In the Linux kernel, the following vulnerability has been resolved:
ice: move netif_queue_set_napi to rtnl-protected sections
Currently, netif_queue_set_napi() is called from ice_vsi_rebuild(), which is not rtnl-locked when called from the reset path. This creates the need to take the rtnl_lock just for a single function and complicates the synchronization with .ndo_bpf. At the same time, there is no actual need to fill napi-to-queue information at this exact point.
Fill napi-to-queue information when opening the VSI and clear it when the VSI is being closed. Those routines are already rtnl-locked.
Also, rewrite the napi-to-queue assignment in a way that prevents inclusion of XDP queues, as including them leads to out-of-bounds writes, such as the one below.
[ +0.000004] BUG: KASAN: slab-out-of-bounds in netifqueuesetnapi+0x1c2/0x1e0 [ +0.000012] Write of size 8 at addr ffff889881727c80 by task bash/7047 [ +0.000006] CPU: 24 PID: 7047 Comm: bash Not tainted 6.10.0-rc2+ #2 [ +0.000004] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021 [ +0.000003] Call Trace: [ +0.000003] <TASK> [ +0.000002] dumpstacklvl+0x60/0x80 [ +0.000007] printreport+0xce/0x630 [ +0.000007] ? pfxrawspinlockirqsave+0x10/0x10 [ +0.000007] ? virtaddrvalid+0x1c9/0x2c0 [ +0.000005] ? netifqueuesetnapi+0x1c2/0x1e0 [ +0.000003] kasanreport+0xe9/0x120 [ +0.000004] ? netifqueuesetnapi+0x1c2/0x1e0 [ +0.000004] netifqueuesetnapi+0x1c2/0x1e0 [ +0.000005] icevsiclose+0x161/0x670 [ice] [ +0.000114] icedisvsi+0x22f/0x270 [ice] [ +0.000095] icepfdisallvsi.constprop.0+0xae/0x1c0 [ice] [ +0.000086] iceprepareforreset+0x299/0x750 [ice] [ +0.000087] pcidevsaveanddisable+0x82/0xd0 [ +0.000006] pciresetfunction+0x12d/0x230 [ +0.000004] resetstore+0xa0/0x100 [ +0.000006] ? _pfxresetstore+0x10/0x10 [ +0.000002] ? _pfxmutexlock+0x10/0x10 [ +0.000004] ? _checkobjectsize+0x4c1/0x640 [ +0.000007] kernfsfopwriteiter+0x30b/0x4a0 [ +0.000006] vfswrite+0x5d6/0xdf0 [ +0.000005] ? fdinstall+0x180/0x350 [ +0.000005] ? _pfxvfswrite+0x10/0xA10 [ +0.000004] ? dofcntl+0x52c/0xcd0 [ +0.000004] ? kasansavetrack+0x13/0x60 [ +0.000003] ? kasansavefreeinfo+0x37/0x60 [ +0.000006] ksyswrite+0xfa/0x1d0 [ +0.000003] ? _pfxksyswrite+0x10/0x10 [ +0.000002] ? _x64sysfcntl+0x121/0x180 [ +0.000004] ? _rawspinlock+0x87/0xe0 [ +0.000005] dosyscall64+0x80/0x170 [ +0.000007] ? _rawspinlock+0x87/0xe0 [ +0.000004] ? _pfxrawspinlock+0x10/0x10 [ +0.000003] ? fileclosefdlocked+0x167/0x230 [ +0.000005] ? syscallexittousermode+0x7d/0x220 [ +0.000005] ? dosyscall64+0x8c/0x170 [ +0.000004] ? dosyscall64+0x8c/0x170 [ +0.000003] ? dosyscall64+0x8c/0x170 [ +0.000003] ? fput+0x1a/0x2c0 [ +0.000004] ? filpclose+0x19/0x30 [ +0.000004] ? 
