f856fe14e5
 	https://git.kernel.org/stable/c/efe8effe138044a4747d1112ebb8c454d1663723
 	https://git.kernel.org/stable/c/36486c9e8e01b84faaee47203eac0b7e9cc7fa4a
 	https://git.kernel.org/stable/c/d11a67634227f9f9da51938af085fb41a733848f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-46770: ice: Add netif_device_attach/detach into PF reset flow

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ice: Add netif_device_attach/detach into PF reset flow

	Ethtool callbacks can be executed while reset is in progress and try to
	access deleted resources, e.g. getting coalesce settings can result in a
	NULL pointer dereference seen below.

	Reproduction steps:
	Once the driver is fully initialized, trigger reset:
	# echo 1 > /sys/class/net/<interface>/device/reset
	when reset is in progress try to get coalesce settings using ethtool:
	# ethtool -c <interface>

	BUG: kernel NULL pointer dereference, address: 0000000000000020
	PGD 0 P4D 0
	Oops: Oops: 0000 [#1] PREEMPT SMP PTI
	CPU: 11 PID: 19713 Comm: ethtool Tainted: G S 6.10.0-rc7+ #7
	RIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice]
	RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206
	RAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000
	RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588
	RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
	R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000
	R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40
	FS: 00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0
	Call Trace:
	<TASK>
	ice_get_coalesce+0x17/0x30 [ice]
	coalesce_prepare_data+0x61/0x80
	ethnl_default_doit+0xde/0x340
	genl_family_rcv_msg_doit+0xf2/0x150
	genl_rcv_msg+0x1b3/0x2c0
	netlink_rcv_skb+0x5b/0x110
	genl_rcv+0x28/0x40
	netlink_unicast+0x19c/0x290
	netlink_sendmsg+0x222/0x490
	__sys_sendto+0x1df/0x1f0
	__x64_sys_sendto+0x24/0x30
	do_syscall_64+0x82/0x160
	entry_SYSCALL_64_after_hwframe+0x76/0x7e
	RIP: 0033:0x7faee60d8e27

	Calling netif_device_detach() before reset makes the net core not call
	the driver when ethtool command is issued, the attempt to execute an
	ethtool command during reset will result in the following message:

	netlink error: No such device

	instead of NULL pointer dereference. Once reset is done and
	ice_rebuild() is executing, the netif_device_attach() is called to allow
	for ethtool operations to occur again in a safe manner.

	The Linux kernel CVE team has assigned CVE-2024-46770 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.17 with commit fcea6f3da546b93050f3534aadea7bd96c1d7349 and fixed in 6.1.110 with commit 9e3ffb839249eca113062587659224f856fe14e5
	Issue introduced in 4.17 with commit fcea6f3da546b93050f3534aadea7bd96c1d7349 and fixed in 6.6.51 with commit efe8effe138044a4747d1112ebb8c454d1663723
	Issue introduced in 4.17 with commit fcea6f3da546b93050f3534aadea7bd96c1d7349 and fixed in 6.10.10 with commit 36486c9e8e01b84faaee47203eac0b7e9cc7fa4a
	Issue introduced in 4.17 with commit fcea6f3da546b93050f3534aadea7bd96c1d7349 and fixed in 6.11 with commit d11a67634227f9f9da51938af085fb41a733848f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-46770
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/intel/ice/ice_main.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/9e3ffb839249eca113062587659224f856fe14e5
	https://git.kernel.org/stable/c/efe8effe138044a4747d1112ebb8c454d1663723
	https://git.kernel.org/stable/c/36486c9e8e01b84faaee47203eac0b7e9cc7fa4a
	https://git.kernel.org/stable/c/d11a67634227f9f9da51938af085fb41a733848f