CVE-2024-46770

Ethtool callbacks can be executed while reset is in progress and try to access deleted resources, e.g. getting coalesce settings can result in a NULL pointer dereference seen below.

Reproduction steps: Once the driver is fully initialized, trigger reset: # echo 1 > /sys/class/net/<interface>/device/reset when reset is in progress try to get coalesce settings using ethtool: # ethtool -c <interface>

BUG: kernel NULL pointer dereference, address: 0000000000000020 PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 11 PID: 19713 Comm: ethtool Tainted: G S 6.10.0-rc7+ #7 RIP: 0010:icegetqcoalesce+0x2e/0xa0 [ice] RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206 RAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000 R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40 FS: 00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0 Call Trace: <TASK> icegetcoalesce+0x17/0x30 [ice] coalescepreparedata+0x61/0x80 ethnldefaultdoit+0xde/0x340 genlfamilyrcvmsgdoit+0xf2/0x150 genlrcvmsg+0x1b3/0x2c0 netlinkrcvskb+0x5b/0x110 genlrcv+0x28/0x40 netlinkunicast+0x19c/0x290 netlinksendmsg+0x222/0x490 _syssendto+0x1df/0x1f0 _x64syssendto+0x24/0x30 dosyscall64+0x82/0x160 entrySYSCALL64after_hwframe+0x76/0x7e RIP: 0033:0x7faee60d8e27

Calling netifdevicedetach() before reset makes the net core not call the driver when ethtool command is issued, the attempt to execute an ethtool command during reset will result in the following message:

netlink error: No such device

instead of NULL pointer dereference. Once reset is done and icerebuild() is executing, the netifdevice_attach() is called to allow for ethtool operations to occur again in a safe manner.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

