CVE-2024-46766

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-46766
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-46766.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-46766
Downstream
Related
Published
2024-09-18T07:12:25Z
Modified
2025-10-15T14:46:16.535955Z
Summary
ice: move netif_queue_set_napi to rtnl-protected sections
Details

In the Linux kernel, the following vulnerability has been resolved:

ice: move netifqueueset_napi to rtnl-protected sections

Currently, netifqueuesetnapi() is called from icevsirebuild() that is not rtnl-locked when called from the reset. This creates the need to take the rtnllock just for a single function and complicates the synchronization with .ndo_bpf. At the same time, there no actual need to fill napi-to-queue information at this exact point.

Fill napi-to-queue information when opening the VSI and clear it when the VSI is being closed. Those routines are already rtnl-locked.

Also, rewrite napi-to-queue assignment in a way that prevents inclusion of XDP queues, as this leads to out-of-bounds writes, such as one below.

[ +0.000004] BUG: KASAN: slab-out-of-bounds in netifqueuesetnapi+0x1c2/0x1e0 [ +0.000012] Write of size 8 at addr ffff889881727c80 by task bash/7047 [ +0.000006] CPU: 24 PID: 7047 Comm: bash Not tainted 6.10.0-rc2+ #2 [ +0.000004] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021 [ +0.000003] Call Trace: [ +0.000003] <TASK> [ +0.000002] dumpstacklvl+0x60/0x80 [ +0.000007] printreport+0xce/0x630 [ +0.000007] ? pfxrawspinlockirqsave+0x10/0x10 [ +0.000007] ? virtaddrvalid+0x1c9/0x2c0 [ +0.000005] ? netifqueuesetnapi+0x1c2/0x1e0 [ +0.000003] kasanreport+0xe9/0x120 [ +0.000004] ? netifqueuesetnapi+0x1c2/0x1e0 [ +0.000004] netifqueuesetnapi+0x1c2/0x1e0 [ +0.000005] icevsiclose+0x161/0x670 [ice] [ +0.000114] icedisvsi+0x22f/0x270 [ice] [ +0.000095] icepfdisallvsi.constprop.0+0xae/0x1c0 [ice] [ +0.000086] iceprepareforreset+0x299/0x750 [ice] [ +0.000087] pcidevsaveanddisable+0x82/0xd0 [ +0.000006] pciresetfunction+0x12d/0x230 [ +0.000004] resetstore+0xa0/0x100 [ +0.000006] ? _pfxresetstore+0x10/0x10 [ +0.000002] ? _pfxmutexlock+0x10/0x10 [ +0.000004] ? _checkobjectsize+0x4c1/0x640 [ +0.000007] kernfsfopwriteiter+0x30b/0x4a0 [ +0.000006] vfswrite+0x5d6/0xdf0 [ +0.000005] ? fdinstall+0x180/0x350 [ +0.000005] ? _pfxvfswrite+0x10/0xA10 [ +0.000004] ? dofcntl+0x52c/0xcd0 [ +0.000004] ? kasansavetrack+0x13/0x60 [ +0.000003] ? kasansavefreeinfo+0x37/0x60 [ +0.000006] ksyswrite+0xfa/0x1d0 [ +0.000003] ? _pfxksyswrite+0x10/0x10 [ +0.000002] ? _x64sysfcntl+0x121/0x180 [ +0.000004] ? _rawspinlock+0x87/0xe0 [ +0.000005] dosyscall64+0x80/0x170 [ +0.000007] ? _rawspinlock+0x87/0xe0 [ +0.000004] ? _pfxrawspinlock+0x10/0x10 [ +0.000003] ? fileclosefdlocked+0x167/0x230 [ +0.000005] ? syscallexittousermode+0x7d/0x220 [ +0.000005] ? dosyscall64+0x8c/0x170 [ +0.000004] ? dosyscall64+0x8c/0x170 [ +0.000003] ? dosyscall64+0x8c/0x170 [ +0.000003] ? fput+0x1a/0x2c0 [ +0.000004] ? filpclose+0x19/0x30 [ +0.000004] ? dodup2+0x25a/0x4c0 [ +0.000004] ? _x64sysdup2+0x6e/0x2e0 [ +0.000002] ? syscallexittousermode+0x7d/0x220 [ +0.000004] ? dosyscall64+0x8c/0x170 [ +0.000003] ? _countmemcgevents+0x113/0x380 [ +0.000005] ? handlemmfault+0x136/0x820 [ +0.000005] ? douseraddrfault+0x444/0xa80 [ +0.000004] ? clearbhbloop+0x25/0x80 [ +0.000004] ? clearbhbloop+0x25/0x80 [ +0.000002] entrySYSCALL64afterhwframe+0x76/0x7e [ +0.000005] RIP: 0033:0x7f2033593154