dodup2+0x25a/0x4c0 [ +0.000004] ? _x64sysdup2+0x6e/0x2e0 [ +0.000002] ? syscallexittousermode+0x7d/0x220 [ +0.000004] ? dosyscall64+0x8c/0x170 [ +0.000003] ? _countmemcgevents+0x113/0x380 [ +0.000005] ? handlemmfault+0x136/0x820 [ +0.000005] ? douseraddrfault+0x444/0xa80 [ +0.000004] ? clearbhbloop+0x25/0x80 [ +0.000004] ? clearbhbloop+0x25/0x80 [ +0.000002] entrySYSCALL64afterhwframe+0x76/0x7e [ +0.000005] RIP: 0033:0x7f2033593154
{ "vanir_signatures": [ { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/intel/ice/ice_lib.c", "function": "ice_vsi_cfg_def" }, "id": "CVE-2024-46766-02515897", "digest": { "length": 2231.0, "function_hash": "143133749263936411671885447685612023723" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "drivers/net/ethernet/intel/ice/ice_base.c" }, "id": "CVE-2024-46766-16d5c53f", "digest": { "line_hashes": [ "40081167132931600695369874108286280318", "284004648285924285131386065290952839895", "160184631378597350506089595322818912137", "269642129275799075617977484685636238118", "52884368192438504206885920885072990748", "137611390503038325109249839192654599386", "267876385851628703797770874424216578879", "248657531361709759704598886001854129142", "3581989523257292174535769807218455609", "183975359773798519096289349141781222056", "78572008375626889430036743797249265792", "243047050533542780803738475455422917678", "329249632476658065226405079272224028070" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/intel/ice/ice_lib.c", "function": "ice_q_vector_set_napi_queues" }, "id": "CVE-2024-46766-1a57ae0a", "digest": { "length": 375.0, "function_hash": "184183398178535321636033217201843176294" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/intel/ice/ice_lib.c", "function": "__ice_queue_set_napi" }, "id": "CVE-2024-46766-36da8bdc", "digest": { "length": 
215.0, "function_hash": "320900097312320450534005136768186124095" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/intel/ice/ice_main.c", "function": "ice_napi_add" }, "id": "CVE-2024-46766-42ba7ce1", "digest": { "length": 267.0, "function_hash": "58812971215616038618717472178315132361" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "drivers/net/ethernet/intel/ice/ice_lib.h" }, "id": "CVE-2024-46766-612ac392", "digest": { "line_hashes": [ "212394165279610607192048032892570546578", "318260554814864045512040892223363677004", "320443593104994513844441801935270619755", "325255552223835102649041745570195557501", "200434531889590773481961640203641353486", "17647477312295374967599862285033356048", "275185054693306461993009818635164463243", "243210163285989036998160025094430183248", "52884238965821159573173380648211341173" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/intel/ice/ice_lib.c", "function": "ice_vsi_close" }, "id": "CVE-2024-46766-69110e7b", "digest": { "length": 172.0, "function_hash": "202558105368210846787217111107716701289" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "drivers/net/ethernet/intel/ice/ice_lib.c" }, "id": "CVE-2024-46766-760cf328", "digest": { "line_hashes": [ 
"276988939654167480135130613580281772443", "73881207411778033604160922110717536829", "162282312755709662644857264563066641630", "231414297222575017875387395696094532358", "245862747996545028539417293772586756671", "214123709255526253009872108479191208037", "304038109181434609458223820206395710014", "209094730323412886829485312194031204342", "148358866283616362295248968533305048847", "239304981200914583922829689822399260373", "53336564366026496510246628258082547758", "111839406481296189311398551693454551583", "314904989323020082039067332466067449242", "85371948706446320785444375108158865118", "281514499292553415712675664514273345300", "87995488373150512973768309247009798786", "144357374003701701635035258356222378182", "56099047838197488406890110712054127853", "88397044405901026211818337466700847962", "57662643813705333745325626559025839122", "3239898491335445652692535180886192838", "58626358811931475938125538919067675356", "222749829478524193841440885630364648682", "226146793464841726316379988425895985406", "25505258726896936326030455056500538509", "288226783484052059368233906831501216575", "192877890827212901404596373812802546657", "233332724389985909749637682709937224870", "30275913501423607209788746876726491164", "209230302765459400647319666934346951537", "45058134952813221259732766081969424150", "119518186921553628671490748823947105890", "182473873939526216164471994099588451470", "226088058410784723671990813897290386310", "228981625370112443974552354731760093975", "295538289869696545816599730880273773644", "225711382943694739140858774339966488116", "281248620963616971277590627528522770042", "281700691833613837822050092070215339789", "77533936832838198567682199169644097395", "176086871994080440376176166294342840434", "79434532668835216336201875780511736997", "41871676195704040169213653974627509823", "194469134291946804233315223163699895950", "46162803598225385132678782186460590969", "125873611746730060681101229027528094374", 
