CVE-2024-42083

In the Linux kernel, the following vulnerability has been resolved: ionic: fix kernel panic due to multi-buffer handling Currently, the ionic_run_xdp() doesn't handle multi-buffer packets properly for XDP_TX and XDP_REDIRECT. When a jumbo frame is received, the ionic_run_xdp() first makes xdp frame with all necessary pages in the rx descriptor. And if the action is either XDP_TX or XDP_REDIRECT, it should unmap dma-mapping and reset page pointer to NULL for all pages, not only the first page. But it doesn't for SG pages. So, SG pages unexpectedly will be reused. It eventually causes kernel panic. Oops: general protection fault, probably for non-canonical address 0x504f4e4dbebc64ff: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.10.0-rc3+ #25 RIP: 0010:xdp_return_frame+0x42/0x90 Code: 01 75 12 5b 4c 89 e6 5d 31 c9 41 5c 31 d2 41 5d e9 73 fd ff ff 44 8b 6b 20 0f b7 43 0a 49 81 ed 68 01 00 00 49 29 c5 49 01 fd <41> 80 7d0 RSP: 0018:ffff99d00122ce08 EFLAGS: 00010202 RAX: 0000000000005453 RBX: ffff8d325f904000 RCX: 0000000000000001 RDX: 00000000670e1000 RSI: 000000011f90d000 RDI: 504f4e4d4c4b4a49 RBP: ffff99d003907740 R08: 0000000000000000 R09: 0000000000000000 R10: 000000011f90d000 R11: 0000000000000000 R12: ffff8d325f904010 R13: 504f4e4dbebc64fd R14: ffff8d3242b070c8 R15: ffff99d0039077c0 FS: 0000000000000000(0000) GS:ffff8d399f780000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f41f6c85e38 CR3: 000000037ac30000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <IRQ> ? die_addr+0x33/0x90 ? exc_general_protection+0x251/0x2f0 ? asm_exc_general_protection+0x22/0x30 ? xdp_return_frame+0x42/0x90 ionic_tx_clean+0x211/0x280 [ionic 15881354510e6a9c655c59c54812b319ed2cd015] ionic_tx_cq_service+0xd3/0x210 [ionic 15881354510e6a9c655c59c54812b319ed2cd015] ionic_txrx_napi+0x41/0x1b0 [ionic 15881354510e6a9c655c59c54812b319ed2cd015] __napi_poll.constprop.0+0x29/0x1b0 net_rx_action+0x2c4/0x350 handle_softirqs+0xf4/0x320 irq_exit_rcu+0x78/0xa0 common_interrupt+0x77/0x90
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

21 Nov 2024, 09:33

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/8ae401525ae84228a8986bb369224a6224e4d22f - Patch () https://git.kernel.org/stable/c/8ae401525ae84228a8986bb369224a6224e4d22f - Patch
References () https://git.kernel.org/stable/c/e3f02f32a05009a688a87f5799e049ed6b55bab5 - Patch () https://git.kernel.org/stable/c/e3f02f32a05009a688a87f5799e049ed6b55bab5 - Patch

30 Jul 2024, 19:03

Type Values Removed Values Added
CWE CWE-476
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.5
First Time Linux
Linux linux Kernel
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ionic: corrige el pánico del kernel debido al manejo de múltiples búfer Actualmente, ionic_run_xdp() no maneja correctamente los paquetes de múltiples búfer para XDP_TX y XDP_REDIRECT. Cuando se recibe una trama gigante, ionic_run_xdp() primero crea una trama xdp con todas las páginas necesarias en el descriptor rx. Y si la acción es XDP_TX o XDP_REDIRECT, debería desasignar dma-mapping y restablecer el puntero de página a NULL para todas las páginas, no solo la primera. Pero no es así para las páginas SG. Por lo tanto, las páginas SG se reutilizarán inesperadamente. Eventualmente causa pánico en el kernel. Vaya: fallo de protección general, probablemente para la dirección no canónica 0x504f4e4dbebc64ff: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.10.0-rc3+ #25 RIP: 0010:xdp_return_frame+0x42/ 0x90 Código: 01 75 12 5b 4c 89 e6 5d 31 c9 41 5c 31 d2 41 5d e9 73 fd ff ff 44 8b 6b 20 0f b7 43 0a 49 81 ed 68 01 00 00 49 29 c5 49 01 fd 41&gt; 80 7d0 RSP: 0018:ffff99d00122ce08 EFLAGS: 00010202 RAX: 0000000000005453 RBX: ffff8d325f904000 RCX: 00000000000000001 RDX: 00000000670e1000 RSI 000 000011f90d000 RDI: 504f4e4d4c4b4a49 RBP: ffff99d003907740 R08: 0000000000000000 R09: 00000000000000000 R10: 000000011f90d000 R11: 00000000000 R12: ffff8d325f904010 R13: 504f4e4dbebc64fd R14: ffff8d3242b070c8 R15: ffff99d0039077c0 FS: 0000000000000000(0000) GS:ffff8d399f780000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 050033 CR2: 00007f41f6c85e38 CR3: 000000037ac30000 CR4: 00000000007506f0 PKRU: 55555554 Seguimiento de llamadas: ? die_addr+0x33/0x90? exc_general_protection+0x251/0x2f0? asm_exc_general_protection+0x22/0x30? xdp_return_frame+0x42/0x90 ionic_tx_clean+0x211/0x280 [ionic 15881354510e6a9c655c59c54812b319ed2cd015] ionic_tx_cq_service+0xd3/0x210 [ionic 15881354510e6a9c65 5c59c54812b319ed2cd015] ionic_txrx_napi+0x41/0x1b0 [ionic 15881354510e6a9c655c59c54812b319ed2cd015] __napi_poll.constprop.0+0x29/0x1b0 net_rx_action+0x2c4/0x 350 handle_softirqs+0xf4/ 0x320 irq_exit_rcu+0x78/0xa0 interrupción_común+0x77/0x90
References () https://git.kernel.org/stable/c/8ae401525ae84228a8986bb369224a6224e4d22f - () https://git.kernel.org/stable/c/8ae401525ae84228a8986bb369224a6224e4d22f - Patch
References () https://git.kernel.org/stable/c/e3f02f32a05009a688a87f5799e049ed6b55bab5 - () https://git.kernel.org/stable/c/e3f02f32a05009a688a87f5799e049ed6b55bab5 - Patch

29 Jul 2024, 16:21

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-29 16:15

Updated : 2024-11-21 09:33


NVD link : CVE-2024-42083

Mitre link : CVE-2024-42083

CVE.ORG link : CVE-2024-42083


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-476

NULL Pointer Dereference