CVE-2022-48652

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48652
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48652.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48652
Related
Published
2024-04-28T13:15:07Z
Modified
2024-09-18T01:00:22Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

ice: Fix crash by keep old cfg when update TCs more than queues

There are problems if the allocated queues are fewer than the Traffic Classes.

Commit a632b2a4c920 ("ice: ethtool: Prohibit improper channel config for DCB") already disallows setting fewer queues than TCs.

Another case is if we first set fewer queues and later update to a config with more TCs due to LLDP: ice_vsi_cfg_tc() will fail but leave dirty num_txq/rxq and tc_cfg in the vsi, which will cause an invalid pointer access.

[ 95.968089] ice 0000:3b:00.1: More TCs defined than queues/rings allocated.
[ 95.968092] ice 0000:3b:00.1: Trying to use more Rx queues (8), than were allocated (1)!
[ 95.968093] ice 0000:3b:00.1: Failed to config TC for VSI index: 0
[ 95.969621] general protection fault: 0000 [#1] SMP NOPTI
[ 95.969705] CPU: 1 PID: 58405 Comm: lldpad Kdump: loaded Tainted: G U W O --------- -t - 4.18.0 #1
[ 95.969867] Hardware name: O.E.M/BC11SPSCB10, BIOS 8.23 12/30/2021
[ 95.969992] RIP: 0010:devmkmalloc+0xa/0x60
[ 95.970052] Code: 5c ff ff ff 31 c0 5b 5d 41 5c c3 b8 f4 ff ff ff eb f4 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 89 d1 <8b> 97 60 02 00 00 48 8d 7e 18 48 39 f7 72 3f 55 89 ce 53 48 8b 4c
[ 95.970344] RSP: 0018:ffffc9003f553888 EFLAGS: 00010206
[ 95.970425] RAX: dead000000000200 RBX: ffffea003c425b00 RCX: 00000000006080c0
[ 95.970536] RDX: 00000000006080c0 RSI: 0000000000000200 RDI: dead000000000200
[ 95.970648] RBP: dead000000000200 R08: 00000000000463c0 R09: ffff888ffa900000
[ 95.970760] R10: 0000000000000000 R11: 0000000000000002 R12: ffff888ff6b40100
[ 95.970870] R13: ffff888ff6a55018 R14: 0000000000000000 R15: ffff888ff6a55460
[ 95.970981] FS: 00007f51b7d24700(0000) GS:ffff88903ee80000(0000) knlGS:0000000000000000
[ 95.971108] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 95.971197] CR2: 00007fac5410d710 CR3: 0000000f2c1de002 CR4: 00000000007606e0
[ 95.971309] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 95.971419] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 95.971530] PKRU: 55555554
[ 95.971573] Call Trace:
[ 95.971622] icesetuprxring+0x39/0x110 [ice]
[ 95.971695] icevsisetuprxrings+0x54/0x90 [ice]
[ 95.971774] icevsiopen+0x25/0x120 [ice]
[ 95.971843] iceopeninternal+0xb8/0x1f0 [ice]
[ 95.971919] iceenavsi+0x4f/0xd0 [ice]
[ 95.971987] icedcbenadisvsi.constprop.5+0x29/0x90 [ice]
[ 95.972082] icepfdcbcfg+0x29a/0x380 [ice]
[ 95.972154] icedcbnlsetets+0x174/0x1b0 [ice]
[ 95.972220] dcbnlieeeset+0x89/0x230
[ 95.972279] ? dcbnlieeedel+0x150/0x150
[ 95.972341] dcbdoit+0x124/0x1b0
[ 95.972392] rtnetlinkrcvmsg+0x243/0x2f0
[ 95.972457] ? dcbdoit+0x14d/0x1b0
[ 95.972510] ? kmallocnodetrackcaller+0x1d3/0x280
[ 95.972591] ? rtnlcalcit.isra.31+0x100/0x100
[ 95.972661] netlinkrcvskb+0xcf/0xf0
[ 95.972720] netlinkunicast+0x16d/0x220
[ 95.972781] netlinksendmsg+0x2ba/0x3a0
[ 95.975891] socksendmsg+0x4c/0x50
[ 95.979032] syssendmsg+0x2e4/0x300
[ 95.982147] ? kmemcachealloc+0x13e/0x190
[ 95.985242] ? _wakeupcommonlock+0x79/0x90
[ 95.988338] ? _checkobjectsize+0xac/0x1b0
[ 95.991440] ? _copytouser+0x22/0x30
[ 95.994539] ? moveaddrtouser+0xbb/0xd0
[ 95.997619] ? _syssendmsg+0x53/0x80
[ 96.000664] _syssendmsg+0x53/0x80
[ 96.003747] dosyscall64+0x5b/0x1d0
[ 96.006862] entrySYSCALL64afterhwframe+0x65/0xca

Only update num_txq/rxq when the check passes, and restore tc_cfg if setting up the queue map fails.

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.0.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.0.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}