CVE-2022-48941

{"id": "CVE-2022-48941", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.0}]}, "published": "2024-08-22T04:15:17.967", "references": [{"url": "https://git.kernel.org/stable/c/05ae1f0fe9c6c5ead08b306e665763a352d20716", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2a3e61de89bab6696aa28b70030eb119968c5586", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3c805fce07c9dbc47d8a9129c7c5458025951957", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fadead80fe4c033b5e514fcbadd20b55c4494112", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix concurrent reset and removal of VFs\n\nCommit c503e63200c6 (\"ice: Stop processing VF messages during teardown\")\nintroduced a driver state flag, ICE_VF_DEINIT_IN_PROGRESS, which is\nintended to prevent some issues with concurrently handling messages from\nVFs while tearing down the VFs.\n\nThis change was motivated by crashes caused while tearing down and\nbringing up VFs in rapid succession.\n\nIt turns out that the fix actually introduces issues with the VF driver\ncaused because the PF no longer responds to any messages sent by the VF\nduring its .remove routine. This results in the VF potentially removing\nits DMA memory before the PF has shut down the device queues.\n\nAdditionally, the fix doesn't actually resolve concurrency issues within\nthe ice driver. It is possible for a VF to initiate a reset just prior\nto the ice driver removing VFs. This can result in the remove task\nconcurrently operating while the VF is being reset. This results in\nsimilar memory corruption and panics purportedly fixed by that commit.\n\nFix this concurrency at its root by protecting both the reset and\nremoval flows using the existing VF cfg_lock. This ensures that we\ncannot remove the VF while any outstanding critical tasks such as a\nvirtchnl message or a reset are occurring.\n\nThis locking change also fixes the root cause originally fixed by commit\nc503e63200c6 (\"ice: Stop processing VF messages during teardown\"), so we\ncan simply revert it.\n\nNote that I kept these two changes together because simply reverting the\noriginal commit alone would leave the driver vulnerable to worse race\nconditions."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ice: corrige el restablecimiento y la eliminaci\u00f3n simult\u00e1neos de VF. El commit c503e63200c6 (\"ice: deja de procesar mensajes VF durante el desmontaje\") introdujo un indicador de estado del controlador, ICE_VF_DEINIT_IN_PROGRESS, cuyo objetivo es evitar algunos problemas con el manejo simult\u00e1neo de mensajes de VF mientras se derriban los VF. Este cambio fue motivado por accidentes causados al derribar y levantar VF en r\u00e1pida sucesi\u00f3n. Resulta que la soluci\u00f3n en realidad introduce problemas con el controlador VF causados porque el PF ya no responde a ning\u00fan mensaje enviado por el VF durante su rutina .remove. Esto da como resultado que el VF elimine potencialmente su memoria DMA antes de que el PF haya cerrado las colas de dispositivos. Adem\u00e1s, la soluci\u00f3n en realidad no resuelve los problemas de concurrencia dentro del controlador Ice. Es posible que un VF inicie un reinicio justo antes de que el conductor de hielo elimine los VF. Esto puede provocar que la tarea de eliminaci\u00f3n funcione simult\u00e1neamente mientras se restablece el VF. Esto da como resultado una corrupci\u00f3n de memoria similar y p\u00e1nicos supuestamente solucionados por esa confirmaci\u00f3n. Corrija esta simultaneidad desde la ra\u00edz protegiendo los flujos de reinicio y eliminaci\u00f3n utilizando el VF cfg_lock existente. Esto garantiza que no podamos eliminar el VF mientras se est\u00e9n realizando tareas cr\u00edticas pendientes, como un mensaje virtchnl o un reinicio. Este cambio de bloqueo tambi\u00e9n soluciona la causa ra\u00edz solucionada originalmente mediante el commit c503e63200c6 (\"ice: Detener el procesamiento de mensajes VF durante el desmontaje\"), por lo que simplemente podemos revertirlo. Tenga en cuenta que mantuve estos dos cambios juntos porque simplemente revertir el compromiso original dejar\u00eda al conductor vulnerable a peores condiciones de ejecuci\u00f3n."}], "lastModified": "2024-08-22T18:41:37.090", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "11A056EC-CCC4-4F9D-8466-75C8592015D0", "versionEndExcluding": "5.10.104"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9AB342AE-A62E-4947-A6EA-511453062B2B", "versionEndExcluding": "5.15.26", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C76BAB21-7F23-4AD8-A25F-CA7B262A2698", "versionEndExcluding": "5.16.12", "versionStartIncluding": "5.16"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}