CVE-2022-48652
Vulnerability from cvelistv5
Published
2024-04-28 13:00
Modified
2024-11-04 12:14
Severity ?
EPSS score ?
Summary
ice: Fix crash by keep old cfg when update TCs more than queues
References
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2022-48652", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-05-28T18:39:48.506464Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:16:36.260Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-03T15:17:55.623Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/7c945e5b4787db47d728120b56c934ba05f99864" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a509702cac95a8b450228a037c8542f57e538e5b" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/intel/ice/ice_lib.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "7c945e5b4787", "status": "affected", "version": "a632b2a4c920", "versionType": "git" }, { "lessThan": "a509702cac95", "status": "affected", "version": "a632b2a4c920", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/intel/ice/ice_lib.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.19" }, { "lessThan": "5.19", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.19.*", "status": "unaffected", "version": "5.19.12", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.0", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix crash by keep old cfg when update TCs more than queues\n\nThere are problems if allocated queues less than Traffic Classes.\n\nCommit a632b2a4c920 (\"ice: ethtool: Prohibit improper channel config\nfor DCB\") already disallow setting less queues than TCs.\n\nAnother case is if we first set less queues, and later update more TCs\nconfig due to LLDP, ice_vsi_cfg_tc() will failed but left dirty\nnum_txq/rxq and tc_cfg in vsi, that will cause invalid pointer access.\n\n[ 95.968089] ice 0000:3b:00.1: More TCs defined than queues/rings allocated.\n[ 95.968092] ice 0000:3b:00.1: Trying to use more Rx queues (8), than were allocated (1)!\n[ 95.968093] ice 0000:3b:00.1: Failed to config TC for VSI index: 0\n[ 95.969621] general protection fault: 0000 [#1] SMP NOPTI\n[ 95.969705] CPU: 1 PID: 58405 Comm: lldpad Kdump: loaded Tainted: G U W O --------- -t - 4.18.0 #1\n[ 95.969867] Hardware name: O.E.M/BC11SPSCB10, BIOS 8.23 12/30/2021\n[ 95.969992] RIP: 0010:devm_kmalloc+0xa/0x60\n[ 95.970052] Code: 5c ff ff ff 31 c0 5b 5d 41 5c c3 b8 f4 ff ff ff eb f4 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 89 d1 \u003c8b\u003e 97 60 02 00 00 48 8d 7e 18 48 39 f7 72 3f 55 89 ce 53 48 8b 4c\n[ 95.970344] RSP: 0018:ffffc9003f553888 EFLAGS: 00010206\n[ 95.970425] RAX: dead000000000200 RBX: ffffea003c425b00 RCX: 00000000006080c0\n[ 95.970536] RDX: 00000000006080c0 RSI: 0000000000000200 RDI: dead000000000200\n[ 95.970648] RBP: dead000000000200 R08: 00000000000463c0 R09: ffff888ffa900000\n[ 95.970760] R10: 0000000000000000 R11: 0000000000000002 R12: ffff888ff6b40100\n[ 95.970870] R13: ffff888ff6a55018 R14: 0000000000000000 R15: ffff888ff6a55460\n[ 95.970981] FS: 00007f51b7d24700(0000) GS:ffff88903ee80000(0000) knlGS:0000000000000000\n[ 95.971108] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 95.971197] CR2: 00007fac5410d710 CR3: 0000000f2c1de002 CR4: 00000000007606e0\n[ 95.971309] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 