CVE-2024-40923

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-40923
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-40923.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-40923
Downstream
Related
Published
2024-07-12T12:25:04Z
Modified
2025-10-17T02:46:27.344777Z
Summary
vmxnet3: disable rx data ring on dma allocation failure
Details

In the Linux kernel, the following vulnerability has been resolved:

vmxnet3: disable rx data ring on dma allocation failure

When vmxnet3_rq_create() fails to allocate memory for rq->data_ring.base, the subsequent call to vmxnet3_rq_destroy_all_rxdataring does not reset rq->data_ring.desc_size for the data ring that failed, which presumably causes the hypervisor to reference it on packet reception.

To fix this bug, rq->data_ring.desc_size needs to be set to 0 to tell the hypervisor to disable this feature.


References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6f4833383e8514ea796d094e05c24889b8997fde
Fixed
9ee14af24e67ef170108db547f7d1f701b3f2bc5
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6f4833383e8514ea796d094e05c24889b8997fde
Fixed
aa116ae9d169e28b692292460aed27fc44f4a017
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6f4833383e8514ea796d094e05c24889b8997fde
Fixed
ffbe335b8d471f79b259e950cb20999700670456

Affected versions

v6.*

v6.10-rc1
v6.3
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
v6.9.1
v6.9.2
v6.9.3
v6.9.4
v6.9.5

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "id": "CVE-2024-40923-0966a8a7",
        "target": {
            "file": "drivers/net/vmxnet3/vmxnet3_drv.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9ee14af24e67ef170108db547f7d1f701b3f2bc5",
        "digest": {
            "line_hashes": [
                "273026651954499354304692748195527355722",
                "7701118455507298068231473787329971153",
                "24065623485150556736541466133721481728",
                "177317753454207419044745413763990245716",
                "93662261141235397336793541586627527916"
            ],
            "threshold": 0.9
        }
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-40923-2a0af45f",
        "target": {
            "function": "vmxnet3_rq_destroy_all_rxdataring",
            "file": "drivers/net/vmxnet3/vmxnet3_drv.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9ee14af24e67ef170108db547f7d1f701b3f2bc5",
        "digest": {
            "function_hash": "82365007471190295612415313343296706716",
            "length": 419.0
        }
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-40923-5553fc4b",
        "target": {
            "function": "vmxnet3_rq_destroy_all_rxdataring",
            "file": "drivers/net/vmxnet3/vmxnet3_drv.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aa116ae9d169e28b692292460aed27fc44f4a017",
        "digest": {
            "function_hash": "82365007471190295612415313343296706716",
            "length": 419.0
        }
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-40923-79743080",
        "target": {
            "function": "vmxnet3_rq_destroy_all_rxdataring",
            "file": "drivers/net/vmxnet3/vmxnet3_drv.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ffbe335b8d471f79b259e950cb20999700670456",
        "digest": {
            "function_hash": "82365007471190295612415313343296706716",
            "length": 419.0
        }
    },
    {
        "signature_type": "Line",
        "id": "CVE-2024-40923-d80fcec9",
        "target": {
            "file": "drivers/net/vmxnet3/vmxnet3_drv.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aa116ae9d169e28b692292460aed27fc44f4a017",
        "digest": {
            "line_hashes": [
                "273026651954499354304692748195527355722",
                "7701118455507298068231473787329971153",
                "24065623485150556736541466133721481728",
                "177317753454207419044745413763990245716",
                "93662261141235397336793541586627527916"
            ],
            "threshold": 0.9
        }
    },
    {
        "signature_type": "Line",
        "id": "CVE-2024-40923-f57539d9",
        "target": {
            "file": "drivers/net/vmxnet3/vmxnet3_drv.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ffbe335b8d471f79b259e950cb20999700670456",
        "digest": {
            "line_hashes": [
                "273026651954499354304692748195527355722",
                "7701118455507298068231473787329971153",
                "24065623485150556736541466133721481728",
                "177317753454207419044745413763990245716",
                "93662261141235397336793541586627527916"
            ],
            "threshold": 0.9
        }
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.3.0
Fixed
6.6.35
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.9.6