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
91fdbce7e8d69be255b45bfeb52092629a50e267
Fixed
2285c2faef19ee08a6bd6754f4c3ec07dceb2889
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
91fdbce7e8d69be255b45bfeb52092629a50e267
Fixed
2a5dc090b92cfa5270e20056074241c6db5c9cdd

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.10.1
v6.10.2
v6.10.3
v6.10.4
v6.10.5
v6.10.6
v6.10.7
v6.10.8
v6.10.9
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.7
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific 

{
    "vanir_signatures": [
        {
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_lib.c",
                "function": "ice_vsi_cfg_def"
            },
            "id": "CVE-2024-46766-02515897",
            "digest": {
                "length": 2231.0,
                "function_hash": "143133749263936411671885447685612023723"
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd"
        },
        {
            "deprecated": false,
            "signature_type": "Line",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_base.c"
            },
            "id": "CVE-2024-46766-16d5c53f",
            "digest": {
                "line_hashes": [
                    "40081167132931600695369874108286280318",
                    "284004648285924285131386065290952839895",
                    "160184631378597350506089595322818912137",
                    "269642129275799075617977484685636238118",
                    "52884368192438504206885920885072990748",
                    "137611390503038325109249839192654599386",
                    "267876385851628703797770874424216578879",
                    "248657531361709759704598886001854129142",
                    "3581989523257292174535769807218455609",
                    "183975359773798519096289349141781222056",
                    "78572008375626889430036743797249265792",
                    "243047050533542780803738475455422917678",
                    "329249632476658065226405079272224028070"
                ],
                "threshold": 0.9
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd"
        },
        {
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_lib.c",
                "function": "ice_q_vector_set_napi_queues"
            },
            "id": "CVE-2024-46766-1a57ae0a",
            "digest": {
                "length": 375.0,
                "function_hash": "184183398178535321636033217201843176294"
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd"
        },
        {
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_lib.c",
                "function": "__ice_queue_set_napi"
            },
            "id": "CVE-2024-46766-36da8bdc",
            "digest": {
                "length": 215.0,
                "function_hash": "320900097312320450534005136768186124095"
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd"
        },
        {
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_main.c",
                "function": "ice_napi_add"
            },
            "id": "CVE-2024-46766-42ba7ce1",
            "digest": {
                "length": 267.0,
                "function_hash": "58812971215616038618717472178315132361"
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd"
        },
        {
            "deprecated": false,
            "signature_type": "Line",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_lib.h"
            },
            "id": "CVE-2024-46766-612ac392",
            "digest": {
                "line_hashes": [
                    "212394165279610607192048032892570546578",
                    "318260554814864045512040892223363677004",
                    "320443593104994513844441801935270619755",
                    "325255552223835102649041745570195557501",
                    "200434531889590773481961640203641353486",
                    "17647477312295374967599862285033356048",
                    "275185054693306461993009818635164463243",
                    "243210163285989036998160025094430183248",
                    "52884238965821159573173380648211341173"
                ],
                "threshold": 0.9
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd"
        },
        {
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_lib.c",
                "function": "ice_vsi_close"
            },
            "id": "CVE-2024-46766-69110e7b",
            "digest": {
                "length": 172.0,
                "function_hash": "202558105368210846787217111107716701289"
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd"
        },
        {
            "deprecated": false,
            "signature_type": "Line",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_lib.c"
            },
            "id": "CVE-2024-46766-760cf328",
            "digest": {
                "line_hashes": [
                    "276988939654167480135130613580281772443",
                    "73881207411778033604160922110717536829",
                    "162282312755709662644857264563066641630",
                    "231414297222575017875387395696094532358",
                    "245862747996545028539417293772586756671",
                    "214123709255526253009872108479191208037",
                    "304038109181434609458223820206395710014",
                    "209094730323412886829485312194031204342",
                    "148358866283616362295248968533305048847",
                    "239304981200914583922829689822399260373",
                    "53336564366026496510246628258082547758",
                    "111839406481296189311398551693454551583",
                    "314904989323020082039067332466067449242",
                    "85371948706446320785444375108158865118",
                    "281514499292553415712675664514273345300",
                    "87995488373150512973768309247009798786",
                    "144357374003701701635035258356222378182",
                    "56099047838197488406890110712054127853",
                    "88397044405901026211818337466700847962",
                    "57662643813705333745325626559025839122",
                    "3239898491335445652692535180886192838",
                    "58626358811931475938125538919067675356",
                    "222749829478524193841440885630364648682",
                    "226146793464841726316379988425895985406",
                    "25505258726896936326030455056500538509",
                    "288226783484052059368233906831501216575",
                    "192877890827212901404596373812802546657",
                    "233332724389985909749637682709937224870",
                    "30275913501423607209788746876726491164",
                    "209230302765459400647319666934346951537",
                    "45058134952813221259732766081969424150",
                    "119518186921553628671490748823947105890",
                    "182473873939526216164471994099588451470",
                    "226088058410784723671990813897290386310",
                    "228981625370112443974552354731760093975",
                    "295538289869696545816599730880273773644",
