CVE-2024-40923

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-40923
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-40923.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-40923
Related
Published
2024-07-12T13:15:15Z
Modified
2024-09-18T03:26:30.368550Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

vmxnet3: disable rx data ring on dma allocation failure

When vmxnet3rqcreate() fails to allocate memory for rq->dataring.base, the subsequent call to vmxnet3rqdestroyallrxdataring does not reset rq->dataring.desc_size for the data ring that failed, which presumably causes the hypervisor to reference it on packet reception.

To fix this bug, rq->dataring.descsize needs to be set to 0 to tell the hypervisor to disable this feature.

[ 95.436876] kernel BUG at net/core/skbuff.c:207! [ 95.439074] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 95.440411] CPU: 7 PID: 0 Comm: swapper/7 Not tainted 6.9.3-dirty #1 [ 95.441558] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018 [ 95.443481] RIP: 0010:skbpanic+0x4d/0x4f [ 95.444404] Code: 4f 70 50 8b 87 c0 00 00 00 50 8b 87 bc 00 00 00 50 ff b7 d0 00 00 00 4c 8b 8f c8 00 00 00 48 c7 c7 68 e8 be 9f e8 63 58 f9 ff <0f> 0b 48 8b 14 24 48 c7 c1 d0 73 65 9f e8 a1 ff ff ff 48 8b 14 24 [ 95.447684] RSP: 0018:ffffa13340274dd0 EFLAGS: 00010246 [ 95.448762] RAX: 0000000000000089 RBX: ffff8fbbc72b02d0 RCX: 000000000000083f [ 95.450148] RDX: 0000000000000000 RSI: 00000000000000f6 RDI: 000000000000083f [ 95.451520] RBP: 000000000000002d R08: 0000000000000000 R09: ffffa13340274c60 [ 95.452886] R10: ffffffffa04ed468 R11: 0000000000000002 R12: 0000000000000000 [ 95.454293] R13: ffff8fbbdab3c2d0 R14: ffff8fbbdbd829e0 R15: ffff8fbbdbd809e0 [ 95.455682] FS: 0000000000000000(0000) GS:ffff8fbeefd80000(0000) knlGS:0000000000000000 [ 95.457178] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 95.458340] CR2: 00007fd0d1f650c8 CR3: 0000000115f28000 CR4: 00000000000406f0 [ 95.459791] Call Trace: [ 95.460515] <IRQ> [ 95.461180] ? _diebody.cold+0x19/0x27 [ 95.462150] ? die+0x2e/0x50 [ 95.462976] ? dotrap+0xca/0x110 [ 95.463973] ? doerrortrap+0x6a/0x90 [ 95.464966] ? skbpanic+0x4d/0x4f [ 95.465901] ? excinvalidop+0x50/0x70 [ 95.466849] ? skbpanic+0x4d/0x4f [ 95.467718] ? asmexcinvalidop+0x1a/0x20 [ 95.468758] ? skbpanic+0x4d/0x4f [ 95.469655] skbput.cold+0x10/0x10 [ 95.470573] vmxnet3rqrxcomplete+0x862/0x11e0 [vmxnet3] [ 95.471853] vmxnet3pollrxonly+0x36/0xb0 [vmxnet3] [ 95.473185] _napipoll+0x2b/0x160 [ 95.474145] netrxaction+0x2c6/0x3b0 [ 95.475115] handlesoftirqs+0xe7/0x2a0 [ 95.476122] _irqexitrcu+0x97/0xb0 [ 95.477109] commoninterrupt+0x85/0xa0 [ 95.478102] </IRQ> [ 95.478846] <TASK> [ 95.479603] asmcommoninterrupt+0x26/0x40 [ 95.480657] RIP: 0010:pvnativesafehalt+0xf/0x20 [ 95.481801] Code: 22 d7 e9 54 87 01 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 93 ba 3b 00 fb f4 <e9> 2c 87 01 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 [ 95.485563] RSP: 0018:ffffa133400ffe58 EFLAGS: 00000246 [ 95.486882] RAX: 0000000000004000 RBX: ffff8fbbc1d14064 RCX: 0000000000000000 [ 95.488477] RDX: ffff8fbeefd80000 RSI: ffff8fbbc1d14000 RDI: 0000000000000001 [ 95.490067] RBP: ffff8fbbc1d14064 R08: ffffffffa0652260 R09: 00000000000010d3 [ 95.491683] R10: 0000000000000018 R11: ffff8fbeefdb4764 R12: ffffffffa0652260 [ 95.493389] R13: ffffffffa06522e0 R14: 0000000000000001 R15: 0000000000000000 [ 95.495035] acpisafehalt+0x14/0x20 [ 95.496127] acpiidledoentry+0x2f/0x50 [ 95.497221] acpiidleenter+0x7f/0xd0 [ 95.498272] cpuidleenterstate+0x81/0x420 [ 95.499375] cpuidleenter+0x2d/0x40 [ 95.500400] doidle+0x1e5/0x240 [ 95.501385] cpustartupentry+0x29/0x30 [ 95.502422] startsecondary+0x11c/0x140 [ 95.503454] commonstartup64+0x13e/0x141 [ 95.504466] </TASK> [ 95.505197] Modules linked in: nftfibinet nftfibipv4 nftfibipv6 nftfib nftrejectinet nfrejectipv4 nfrejectipv6 nftreject nftct nftchainnat nfnat nfconntrack nfdefragip ---truncated---

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.9.7-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1
6.7.12-1
6.8.9-1
6.8.11-1
6.8.12-1~bpo12+1
6.8.12-1
6.9.2-1~exp1
6.9.7-1~bpo12+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}