CVE-2024-46770 Information
Description
In the Linux kernel the following vulnerability has been resolved:
ice: Add netif_device_attach/detach into PF reset flow
Ethtool callbacks can be executed while reset is in progress and try to access deleted resources, e.g. getting coalesce settings can result in the NULL pointer dereference seen below.
Reproduction steps:
Once the driver is fully initialized, trigger reset:
echo 1 > /sys/class/net/
BUG: kernel NULL pointer dereference address: 0000000000000020
PGD 0 P4D 0
Oops: Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 11 PID: 19713 Comm: ethtool Tainted: G S 6.10.0-rc7+ #7
RIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice]
RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206
RAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000
R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40
FS: 00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0
Call Trace:
Calling netif_device_detach() before reset makes the net core not call the driver when an ethtool command is issued; an attempt to execute an ethtool command during reset will result in the following message:
netlink error: No such device
instead of a NULL pointer dereference. Once reset is done and ice_rebuild() is executing, netif_device_attach() is called to allow ethtool operations to occur again in a safe manner.
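How the detach/attach gate closes the race, as an added userspace model written for this page (it is not kernel code and not part of the ice driver): the net_device, netif_device_*() helpers, ethtool_get_coalesce(), drv_get_q_coalesce() and pf_reset() below are simplified stand-ins for the net core and the driver, and the ITR value 50 is constructed sample data. The point it shows is that the net core checks the device's present bit before dispatching an ethtool request, so a device detached before teardown is refused with -ENODEV instead of reaching a driver callback whose queue vectors have already been freed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the "present" bit that the ethtool core consults (assumption:
 * simplified stand-in for the kernel's __LINK_STATE_PRESENT). */
#define LINK_STATE_PRESENT 0x1UL

struct q_vector {
	int rx_itr;	/* interrupt throttle rate reported by get_coalesce */
	int tx_itr;
};

struct net_device {
	unsigned long state;
	struct q_vector *q_vectors;	/* freed on reset, reallocated on rebuild */
	int num_q_vectors;
};

static bool netif_device_present(const struct net_device *dev)
{
	return dev->state & LINK_STATE_PRESENT;
}

static void netif_device_detach(struct net_device *dev)
{
	dev->state &= ~LINK_STATE_PRESENT;
}

static void netif_device_attach(struct net_device *dev)
{
	dev->state |= LINK_STATE_PRESENT;
}

/* Driver-side callback, modelled on ice_get_q_coalesce(): it assumes the
 * queue vectors exist. In the kernel the NULL case is the oops shown above;
 * here it returns -EFAULT so the model can run to completion. */
static int drv_get_q_coalesce(struct net_device *dev, int q, int *rx_itr)
{
	if (!dev->q_vectors || q >= dev->num_q_vectors)
		return -EFAULT;	/* stands in for the NULL pointer dereference */
	*rx_itr = dev->q_vectors[q].rx_itr;
	return 0;
}

/* Core-side entry point, modelled on the ethtool netlink path: a detached
 * device is refused with -ENODEV ("No such device") before the driver runs. */
static int ethtool_get_coalesce(struct net_device *dev, int q, int *rx_itr)
{
	if (!netif_device_present(dev))
		return -ENODEV;
	return drv_get_q_coalesce(dev, q, rx_itr);
}

typedef int (*probe_fn)(struct net_device *dev);

/* Tear down and rebuild the queue vectors, invoking probe() at the point a
 * concurrent ethtool request would land (resources freed, not yet rebuilt).
 * `detach` selects the pre-fix (false) or post-fix (true) reset flow. */
static int pf_reset(struct net_device *dev, bool detach, probe_fn probe)
{
	int probe_ret;

	if (detach)
		netif_device_detach(dev);	/* added by the fix: before teardown */

	free(dev->q_vectors);	/* teardown: the resources the callback touches */
	dev->q_vectors = NULL;

	probe_ret = probe(dev);	/* the racing ethtool command */

	/* rebuild (ice_rebuild() in the driver): reallocate, then re-enable ethtool */
	dev->q_vectors = calloc(dev->num_q_vectors, sizeof(*dev->q_vectors));
	for (int i = 0; i < dev->num_q_vectors; i++)
		dev->q_vectors[i].rx_itr = 50;	/* constructed sample ITR value */
	if (detach)
		netif_device_attach(dev);	/* added by the fix: after rebuild */

	return probe_ret;
}

static int probe_coalesce(struct net_device *dev)
{
	int rx_itr;
	return ethtool_get_coalesce(dev, 0, &rx_itr);
}

/* What the racing ethtool request observes during reset:
 * -EFAULT (the oops) without detach, -ENODEV (clean refusal) with it. */
static int race_result(bool detach)
{
	struct net_device dev = { .state = LINK_STATE_PRESENT, .num_q_vectors = 4 };
	int ret;

	dev.q_vectors = calloc(dev.num_q_vectors, sizeof(*dev.q_vectors));
	ret = pf_reset(&dev, detach, probe_coalesce);
	free(dev.q_vectors);
	return ret;
}

/* After a fixed-flow reset, ethtool works again: returns the ITR read back. */
static int after_reset_result(void)
{
	struct net_device dev = { .state = LINK_STATE_PRESENT, .num_q_vectors = 4 };
	int rx_itr = -1, ret;

	dev.q_vectors = calloc(dev.num_q_vectors, sizeof(*dev.q_vectors));
	pf_reset(&dev, true, probe_coalesce);
	ret = ethtool_get_coalesce(&dev, 0, &rx_itr);
	free(dev.q_vectors);
	return ret ? ret : rx_itr;
}

int main(void)
{
	printf("without detach: %s\n", strerror(-race_result(false)));
	printf("with detach:    %s\n", strerror(-race_result(true)));
	return 0;
}
```

The check worth carrying over to a real system is the one on the driver side of this model: any ethtool or netlink callback that touches per-queue state must be unreachable while that state is torn down, and relying on the net core's present bit (via netif_device_detach() before teardown and netif_device_attach() only after rebuild) is the kernel's idiom for that rather than sprinkling NULL checks into each callback.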
Reference
https://git.kernel.org/stable/c/9e3ffb839249eca113062587659224f856fe14e5
https://git.kernel.org/stable/c/efe8effe138044a4747d1112ebb8c454d1663723
https://git.kernel.org/stable/c/36486c9e8e01b84faaee47203eac0b7e9cc7fa4a
https://git.kernel.org/stable/c/d11a67634227f9f9da51938af085fb41a733848f