fcea6f3da546b93050f3534aadea7bd96c1d7349

Fixed

9e3ffb839249eca113062587659224f856fe14e5

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

fcea6f3da546b93050f3534aadea7bd96c1d7349

Fixed

efe8effe138044a4747d1112ebb8c454d1663723

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

fcea6f3da546b93050f3534aadea7bd96c1d7349

Fixed

36486c9e8e01b84faaee47203eac0b7e9cc7fa4a

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

fcea6f3da546b93050f3534aadea7bd96c1d7349

Fixed

d11a67634227f9f9da51938af085fb41a733848f

Affected versions

v4.*

v4.16

v4.16-rc7

v4.17

v4.17-rc1

v4.17-rc2

v4.17-rc3

v4.17-rc4

v4.17-rc5

v4.17-rc6

v4.17-rc7

v4.18

v4.18-rc1

v4.18-rc2

v4.18-rc3

v4.18-rc4

v4.18-rc5

v4.18-rc6

v4.18-rc7

v4.18-rc8

v4.19

v4.19-rc1

v4.19-rc2

v4.19-rc3

v4.19-rc4

v4.19-rc5

v4.19-rc6

v4.19-rc7

v4.19-rc8

v4.20

v4.20-rc1

v4.20-rc2

v4.20-rc3

v4.20-rc4

v4.20-rc5

v4.20-rc6

v4.20-rc7

v5.*

v5.0

v5.0-rc1

v5.0-rc2

v5.0-rc3

v5.0-rc4

v5.0-rc5

v5.0-rc6

v5.0-rc7

v5.0-rc8

v5.1

v5.1-rc1

v5.1-rc2

v5.1-rc3

v5.1-rc4

v5.1-rc5

v5.1-rc6

v5.1-rc7

v5.10

v5.10-rc1

v5.10-rc2

v5.10-rc3

v5.10-rc4

v5.10-rc5

v5.10-rc6

v5.10-rc7

v5.11

v5.11-rc1

v5.11-rc2

v5.11-rc3

v5.11-rc4

v5.11-rc5

v5.11-rc6

v5.11-rc7

v5.12

v5.12-rc1

v5.12-rc1-dontuse

v5.12-rc2

v5.12-rc3

v5.12-rc4

v5.12-rc5

v5.12-rc6

v5.12-rc7

v5.12-rc8

v5.13

v5.13-rc1

v5.13-rc2

v5.13-rc3

v5.13-rc4

v5.13-rc5

v5.13-rc6

v5.13-rc7

v5.14

v5.14-rc1

v5.14-rc2

v5.14-rc3

v5.14-rc4

v5.14-rc5

v5.14-rc6

v5.14-rc7

v5.15

v5.15-rc1

v5.15-rc2

v5.15-rc3

v5.15-rc4

v5.15-rc5

v5.15-rc6

v5.15-rc7

v5.16

v5.16-rc1

v5.16-rc2

v5.16-rc3

v5.16-rc4

v5.16-rc5

v5.16-rc6

v5.16-rc7

v5.16-rc8

v5.17

v5.17-rc1

v5.17-rc2

v5.17-rc3

v5.17-rc4

v5.17-rc5

v5.17-rc6

v5.17-rc7

v5.17-rc8

v5.18

v5.18-rc1

v5.18-rc2

v5.18-rc3

v5.18-rc4

v5.18-rc5

v5.18-rc6

v5.18-rc7

v5.19

v5.19-rc1

v5.19-rc2

v5.19-rc3

v5.19-rc4

v5.19-rc5

v5.19-rc6

v5.19-rc7

v5.19-rc8

v5.2

v5.2-rc1

v5.2-rc2

v5.2-rc3

v5.2-rc4

v5.2-rc5

v5.2-rc6

v5.2-rc7

v5.3

v5.3-rc1

v5.3-rc2

v5.3-rc3

v5.3-rc4

v5.3-rc5

v5.3-rc6

v5.3-rc7

v5.3-rc8

v5.4

v5.4-rc1

v5.4-rc2

v5.4-rc3

v5.4-rc4

v5.4-rc5

v5.4-rc6

v5.4-rc7

v5.4-rc8

v5.5

v5.5-rc1

v5.5-rc2

v5.5-rc3

v5.5-rc4

v5.5-rc5

v5.5-rc6

v5.5-rc7

v5.6

v5.6-rc1

v5.6-rc2

v5.6-rc3

v5.6-rc4

v5.6-rc5

v5.6-rc6

v5.6-rc7

v5.7

v5.7-rc1

v5.7-rc2

v5.7-rc3

v5.7-rc4

v5.7-rc5

v5.7-rc6

v5.7-rc7

v5.8

v5.8-rc1

v5.8-rc2

v5.8-rc3

v5.8-rc4

v5.8-rc5

v5.8-rc6

v5.8-rc7

v5.9

v5.9-rc1

v5.9-rc2

v5.9-rc3

v5.9-rc4

v5.9-rc5

v5.9-rc6

v5.9-rc7

v5.9-rc8

v6.*

v6.0

v6.0-rc1

v6.0-rc2

v6.0-rc3

v6.0-rc4

v6.0-rc5

v6.0-rc6

v6.0-rc7

v6.1

v6.1-rc1

v6.1-rc2

v6.1-rc3

v6.1-rc4

v6.1-rc5

v6.1-rc6

v6.1-rc7

v6.1-rc8

v6.1.1

v6.1.10

v6.1.100

v6.1.101

v6.1.102

v6.1.103

v6.1.104

v6.1.105

v6.1.106

v6.1.107

v6.1.108

v6.1.109

v6.1.11

v6.1.12

v6.1.13

v6.1.14

v6.1.15

v6.1.16

v6.1.17

v6.1.18

v6.1.19

v6.1.2

v6.1.20

v6.1.21

v6.1.22

v6.1.23

v6.1.24

v6.1.25

v6.1.26

v6.1.27

v6.1.28

v6.1.29

v6.1.3

v6.1.30

v6.1.31

v6.1.32

v6.1.33

v6.1.34

v6.1.35

v6.1.36

v6.1.37

v6.1.38

v6.1.39

v6.1.4

v6.1.40

v6.1.41

v6.1.42

v6.1.43

v6.1.44

v6.1.45

v6.1.46

v6.1.47

v6.1.48

v6.1.49

v6.1.5

v6.1.50

v6.1.51

v6.1.52

v6.1.53

v6.1.54

v6.1.55

v6.1.56

v6.1.57

v6.1.58

v6.1.59

v6.1.6

v6.1.60

v6.1.61

v6.1.62

v6.1.63

v6.1.64

v6.1.65

v6.1.66

v6.1.67

v6.1.68

v6.1.69

v6.1.7

v6.1.70

v6.1.71

v6.1.72

v6.1.73

v6.1.74

v6.1.75

v6.1.76

v6.1.77

v6.1.78

v6.1.79

v6.1.8

v6.1.80

v6.1.81

v6.1.82

v6.1.83

v6.1.84

v6.1.85

v6.1.86

v6.1.87

v6.1.88

v6.1.89

v6.1.9

v6.1.90

v6.1.91

v6.1.92

v6.1.93

v6.1.94

v6.1.95

v6.1.96

v6.1.97

v6.1.98

v6.1.99

v6.10

v6.10-rc1

v6.10-rc2

v6.10-rc3

v6.10-rc4

v6.10-rc5

v6.10-rc6

v6.10-rc7

v6.10.1

v6.10.2

v6.10.3

v6.10.4

v6.10.5

v6.10.6

v6.10.7

v6.10.8

v6.10.9

v6.11-rc1

v6.11-rc2

v6.11-rc3

v6.11-rc4

v6.2

v6.2-rc1

v6.2-rc2

v6.2-rc3

v6.2-rc4

v6.2-rc5

v6.2-rc6

v6.2-rc7

v6.2-rc8

v6.3

v6.3-rc1

v6.3-rc2

v6.3-rc3

v6.3-rc4

v6.3-rc5

v6.3-rc6

v6.3-rc7

v6.4

v6.4-rc1

v6.4-rc2

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.5

v6.5-rc1

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.6

v6.6-rc1

v6.6-rc2

v6.6-rc3

v6.6-rc4

v6.6-rc5

v6.6-rc6

v6.6-rc7

v6.6.1

v6.6.10

v6.6.11

v6.6.12

v6.6.13

