GHSA-H3QM-53P9-W8C6

Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-01-06 21:30
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

net: enetc: Do not configure preemptible TCs if SIs do not support

Both ENETC PF and VF drivers share enetc_setup_tc_mqprio() to configure MQPRIO. And enetc_setup_tc_mqprio() calls enetc_change_preemptible_tcs() to configure preemptible TCs. However, only PF is able to configure preemptible TCs. Because only PF has related registers, while VF does not have these registers. So for VF, its hw->port pointer is NULL. Therefore, VF will access an invalid pointer when accessing a non-existent register, which will cause a crash issue. The simplified log is as follows.

root@ls1028ardb:~# tc qdisc add dev eno0vf0 parent root handle 100: \ mqprio num_tc 4 map 0 0 1 1 2 2 3 3 queues 1@0 1@1 1@2 1@3 hw 1 [ 187.290775] Unable to handle kernel paging request at virtual address 0000000000001f00 [ 187.424831] pc : enetc_mm_commit_preemptible_tcs+0x1c4/0x400 [ 187.430518] lr : enetc_mm_commit_preemptible_tcs+0x30c/0x400 [ 187.511140] Call trace: [ 187.513588] enetc_mm_commit_preemptible_tcs+0x1c4/0x400 [ 187.518918] enetc_setup_tc_mqprio+0x180/0x214 [ 187.523374] enetc_vf_setup_tc+0x1c/0x30 [ 187.527306] mqprio_enable_offload+0x144/0x178 [ 187.531766] mqprio_init+0x3ec/0x668 [ 187.535351] qdisc_create+0x15c/0x488 [ 187.539023] tc_modify_qdisc+0x398/0x73c [ 187.542958] rtnetlink_rcv_msg+0x128/0x378 [ 187.547064] netlink_rcv_skb+0x60/0x130 [ 187.550910] rtnetlink_rcv+0x18/0x24 [ 187.554492] netlink_unicast+0x300/0x36c [ 187.558425] netlink_sendmsg+0x1a8/0x420 [ 187.606759] ---[ end trace 0000000000000000 ]---

In addition, some PFs also do not support configuring preemptible TCs, such as eno1 and eno3 on LS1028A. It won't crash like it does for VFs, but we should prevent these PFs from accessing these unimplemented registers.

Severity ?
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-56649"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-27T15:15:24Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: Do not configure preemptible TCs if SIs do not support\n\nBoth ENETC PF and VF drivers share enetc_setup_tc_mqprio() to configure\nMQPRIO. And enetc_setup_tc_mqprio() calls enetc_change_preemptible_tcs()\nto configure preemptible TCs. However, only PF is able to configure\npreemptible TCs. Because only PF has related registers, while VF does not\nhave these registers. So for VF, its hw-\u003eport pointer is NULL. Therefore,\nVF will access an invalid pointer when accessing a non-existent register,\nwhich will cause a crash issue. The simplified log is as follows.\n\nroot@ls1028ardb:~# tc qdisc add dev eno0vf0 parent root handle 100: \\\nmqprio num_tc 4 map 0 0 1 1 2 2 3 3 queues 1@0 1@1 1@2 1@3 hw 1\n[  187.290775] Unable to handle kernel paging request at virtual address 0000000000001f00\n[  187.424831] pc : enetc_mm_commit_preemptible_tcs+0x1c4/0x400\n[  187.430518] lr : enetc_mm_commit_preemptible_tcs+0x30c/0x400\n[  187.511140] Call trace:\n[  187.513588]  enetc_mm_commit_preemptible_tcs+0x1c4/0x400\n[  187.518918]  enetc_setup_tc_mqprio+0x180/0x214\n[  187.523374]  enetc_vf_setup_tc+0x1c/0x30\n[  187.527306]  mqprio_enable_offload+0x144/0x178\n[  187.531766]  mqprio_init+0x3ec/0x668\n[  187.535351]  qdisc_create+0x15c/0x488\n[  187.539023]  tc_modify_qdisc+0x398/0x73c\n[  187.542958]  rtnetlink_rcv_msg+0x128/0x378\n[  187.547064]  netlink_rcv_skb+0x60/0x130\n[  187.550910]  rtnetlink_rcv+0x18/0x24\n[  187.554492]  netlink_unicast+0x300/0x36c\n[  187.558425]  netlink_sendmsg+0x1a8/0x420\n[  187.606759] ---[ end trace 0000000000000000 ]---\n\nIn addition, some PFs also do not support configuring preemptible TCs,\nsuch as eno1 and eno3 on LS1028A. It won\u0027t crash like it does for VFs,\nbut we should prevent these PFs from accessing these unimplemented\nregisters.",
  "id": "GHSA-h3qm-53p9-w8c6",
  "modified": "2025-01-06T21:30:50Z",
  "published": "2024-12-27T15:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56649"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/66127f0d1ecf00604aeab71132bde398fd9ec7c9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b2420b8c81ec674552d00c55d46245e5c184b260"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b718b68a9964181e24d15138a09ce95785a19002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.