cve/published/2024/CVE-2024-50042.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50042: ice: Fix increasing MSI-X on VF

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ice: Fix increasing MSI-X on VF

 Increasing MSI-X value on a VF leads to invalid memory operations. This
 is caused by not reallocating some arrays.

 Reproducer:
   modprobe ice
   echo 0 > /sys/bus/pci/devices/$PF_PCI/sriov_drivers_autoprobe
   echo 1 > /sys/bus/pci/devices/$PF_PCI/sriov_numvfs
   echo 17 > /sys/bus/pci/devices/$VF0_PCI/sriov_vf_msix_count

 Default MSI-X is 16, so 17 and above triggers this issue.

 KASAN reports:

   BUG: KASAN: slab-out-of-bounds in ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
   Read of size 8 at addr ffff8888b937d180 by task bash/28433
   (...)

   Call Trace:
    (...)
    ? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
    kasan_report+0xed/0x120
    ? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
    ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
    ice_vsi_cfg_def+0x3360/0x4770 [ice]
    ? mutex_unlock+0x83/0xd0
    ? __pfx_ice_vsi_cfg_def+0x10/0x10 [ice]
    ? __pfx_ice_remove_vsi_lkup_fltr+0x10/0x10 [ice]
    ice_vsi_cfg+0x7f/0x3b0 [ice]
    ice_vf_reconfig_vsi+0x114/0x210 [ice]
    ice_sriov_set_msix_vec_count+0x3d0/0x960 [ice]
    sriov_vf_msix_count_store+0x21c/0x300
    (...)

   Allocated by task 28201:
    (...)
    ice_vsi_cfg_def+0x1c8e/0x4770 [ice]
    ice_vsi_cfg+0x7f/0x3b0 [ice]
    ice_vsi_setup+0x179/0xa30 [ice]
    ice_sriov_configure+0xcaa/0x1520 [ice]
    sriov_numvfs_store+0x212/0x390
    (...)

 To fix it, use ice_vsi_rebuild() instead of ice_vf_reconfig_vsi(). This
 causes the required arrays to be reallocated taking the new queue count
 into account (ice_vsi_realloc_stat_arrays()). Set req_txq and req_rxq
 before ice_vsi_rebuild(), so that realloc uses the newly set queue
 count.

 Additionally, ice_vsi_rebuild() does not remove VSI filters
 (ice_fltr_remove_all()), so ice_vf_init_host_cfg() is no longer
 necessary.

 The Linux kernel CVE team has assigned CVE-2024-50042 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.8 with commit 2a2cb4c6c18130e9f14d2e39deb75590744d98ef and fixed in 6.11.4 with commit cbda6197929418fabf0e45ecf9b7a76360944c70
 	Issue introduced in 6.8 with commit 2a2cb4c6c18130e9f14d2e39deb75590744d98ef and fixed in 6.12 with commit bce9af1b030bf59d51bbabf909a3ef164787e44e
 	Issue introduced in 6.7.10 with commit 8910b1cef190545085e9bb486f35dd30ad928a05

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50042
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/intel/ice/ice_sriov.c
 	drivers/net/ethernet/intel/ice/ice_vf_lib.c
 	drivers/net/ethernet/intel/ice/ice_vf_lib_private.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/cbda6197929418fabf0e45ecf9b7a76360944c70
 	https://git.kernel.org/stable/c/bce9af1b030bf59d51bbabf909a3ef164787e44e
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50042: ice: Fix increasing MSI-X on VF

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ice: Fix increasing MSI-X on VF

	Increasing MSI-X value on a VF leads to invalid memory operations. This
	is caused by not reallocating some arrays.

	Reproducer:
	modprobe ice
	echo 0 > /sys/bus/pci/devices/$PF_PCI/sriov_drivers_autoprobe
	echo 1 > /sys/bus/pci/devices/$PF_PCI/sriov_numvfs
	echo 17 > /sys/bus/pci/devices/$VF0_PCI/sriov_vf_msix_count

	Default MSI-X is 16, so 17 and above triggers this issue.

	KASAN reports:

	BUG: KASAN: slab-out-of-bounds in ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
	Read of size 8 at addr ffff8888b937d180 by task bash/28433
	(...)

	Call Trace:
	(...)
	? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
	kasan_report+0xed/0x120
	? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
	ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
	ice_vsi_cfg_def+0x3360/0x4770 [ice]
	? mutex_unlock+0x83/0xd0
	? __pfx_ice_vsi_cfg_def+0x10/0x10 [ice]
	? __pfx_ice_remove_vsi_lkup_fltr+0x10/0x10 [ice]
	ice_vsi_cfg+0x7f/0x3b0 [ice]
	ice_vf_reconfig_vsi+0x114/0x210 [ice]
	ice_sriov_set_msix_vec_count+0x3d0/0x960 [ice]
	sriov_vf_msix_count_store+0x21c/0x300
	(...)

	Allocated by task 28201:
	(...)
	ice_vsi_cfg_def+0x1c8e/0x4770 [ice]
	ice_vsi_cfg+0x7f/0x3b0 [ice]
	ice_vsi_setup+0x179/0xa30 [ice]
	ice_sriov_configure+0xcaa/0x1520 [ice]
	sriov_numvfs_store+0x212/0x390
	(...)

	To fix it, use ice_vsi_rebuild() instead of ice_vf_reconfig_vsi(). This
	causes the required arrays to be reallocated taking the new queue count
	into account (ice_vsi_realloc_stat_arrays()). Set req_txq and req_rxq
	before ice_vsi_rebuild(), so that realloc uses the newly set queue
	count.

	Additionally, ice_vsi_rebuild() does not remove VSI filters
	(ice_fltr_remove_all()), so ice_vf_init_host_cfg() is no longer
	necessary.

	The Linux kernel CVE team has assigned CVE-2024-50042 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.8 with commit 2a2cb4c6c18130e9f14d2e39deb75590744d98ef and fixed in 6.11.4 with commit cbda6197929418fabf0e45ecf9b7a76360944c70
	Issue introduced in 6.8 with commit 2a2cb4c6c18130e9f14d2e39deb75590744d98ef and fixed in 6.12 with commit bce9af1b030bf59d51bbabf909a3ef164787e44e
	Issue introduced in 6.7.10 with commit 8910b1cef190545085e9bb486f35dd30ad928a05

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50042
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/intel/ice/ice_sriov.c
	drivers/net/ethernet/intel/ice/ice_vf_lib.c
	drivers/net/ethernet/intel/ice/ice_vf_lib_private.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/cbda6197929418fabf0e45ecf9b7a76360944c70
	https://git.kernel.org/stable/c/bce9af1b030bf59d51bbabf909a3ef164787e44e