In the Linux kernel, the following vulnerability has been resolved:
liquidio: Adjust a NULL pointer handling path in liovfrepcopypacket
In liovfrepcopypacket() pginfo->page is compared to a NULL value, but then it is unconditionally passed to skbaddrxfrag() which looks strange and could lead to null pointer dereference.
liovfrepcopypacket() call trace looks like: octeondroqprocesspackets octeondroqfastprocesspackets octeondroqdispatchpkt octeoncreaterecvinfo ...search in the dispatchlist... ->dispfn(rdisp->rinfo, ...) liovfreppktrecv(struct octeonrecvinfo *recvinfo, ...) In this path there is no code which sets pginfo->page to NULL. So this check looks unneeded and doesn't solve potential problem. But I guess the author had reason to add a check and I have no such card and can't do real test. In addition, the code in the function liquidiopushpacket() in liquidio/liocore.c does exactly the same.
Based on this, I consider the most acceptable compromise solution to adjust this issue by moving skbaddrx_frag() into conditional scope.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
{ "vanir_signatures": [ { "id": "CVE-2024-39506-32d2d95e", "signature_type": "Line", "target": { "file": "drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "91091370097675303065996701253559647641", "131985713201041564626172205719217263454", "107671095184809438463721548894203301351", "123817746149464125571702199885935964063", "307875374040347514605231500869100752584", "20957785146063401748753189748919617784", "277079906688686047596075414543105834410", "232538162196076413992793313553433757236", "306814731865000725748643470108525843164", "283984051824015054880224290050450100057" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@87d6bdc006f0cbf297a3b2ad6e40ede4c3ee5dc2" }, { "id": "CVE-2024-39506-356f0392", "signature_type": "Function", "target": { "file": "drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c", "function": "lio_vf_rep_copy_packet" }, "signature_version": "v1", "digest": { "length": 693.0, "function_hash": "267152535115011324932994321529544859436" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c44711b78608c98a3e6b49ce91678cd0917d5349" }, { "id": "CVE-2024-39506-3edc7b53", "signature_type": "Line", "target": { "file": "drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "91091370097675303065996701253559647641", "131985713201041564626172205719217263454", "107671095184809438463721548894203301351", "123817746149464125571702199885935964063", "307875374040347514605231500869100752584", "20957785146063401748753189748919617784", "277079906688686047596075414543105834410", "232538162196076413992793313553433757236", "306814731865000725748643470108525843164", "283984051824015054880224290050450100057" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dcc7440f32c7a26b067aff6e7d931ec593024a79" }, { "id": "CVE-2024-39506-54b4fa9c", "signature_type": "Line", "target": { "file": "drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "91091370097675303065996701253559647641", "131985713201041564626172205719217263454", "107671095184809438463721548894203301351", "123817746149464125571702199885935964063", "307875374040347514605231500869100752584", "20957785146063401748753189748919617784", "277079906688686047596075414543105834410", "232538162196076413992793313553433757236", "306814731865000725748643470108525843164", "283984051824015054880224290050450100057" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cbf18d8128a753cb632bef39470d19befd9c7347" }, { "id": "CVE-2024-39506-59a7da40", "signature_type": "Line", "target": { "file": "drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "91091370097675303065996701253559647641", "131985713201041564626172205719217263454", "107671095184809438463721548894203301351", "123817746149464125571702199885935964063", "307875374040347514605231500869100752584", "20957785146063401748753189748919617784", "277079906688686047596075414543105834410", "232538162196076413992793313553433757236", "306814731865000725748643470108525843164", "283984051824015054880224290050450100057" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a6f4d0ec170a46b5f453cacf55dff5989b42bbfa" }, { "id": "CVE-2024-39506-7791ab27", "signature_type": "Function", "target": { "file": "drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c", "function": "lio_vf_rep_copy_packet" }, "signature_version": "v1", "digest": { "length": 693.0, "function_hash": "267152535115011324932994321529544859436" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a6f4d0ec170a46b5f453cacf55dff5989b42bbfa" }, { "id": "CVE-2024-39506-9a763259", "signature_type": "Function", "target": { "file": "drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c", "function": "lio_vf_rep_copy_packet" }, "signature_version": "v1", "digest": { "length": 693.0, "function_hash": "267152535115011324932994321529544859436" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dcc7440f32c7a26b067aff6e7d931ec593024a79" }, { "id": "CVE-2024-39506-d18f747e", "signature_type": "Function", "target": { "file": "drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c", "function": "lio_vf_rep_copy_packet" }, "signature_version": "v1", "digest": { "length": 693.0, "function_hash": "267152535115011324932994321529544859436" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@87d6bdc006f0cbf297a3b2ad6e40ede4c3ee5dc2" }, { "id": "CVE-2024-39506-d782a15f", "signature_type": "Function", "target": { "file": "drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c", "function": "lio_vf_rep_copy_packet" }, "signature_version": "v1", "digest": { "length": 693.0, "function_hash": "267152535115011324932994321529544859436" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cbf18d8128a753cb632bef39470d19befd9c7347" }, { "id": "CVE-2024-39506-f85acd7a", "signature_type": "Line", "target": { "file": "drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "91091370097675303065996701253559647641", "131985713201041564626172205719217263454", "107671095184809438463721548894203301351", "123817746149464125571702199885935964063", "307875374040347514605231500869100752584", "20957785146063401748753189748919617784", "277079906688686047596075414543105834410", "232538162196076413992793313553433757236", "306814731865000725748643470108525843164", "283984051824015054880224290050450100057" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c44711b78608c98a3e6b49ce91678cd0917d5349" } ] }