v6.6.14

v6.6.15

v6.6.16

v6.6.17

v6.6.18

v6.6.19

v6.6.2

v6.6.20

v6.6.21

v6.6.22

v6.6.23

v6.6.24

v6.6.25

v6.6.26

v6.6.27

v6.6.28

v6.6.29

v6.6.3

v6.6.30

v6.6.31

v6.6.32

v6.6.33

v6.6.34

v6.6.35

v6.6.36

v6.6.37

v6.6.38

v6.6.39

v6.6.4

v6.6.40

v6.6.41

v6.6.42

v6.6.43

v6.6.44

v6.6.45

v6.6.46

v6.6.47

v6.6.48

v6.6.49

v6.6.5

v6.6.50

v6.6.6

v6.6.7

v6.6.8

v6.6.9

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.9

v6.9-rc1

v6.9-rc2

v6.9-rc3

v6.9-rc4

v6.9-rc5

v6.9-rc6

v6.9-rc7

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "id": "CVE-2024-46770-2166c70c",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d11a67634227f9f9da51938af085fb41a733848f",
        "signature_version": "v1",
        "target": {
            "file": "drivers/net/ethernet/intel/ice/ice_main.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "330444835366905997922868531986406971747",
                "26805119935477371479795987512246371195",
                "176771073479013241439457730532544362253",
                "163017164442010051515906081045199106032",
                "58590860837792527913105940472904719396",
                "302327026480171407394034266404384155896",
                "11761200904809183763485153748033571936",
                "5530284780934747679076762865034891558",
                "237077036221371147636777531284728468388",
                "147290929939048209123036845836233198034",
                "275360570435139994830684744946251311656"
            ]
        },
        "deprecated": false
    },
    {
        "signature_type": "Line",
        "id": "CVE-2024-46770-31111de4",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@36486c9e8e01b84faaee47203eac0b7e9cc7fa4a",
        "signature_version": "v1",
        "target": {
            "file": "drivers/net/ethernet/intel/ice/ice_main.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "330444835366905997922868531986406971747",
                "26805119935477371479795987512246371195",
                "176771073479013241439457730532544362253",
                "163017164442010051515906081045199106032",
                "58590860837792527913105940472904719396",
                "302327026480171407394034266404384155896",
                "11761200904809183763485153748033571936",
                "5530284780934747679076762865034891558",
                "237077036221371147636777531284728468388",
                "147290929939048209123036845836233198034",
                "275360570435139994830684744946251311656"
            ]
        },
        "deprecated": false
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-46770-3e9d68c8",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@efe8effe138044a4747d1112ebb8c454d1663723",
        "signature_version": "v1",
        "target": {
            "function": "ice_rebuild",
            "file": "drivers/net/ethernet/intel/ice/ice_main.c"
        },
        "digest": {
            "function_hash": "225746802865819291069641795229511707767",
            "length": 3492.0
        },
        "deprecated": false
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-46770-5f7da1fa",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@efe8effe138044a4747d1112ebb8c454d1663723",
        "signature_version": "v1",
        "target": {
            "function": "ice_prepare_for_reset",
            "file": "drivers/net/ethernet/intel/ice/ice_main.c"
        },
        "digest": {
            "function_hash": "216137888309728600795646213964400883204",
            "length": 1487.0
        },
        "deprecated": false
    },
    {
        "signature_type": "Line",
        "id": "CVE-2024-46770-80ec9513",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@efe8effe138044a4747d1112ebb8c454d1663723",
        "signature_version": "v1",
        "target": {
            "file": "drivers/net/ethernet/intel/ice/ice_main.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "330444835366905997922868531986406971747",
                "26805119935477371479795987512246371195",
                "176771073479013241439457730532544362253",
                "163017164442010051515906081045199106032",
                "58590860837792527913105940472904719396",
                "302327026480171407394034266404384155896",
                "11761200904809183763485153748033571936",
                "5530284780934747679076762865034891558",