                    "225711382943694739140858774339966488116",
                    "281248620963616971277590627528522770042",
                    "281700691833613837822050092070215339789",
                    "77533936832838198567682199169644097395",
                    "176086871994080440376176166294342840434",
                    "79434532668835216336201875780511736997",
                    "41871676195704040169213653974627509823",
                    "194469134291946804233315223163699895950",
                    "46162803598225385132678782186460590969",
                    "125873611746730060681101229027528094374",
                    "214256830822463560779746631046405419049",
                    "81525637608861529032031955273488667652",
                    "198509594624072916311248499007809320610",
                    "51324668536465603218742507090006472469",
                    "259552672159623230713712299040842481040",
                    "247804152587850175084322786537987723287",
                    "68907995377036455931923293150372219075",
                    "77533936832838198567682199169644097395",
                    "8647974405323936087404910799979957605",
                    "49623134714198562144643899921667954532",
                    "170200716367847487664095611387111973049",
                    "158702986094723896962303319336872226855",
                    "274904134493835217073453195814865062584",
                    "281234523235031415837145496401186789258",
                    "32410766375554419364318442867688411135",
                    "51537152934424335336878974041577274223",
                    "98879803562437223138025906245958269570",
                    "212123656991700191780576521806750418628",
                    "187379710757590149293872452868192770026",
                    "101496863648407739072333629660004252808",
                    "42528787719041935226161361804862986799",
                    "32126205682064594559764637896669192886",
                    "17286770282495717538586263820627656628",
                    "39397404418714149915200825488550860732",
                    "67313493235685665128718216640769841969"
                ],
                "threshold": 0.9
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd"
        },
        {
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_base.c",
                "function": "ice_free_q_vector"
            },
            "id": "CVE-2024-46766-9573df6e",
            "digest": {
                "length": 899.0,
                "function_hash": "24751335779553411216826082933539617498"
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd"
        },
        {
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_lib.c",
                "function": "__ice_q_vector_set_napi_queues"
            },
            "id": "CVE-2024-46766-a29a7212",
            "digest": {
                "length": 425.0,
                "function_hash": "161934686070535074159115695326584445302"
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd"
        },
        {
            "deprecated": false,
            "signature_type": "Line",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_main.c"
            },
            "id": "CVE-2024-46766-b5dad6ee",
            "digest": {
                "line_hashes": [
                    "37565011127462344592088165779811276787",
                    "246085112629559288331079762897445985482",
                    "153344814487314694665347323472322413750",
                    "157476096784174332363337501585582657194",
                    "50491739010536506411782314989881484489",
                    "252743445626650714740777350757604014318",
                    "85954989140248340920243794628788293710",
                    "200011405145774377443722062365299307577",
                    "280990496198874983693563956897191930058",
                    "33433049631773708007488067728178314609",
                    "138049851068012317536639749541467507362",
                    "117311994311681878979573300344478586720",
                    "273137843244147109186372203957509946123",
                    "192145580002338062546504489493798711975",
                    "201011836187571048354273624900786925880",
                    "114761739299549124622347140359722892604",
                    "290941611967592015705987736610313505887",
                    "300942752791213726864121924152583172557",
                    "94116367955369224120868208290921502412",
                    "63373298476886209128568682514452894591",
                    "167306122140922854109626635300938529656",
                    "330214313622031199694042692740298177642",
                    "251969667211275426304353592529750985965",
                    "175938702731450233935860201022738694432",
                    "210704304405187885647758711621689378192",
                    "60239393927370891560095579625054061271"
                ],
                "threshold": 0.9
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd"
        },
        {
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_lib.c",
                "function": "ice_queue_set_napi"
            },
            "id": "CVE-2024-46766-c54fdbba",
            "digest": {
                "length": 464.0,
                "function_hash": "95101363179283932767959375707478322139"
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd"
        },
        {
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_main.c",
                "function": "ice_suspend"
            },
            "id": "CVE-2024-46766-cdcd37c4",
            "digest": {
                "length": 885.0,
                "function_hash": "91758882038374026121993175475733386445"
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd"
        },
        {
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_main.c",
                "function": "ice_vsi_open"
            },
            "id": "CVE-2024-46766-dd9cf287",
            "digest": {
                "length": 948.0,
                "function_hash": "148564528932859312978174544000344249468"
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd"
        },
        {
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_main.c",
                "function": "ice_reinit_interrupt_scheme"
            },
            "id": "CVE-2024-46766-f96bcb21",
            "digest": {
                "length": 703.0,
                "function_hash": "193893034154467047118803642207971057916"
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd"
        },
        {
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_lib.c",
                "function": "ice_vsi_set_napi_queues"
            },
            "id": "CVE-2024-46766-f9c91ae8",
            "digest": {
                "length": 162.0,
                "function_hash": "11216937744348614501180778936120326554"
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a5dc090b92cfa5270e20056074241c6db5c9cdd"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.8.0
Fixed
6.10.10