95.971419] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 95.971530] PKRU: 55555554\n[ 95.971573] Call Trace:\n[ 95.971622] ice_setup_rx_ring+0x39/0x110 [ice]\n[ 95.971695] ice_vsi_setup_rx_rings+0x54/0x90 [ice]\n[ 95.971774] ice_vsi_open+0x25/0x120 [ice]\n[ 95.971843] ice_open_internal+0xb8/0x1f0 [ice]\n[ 95.971919] ice_ena_vsi+0x4f/0xd0 [ice]\n[ 95.971987] ice_dcb_ena_dis_vsi.constprop.5+0x29/0x90 [ice]\n[ 95.972082] ice_pf_dcb_cfg+0x29a/0x380 [ice]\n[ 95.972154] ice_dcbnl_setets+0x174/0x1b0 [ice]\n[ 95.972220] dcbnl_ieee_set+0x89/0x230\n[ 95.972279] ? dcbnl_ieee_del+0x150/0x150\n[ 95.972341] dcb_doit+0x124/0x1b0\n[ 95.972392] rtnetlink_rcv_msg+0x243/0x2f0\n[ 95.972457] ? dcb_doit+0x14d/0x1b0\n[ 95.972510] ? __kmalloc_node_track_caller+0x1d3/0x280\n[ 95.972591] ? rtnl_calcit.isra.31+0x100/0x100\n[ 95.972661] netlink_rcv_skb+0xcf/0xf0\n[ 95.972720] netlink_unicast+0x16d/0x220\n[ 95.972781] netlink_sendmsg+0x2ba/0x3a0\n[ 95.975891] sock_sendmsg+0x4c/0x50\n[ 95.979032] ___sys_sendmsg+0x2e4/0x300\n[ 95.982147] ? kmem_cache_alloc+0x13e/0x190\n[ 95.985242] ? __wake_up_common_lock+0x79/0x90\n[ 95.988338] ? __check_object_size+0xac/0x1b0\n[ 95.991440] ? _copy_to_user+0x22/0x30\n[ 95.994539] ? move_addr_to_user+0xbb/0xd0\n[ 95.997619] ? __sys_sendmsg+0x53/0x80\n[ 96.000664] __sys_sendmsg+0x53/0x80\n[ 96.003747] do_syscall_64+0x5b/0x1d0\n[ 96.006862] entry_SYSCALL_64_after_hwframe+0x65/0xca\n\nOnly update num_txq/rxq when passed check, and restore tc_cfg if setup\nqueue map failed." } ], "providerMetadata": { "dateUpdated": "2024-11-04T12:14:01.384Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/7c945e5b4787db47d728120b56c934ba05f99864" }, { "url": "https://git.kernel.org/stable/c/a509702cac95a8b450228a037c8542f57e538e5b" } ], "title": "ice: Fix crash by keep old cfg when update TCs more than queues", "x_generator": { "engine": "bippy-9e1c9544281a" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-48652", "datePublished": "2024-04-28T13:00:47.842Z", "dateReserved": "2024-02-25T13:44:28.317Z", "dateUpdated": "2024-11-04T12:14:01.384Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2022-48652\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-28T13:15:07.477\",\"lastModified\":\"2024-04-29T12:42:03.667\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nice: Fix crash by keep old cfg when update TCs more than queues\\n\\nThere are problems if allocated queues less than Traffic Classes.\\n\\nCommit a632b2a4c920 (\\\"ice: ethtool: Prohibit improper channel config\\nfor DCB\\\") already disallow setting less queues than TCs.\\n\\nAnother case is if we first set less queues, and later update more TCs\\nconfig due to LLDP, ice_vsi_cfg_tc() will failed but left dirty\\nnum_txq/rxq and tc_cfg in vsi, that will cause invalid pointer access.\\n\\n[ 95.968089] ice 0000:3b:00.1: More TCs defined than queues/rings allocated.\\n[ 95.968092] ice 0000:3b:00.1: Trying to use more Rx queues (8), than were allocated (1)!