                "237077036221371147636777531284728468388",
                "147290929939048209123036845836233198034",
                "275360570435139994830684744946251311656"
            ]
        },
        "deprecated": false
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-46770-a995e0b7",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@36486c9e8e01b84faaee47203eac0b7e9cc7fa4a",
        "signature_version": "v1",
        "target": {
            "function": "ice_prepare_for_reset",
            "file": "drivers/net/ethernet/intel/ice/ice_main.c"
        },
        "digest": {
            "function_hash": "10378462357495695949063033621245842830",
            "length": 1495.0
        },
        "deprecated": false
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-46770-b17b2a56",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@36486c9e8e01b84faaee47203eac0b7e9cc7fa4a",
        "signature_version": "v1",
        "target": {
            "function": "ice_rebuild",
            "file": "drivers/net/ethernet/intel/ice/ice_main.c"
        },
        "digest": {
            "function_hash": "186061516981234776940901906378862657839",
            "length": 3294.0
        },
        "deprecated": false
    },
    {
        "signature_type": "Line",
        "id": "CVE-2024-46770-b4f86816",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9e3ffb839249eca113062587659224f856fe14e5",
        "signature_version": "v1",
        "target": {
            "file": "drivers/net/ethernet/intel/ice/ice_main.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "330444835366905997922868531986406971747",
                "26805119935477371479795987512246371195",
                "176771073479013241439457730532544362253",
                "163017164442010051515906081045199106032",
                "58590860837792527913105940472904719396",
                "302327026480171407394034266404384155896",
                "11761200904809183763485153748033571936",
                "5530284780934747679076762865034891558",
                "237077036221371147636777531284728468388",
                "147290929939048209123036845836233198034",
                "275360570435139994830684744946251311656"
            ]
        },
        "deprecated": false
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-46770-c562ccbf",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9e3ffb839249eca113062587659224f856fe14e5",
        "signature_version": "v1",
        "target": {
            "function": "ice_prepare_for_reset",
            "file": "drivers/net/ethernet/intel/ice/ice_main.c"
        },
        "digest": {
            "function_hash": "9822154483656828344741242943895553874",
            "length": 1447.0
        },
        "deprecated": false
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-46770-da95a15e",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d11a67634227f9f9da51938af085fb41a733848f",
        "signature_version": "v1",
        "target": {
            "function": "ice_rebuild",
            "file": "drivers/net/ethernet/intel/ice/ice_main.c"
        },
        "digest": {
            "function_hash": "64414292198249555777218051765446240506",
            "length": 3281.0
        },
        "deprecated": false
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-46770-f0aa99d5",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9e3ffb839249eca113062587659224f856fe14e5",
        "signature_version": "v1",
        "target": {
            "function": "ice_rebuild",
            "file": "drivers/net/ethernet/intel/ice/ice_main.c"
        },
        "digest": {
            "function_hash": "310584882740073465948449333337577569891",
            "length": 3427.0
        },
        "deprecated": false
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-46770-fe4e7e7d",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d11a67634227f9f9da51938af085fb41a733848f",
        "signature_version": "v1",
        "target": {
            "function": "ice_prepare_for_reset",
            "file": "drivers/net/ethernet/intel/ice/ice_main.c"
        },
        "digest": {
            "function_hash": "137011051058124509795331020174920082717",
            "length": 1503.0
        },
        "deprecated": false
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.17.0

Fixed

6.1.110

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.51

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.10.10