CVE-2024-50042

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-50042

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-50042.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-50042

Related

Published

2024-10-21T20:15:17Z

Modified

2024-10-23T16:50:17.059562Z

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

ice: Fix increasing MSI-X on VF

Increasing MSI-X value on a VF leads to invalid memory operations. This is caused by not reallocating some arrays.

Reproducer: modprobe ice echo 0 > /sys/bus/pci/devices/$PFPCI/sriovdriversautoprobe echo 1 > /sys/bus/pci/devices/$PFPCI/sriovnumvfs echo 17 > /sys/bus/pci/devices/$VF0PCI/sriovvfmsix_count

Default MSI-X is 16, so 17 and above triggers this issue.

KASAN reports:

BUG: KASAN: slab-out-of-bounds in icevsiallocringstats+0x38d/0x4b0 [ice] Read of size 8 at addr ffff8888b937d180 by task bash/28433 (...)

Call Trace: (...) ? icevsiallocringstats+0x38d/0x4b0 [ice] kasanreport+0xed/0x120 ? icevsiallocringstats+0x38d/0x4b0 [ice] icevsiallocringstats+0x38d/0x4b0 [ice] icevsicfgdef+0x3360/0x4770 [ice] ? mutexunlock+0x83/0xd0 ? _pfxicevsicfgdef+0x10/0x10 [ice] ? _pfxiceremovevsilkupfltr+0x10/0x10 [ice] icevsicfg+0x7f/0x3b0 [ice] icevfreconfigvsi+0x114/0x210 [ice] icesriovsetmsixveccount+0x3d0/0x960 [ice] sriovvfmsixcountstore+0x21c/0x300 (...)

Allocated by task 28201: (...) icevsicfgdef+0x1c8e/0x4770 [ice] icevsicfg+0x7f/0x3b0 [ice] icevsisetup+0x179/0xa30 [ice] icesriovconfigure+0xcaa/0x1520 [ice] sriovnumvfs_store+0x212/0x390 (...)

To fix it, use icevsirebuild() instead of icevfreconfigvsi(). This causes the required arrays to be reallocated taking the new queue count into account (icevsireallocstatarrays()). Set reqtxq and reqrxq before icevsi_rebuild(), so that realloc uses the newly set queue count.

Additionally, icevsirebuild() does not remove VSI filters (icefltrremoveall()), so icevfinithost_cfg() is no longer necessary.

References

Affected packages

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.11.4-1

Affected versions

6.*

6.1.27-1

6.1.37-1

6.1.38-1

6.1.38-2~bpo11+1

6.1.38-2

6.1.38-3

6.1.38-4~bpo11+1

6.1.38-4

6.1.52-1

6.1.55-1~bpo11+1

6.1.55-1

6.1.64-1

6.1.66-1

6.1.67-1

6.1.69-1~bpo11+1

6.1.69-1

6.1.76-1~bpo11+1

6.1.76-1

6.1.82-1

6.1.85-1

6.1.90-1~bpo11+1

6.1.90-1

6.1.94-1~bpo11+1

6.1.94-1

6.1.98-1

6.1.99-1

6.1.106-1

6.1.106-2

6.1.106-3

6.1.112-1

6.3.1-1~exp1

6.3.2-1~exp1

6.3.4-1~exp1

6.3.5-1~exp1

6.3.7-1~bpo12+1

6.3.7-1

6.3.11-1

6.4~rc6-1~exp1

6.4~rc7-1~exp1

6.4.1-1~exp1

6.4.4-1~bpo12+1

6.4.4-1

6.4.4-2

6.4.4-3~bpo12+1

6.4.4-3

6.4.11-1

6.4.13-1

6.5~rc4-1~exp1

6.5~rc6-1~exp1

6.5~rc7-1~exp1

6.5.1-1~exp1

6.5.3-1~bpo12+1

6.5.3-1

6.5.6-1

6.5.8-1

6.5.10-1~bpo12+1

6.5.10-1

6.5.13-1

6.6.3-1~exp1

6.6.4-1~exp1

6.6.7-1~exp1

6.6.8-1

6.6.9-1

6.6.11-1

6.6.13-1~bpo12+1

6.6.13-1

6.6.15-1

6.6.15-2

6.7-1~exp1

6.7.1-1~exp1

6.7.4-1~exp1

6.7.7-1

6.7.9-1

6.7.9-2

6.7.12-1~bpo12+1

6.7.12-1

6.8.9-1

6.8.11-1

6.8.12-1~bpo12+1

6.8.12-1

6.9.2-1~exp1

6.9.7-1~bpo12+1

6.9.7-1

6.9.8-1

6.9.9-1

6.9.10-1~bpo12+1

6.9.10-1

6.9.11-1

6.9.12-1

6.10-1~exp1

6.10.1-1~exp1

6.10.3-1

6.10.4-1

6.10.6-1~bpo12+1

6.10.6-1

6.10.7-1

6.10.9-1

6.10.11-1~bpo12+1

6.10.11-1

6.10.12-1

6.11~rc4-1~exp1

6.11~rc5-1~exp1

6.11-1~exp1

6.11.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}