\\n[ 95.968093] ice 0000:3b:00.1: Failed to config TC for VSI index: 0\\n[ 95.969621] general protection fault: 0000 [#1] SMP NOPTI\\n[ 95.969705] CPU: 1 PID: 58405 Comm: lldpad Kdump: loaded Tainted: G U W O --------- -t - 4.18.0 #1\\n[ 95.969867] Hardware name: O.E.M/BC11SPSCB10, BIOS 8.23 12/30/2021\\n[ 95.969992] RIP: 0010:devm_kmalloc+0xa/0x60\\n[ 95.970052] Code: 5c ff ff ff 31 c0 5b 5d 41 5c c3 b8 f4 ff ff ff eb f4 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 89 d1 \u003c8b\u003e 97 60 02 00 00 48 8d 7e 18 48 39 f7 72 3f 55 89 ce 53 48 8b 4c\\n[ 95.970344] RSP: 0018:ffffc9003f553888 EFLAGS: 00010206\\n[ 95.970425] RAX: dead000000000200 RBX: ffffea003c425b00 RCX: 00000000006080c0\\n[ 95.970536] RDX: 00000000006080c0 RSI: 0000000000000200 RDI: dead000000000200\\n[ 95.970648] RBP: dead000000000200 R08: 00000000000463c0 R09: ffff888ffa900000\\n[ 95.970760] R10: 0000000000000000 R11: 0000000000000002 R12: ffff888ff6b40100\\n[ 95.970870] R13: ffff888ff6a55018 R14: 0000000000000000 R15: ffff888ff6a55460\\n[ 95.970981] FS: 00007f51b7d24700(0000) GS:ffff88903ee80000(0000) knlGS:0000000000000000\\n[ 95.971108] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 95.971197] CR2: 00007fac5410d710 CR3: 0000000f2c1de002 CR4: 00000000007606e0\\n[ 95.971309] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ 95.971419] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ 95.971530] PKRU: 55555554\\n[ 95.971573] Call Trace:\\n[ 95.971622] ice_setup_rx_ring+0x39/0x110 [ice]\\n[ 95.971695] ice_vsi_setup_rx_rings+0x54/0x90 [ice]\\n[ 95.971774] ice_vsi_open+0x25/0x120 [ice]\\n[ 95.971843] ice_open_internal+0xb8/0x1f0 [ice]\\n[ 95.971919] ice_ena_vsi+0x4f/0xd0 [ice]\\n[ 95.971987] ice_dcb_ena_dis_vsi.constprop.5+0x29/0x90 [ice]\\n[ 95.972082] ice_pf_dcb_cfg+0x29a/0x380 [ice]\\n[ 95.972154] ice_dcbnl_setets+0x174/0x1b0 [ice]\\n[ 95.972220] dcbnl_ieee_set+0x89/0x230\\n[ 95.972279] ? dcbnl_ieee_del+0x150/0x150\\n[ 95.972341] dcb_doit+0x124/0x1b0\\n[ 95.972392] rtnetlink_rcv_msg+0x243/0x2f0\\n[ 95.972457] ? dcb_doit+0x14d/0x1b0\\n[ 95.972510] ? __kmalloc_node_track_caller+0x1d3/0x280\\n[ 95.972591] ? rtnl_calcit.isra.31+0x100/0x100\\n[ 95.972661] netlink_rcv_skb+0xcf/0xf0\\n[ 95.972720] netlink_unicast+0x16d/0x220\\n[ 95.972781] netlink_sendmsg+0x2ba/0x3a0\\n[ 95.975891] sock_sendmsg+0x4c/0x50\\n[ 95.979032] ___sys_sendmsg+0x2e4/0x300\\n[ 95.982147] ? kmem_cache_alloc+0x13e/0x190\\n[ 95.985242] ? __wake_up_common_lock+0x79/0x90\\n[ 95.988338] ? __check_object_size+0xac/0x1b0\\n[ 95.991440] ? _copy_to_user+0x22/0x30\\n[ 95.994539] ? move_addr_to_user+0xbb/0xd0\\n[ 95.997619] ? __sys_sendmsg+0x53/0x80\\n[ 96.000664] __sys_sendmsg+0x53/0x80\\n[ 96.003747] do_syscall_64+0x5b/0x1d0\\n[ 96.006862] entry_SYSCALL_64_after_hwframe+0x65/0xca\\n\\nOnly update num_txq/rxq when passed check, and restore tc_cfg if setup\\nqueue map failed.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ice: se corrige el fallo manteniendo cfg antiguo cuando se actualizan TC m\u00e1s que colas. Hay problemas si se asignan colas con menos clases de tr\u00e1fico. el commit a632b2a4c920 (\\\"ice: ethtool: Prohibir configuraci\u00f3n de canal incorrecta para DCB\\\") ya no permite configurar menos colas que los TC. Otro caso es si primero configuramos menos colas y luego actualizamos m\u00e1s configuraciones de TC debido a LLDP, ice_vsi_cfg_tc() fallar\u00e1 pero dejar\u00e1 num_txq/rxq y tc_cfg sucios en vsi, lo que provocar\u00e1 un acceso al puntero no v\u00e1lido. [ 95.968089] ice 0000:3b:00.1: M\u00e1s TC definidos que colas/anillos