"214256830822463560779746631046405419049", "81525637608861529032031955273488667652", "198509594624072916311248499007809320610", "51324668536465603218742507090006472469", "259552672159623230713712299040842481040", "247804152587850175084322786537987723287", "68907995377036455931923293150372219075", "77533936832838198567682199169644097395", "8647974405323936087404910799979957605", "49623134714198562144643899921667954532", "170200716367847487664095611387111973049", "158702986094723896962303319336872226855", "274904134493835217073453195814865062584", "281234523235031415837145496401186789258", "32410766375554419364318442867688411135", "51537152934424335336878974041577274223", "98879803562437223138025906245958269570", "212123656991700191780576521806750418628", "187379710757590149293872452868192770026", "101496863648407739072333629660004252808", "42528787719041935226161361804862986799", "32126205682064594559764637896669192886", "17286770282495717538586263820627656628", "39397404418714149915200825488550860732", "67313493235685665128718216640769841969" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/intel/ice/ice_base.c", "function": "ice_free_q_vector" }, "id": "CVE-2024-46766-9573df6e", "digest": { "length": 899.0, "function_hash": "24751335779553411216826082933539617498" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/intel/ice/ice_lib.c", "function": "__ice_q_vector_set_napi_queues" }, "id": "CVE-2024-46766-a29a7212", "digest": { "length": 425.0, "function_hash": "161934686070535074159115695326584445302" }, "signature_version": "v1", "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "drivers/net/ethernet/intel/ice/ice_main.c" }, "id": "CVE-2024-46766-b5dad6ee", "digest": { "line_hashes": [ "37565011127462344592088165779811276787", "246085112629559288331079762897445985482", "153344814487314694665347323472322413750", "157476096784174332363337501585582657194", "50491739010536506411782314989881484489", "252743445626650714740777350757604014318", "85954989140248340920243794628788293710", "200011405145774377443722062365299307577", "280990496198874983693563956897191930058", "33433049631773708007488067728178314609", "138049851068012317536639749541467507362", "117311994311681878979573300344478586720", "273137843244147109186372203957509946123", "192145580002338062546504489493798711975", "201011836187571048354273624900786925880", "114761739299549124622347140359722892604", "290941611967592015705987736610313505887", "300942752791213726864121924152583172557", "94116367955369224120868208290921502412", "63373298476886209128568682514452894591", "167306122140922854109626635300938529656", "330214313622031199694042692740298177642", "251969667211275426304353592529750985965", "175938702731450233935860201022738694432", "210704304405187885647758711621689378192", "60239393927370891560095579625054061271" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/intel/ice/ice_lib.c", "function": "ice_queue_set_napi" }, "id": "CVE-2024-46766-c54fdbba", "digest": { "length": 464.0, "function_hash": "95101363179283932767959375707478322139" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd" }, { 
"deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/intel/ice/ice_main.c", "function": "ice_suspend" }, "id": "CVE-2024-46766-cdcd37c4", "digest": { "length": 885.0, "function_hash": "91758882038374026121993175475733386445" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/intel/ice/ice_main.c", "function": "ice_vsi_open" }, "id": "CVE-2024-46766-dd9cf287", "digest": { "length": 948.0, "function_hash": "148564528932859312978174544000344249468" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/intel/ice/ice_main.c", "function": "ice_reinit_interrupt_scheme" }, "id": "CVE-2024-46766-f96bcb21", "digest": { "length": 703.0, "function_hash": "193893034154467047118803642207971057916" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/intel/ice/ice_lib.c", "function": "ice_vsi_set_napi_queues" }, "id": "CVE-2024-46766-f9c91ae8", "digest": { "length": 162.0, "function_hash": "11216937744348614501180778936120326554" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd" } ] }