asignados. [ 95.968092] ice 0000:3b:00.1: \u00a1Intentando utilizar m\u00e1s colas de Rx (8) de las asignadas (1)! [ 95.968093] ice 0000:3b:00.1: Error al configurar TC para \u00edndice VSI: 0 [ 95.969621] falla de protecci\u00f3n general: 0000 [#1] SMP NOPTI [ 95.969705] CPU: 1 PID: 58405 Comm: lldpad Kdump: cargado Contaminado: GUWO --------- -t - 4.18.0 #1 [ 95.969867] Nombre de hardware: OEM/BC11SPSCB10, BIOS 8.23 30/12/2021 [ 95.969992] RIP: 0010:devm_kmalloc+0xa/0x60 [ 95.970052] C\u00f3digo: 5c ff ff ff 31 c0 5b 5d 41 5c c3 b8 f4 ff ff ff eb f4 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 89 d1 \u0026lt;8b\u0026gt; 97 0 02 00 00 48 8d 7e 18 48 39 f7 72 3f 55 89 ce 53 48 8b 4c [ 95.970344] RSP: 0018:ffffc9003f553888 EFLAGS: 00010206 [ 95.970425] RAX: muerto0000000 00200 RBX: ffffea003c425b00 RCX: 00000000006080c0 [ 95.970536] RDX: 00000000006080c0 RSI: 0000000000000200 RDI: muerto000000000200 [ 95.970648] RBP: muerto000000000200 R08: 00000000000463c0 R09: ffff888ffa900000 [ 95.970760] R10: 0000000000000000 R11: 00000000000002 R12: ffff888ff6b40100 [ 95.970870] R13: ffff888ff6a55018 R14: 0000000000000000 R15: ffff888ff6a55460 [ 95.970981] FS: 1b7d24700(0000) GS: ffff88903ee80000(0000) knlGS:00000000000000000 [ 95.971108] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 95.971197] CR2: 10 CR3: 0000000f2c1de002 CR4: 00000000007606e0 [ 95.971309] DR0: 0000000000000000 DR1: 00000000000000000 DR2: 0000000000000000 [ 95.971419 ] DR3 : 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 95.971530] PKRU: 55555554 [ 95.971573] Seguimiento de llamadas: [ 95.971622] x110 [hielo] [ 95.971695] ice_vsi_setup_rx_rings+0x54/0x90 [hielo] [ 95.971774] ice_vsi_open+0x25/0x120 [hielo] [ 95.971843] ice_open_internal+0xb8/0x1f0 [hielo] [ 95.971919] ice_ena_vsi+0x4f/0xd0 [hielo] [ 95.971987] ice_dcb_ena_dis_vsi.constprop.5+0x29/0x90 [hielo] [ 95.972082] f_dcb_cfg+0x29a/0x380 [hielo ] [ 95.972154] ice_dcbnl_setets+0x174/0x1b0 [hielo] [ 95.972220] dcbnl_ieee_set+0x89/0x230 [ 95.972279] ? dcbnl_ieee_del+0x150/0x150 [ 95.972341] dcb_doit+0x124/0x1b0 [ 95.972392] rtnetlink_rcv_msg+0x243/0x2f0 [ 95.972457] ? dcb_doit+0x14d/0x1b0 [95.972510]? __kmalloc_node_track_caller+0x1d3/0x280 [95.972591]? rtnl_calcit.isra.31+0x100/0x100 [ 95.972661] netlink_rcv_skb+0xcf/0xf0 [ 95.972720] netlink_unicast+0x16d/0x220 [ 95.972781] netlink_sendmsg+0x2ba/0x3a0 [ 95.975 891] sock_sendmsg+0x4c/0x50 [ 95.979032] ___sys_sendmsg+0x2e4/0x300 [ 95.982147] ? kmem_cache_alloc+0x13e/0x190 [95.985242]? __wake_up_common_lock+0x79/0x90 [95.988338]? __check_object_size+0xac/0x1b0 [ 95.991440] ? _copiar_al_usuario+0x22/0x30 [ 95.994539] ? move_addr_to_user+0xbb/0xd0 [95.997619]? __sys_sendmsg+0x53/0x80 [ 96.000664] __sys_sendmsg+0x53/0x80 [ 96.003747] do_syscall_64+0x5b/0x1d0 [ 96.006862] Entry_SYSCALL_64_after_hwframe+0x65/0xca Solo actualizaci\u00f3n num_txq/rxq cuando se pasa la verificaci\u00f3n y restaura tc_cfg si falla el mapa de cola de configuraci\u00f3n.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/7c945e5b4787db47d728120b56c934ba05f99864\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a509702cac95a8b450228a037c8542f57e538e5b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}" } }
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.