cve-2024-44932
Vulnerability from cvelistv5
Published
2024-08-26 10:11
Modified
2024-12-19 09:18
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
idpf: fix UAFs when destroying the queues
The second tagged commit started sometimes (very rarely, but possible)
throwing WARNs from
net/core/page_pool.c:page_pool_disable_direct_recycling().
Turned out idpf frees interrupt vectors with embedded NAPIs *before*
freeing the queues making page_pools' NAPI pointers lead to freed
memory before these pools are destroyed by libeth.
It's not clear whether there are other accesses to the freed vectors
when destroying the queues, but anyway, we usually free queue/interrupt
vectors only when the queues are destroyed and the NAPIs are guaranteed
to not be referenced anywhere.
Invert the allocation and freeing logic making queue/interrupt vectors
be allocated first and freed last. Vectors don't require queues to be
present, so this is safe. Additionally, this change allows to remove
that useless queue->q_vector pointer cleanup, as vectors are still
valid when freeing the queues (+ both are freed within one function,
so it's not clear why nullify the pointers at all).
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-44932",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:27:58.052745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T17:33:06.917Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_lib.c",
"drivers/net/ethernet/intel/idpf/idpf_txrx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3cde714b0e77206ed1b5cf31f28c18ba9ae946fd",
"status": "affected",
"version": "1c325aac10a82f11410da8a2bf35e3e410a42751",
"versionType": "git"
},
{
"lessThan": "290f1c033281c1a502a3cd1c53c3a549259c491f",
"status": "affected",
"version": "1c325aac10a82f11410da8a2bf35e3e410a42751",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_lib.c",
"drivers/net/ethernet/intel/idpf/idpf_txrx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix UAFs when destroying the queues\n\nThe second tagged commit started sometimes (very rarely, but possible)\nthrowing WARNs from\nnet/core/page_pool.c:page_pool_disable_direct_recycling().\nTurned out idpf frees interrupt vectors with embedded NAPIs *before*\nfreeing the queues making page_pools\u0027 NAPI pointers lead to freed\nmemory before these pools are destroyed by libeth.\nIt\u0027s not clear whether there are other accesses to the freed vectors\nwhen destroying the queues, but anyway, we usually free queue/interrupt\nvectors only when the queues are destroyed and the NAPIs are guaranteed\nto not be referenced anywhere.\n\nInvert the allocation and freeing logic making queue/interrupt vectors\nbe allocated first and freed last. Vectors don\u0027t require queues to be\npresent, so this is safe. Additionally, this change allows to remove\nthat useless queue-\u003eq_vector pointer cleanup, as vectors are still\nvalid when freeing the queues (+ both are freed within one function,\nso it\u0027s not clear why nullify the pointers at all)."
}
],
"providerMetadata": {
"dateUpdated": "2024-12-19T09:18:23.809Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3cde714b0e77206ed1b5cf31f28c18ba9ae946fd"
},
{
"url": "https://git.kernel.org/stable/c/290f1c033281c1a502a3cd1c53c3a549259c491f"
}
],
"title": "idpf: fix UAFs when destroying the queues",
"x_generator": {
"engine": "bippy-5f407fcff5a0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-44932",
"datePublished": "2024-08-26T10:11:23.115Z",
"dateReserved": "2024-08-21T05:34:56.664Z",
"dateUpdated": "2024-12-19T09:18:23.809Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-44932\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-08-26T11:15:05.500\",\"lastModified\":\"2024-08-27T16:08:45.020\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nidpf: fix UAFs when destroying the queues\\n\\nThe second tagged commit started sometimes (very rarely, but possible)\\nthrowing WARNs from\\nnet/core/page_pool.c:page_pool_disable_direct_recycling().\\nTurned out idpf frees interrupt vectors with embedded NAPIs *before*\\nfreeing the queues making page_pools\u0027 NAPI pointers lead to freed\\nmemory before these pools are destroyed by libeth.\\nIt\u0027s not clear whether there are other accesses to the freed vectors\\nwhen destroying the queues, but anyway, we usually free queue/interrupt\\nvectors only when the queues are destroyed and the NAPIs are guaranteed\\nto not be referenced anywhere.\\n\\nInvert the allocation and freeing logic making queue/interrupt vectors\\nbe allocated first and freed last. Vectors don\u0027t require queues to be\\npresent, so this is safe. Additionally, this change allows to remove\\nthat useless queue-\u003eq_vector pointer cleanup, as vectors are still\\nvalid when freeing the queues (+ both are freed within one function,\\nso it\u0027s not clear why nullify the pointers at all).\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: idpf: corrige UAF al destruir las colas. La segunda confirmaci\u00f3n etiquetada comenzaba a veces (muy raramente, pero posible) arrojando ADVERTENCIAS desde net/core/page_pool.c:page_pool_disable_direct_recycling(). Result\u00f3 que idpf libera los vectores de interrupci\u00f3n con NAPI incorporadas *antes* de liberar las colas, lo que hace que los punteros NAPI de page_pools conduzcan a la memoria liberada antes de que Libeth destruya estos grupos. No est\u00e1 claro si hay otros accesos a los vectores liberados al destruir las colas, pero de todos modos, generalmente liberamos vectores de cola/interrupci\u00f3n solo cuando las colas se destruyen y se garantiza que no se har\u00e1 referencia a las NAPI en ninguna parte. Invierta la l\u00f3gica de asignaci\u00f3n y liberaci\u00f3n haciendo que los vectores de cola/interrupci\u00f3n se asignen primero y se liberen al final. Los vectores no requieren la presencia de colas, por lo que esto es seguro. Adem\u00e1s, este cambio permite eliminar esa cola in\u00fatil-\u0026gt;limpieza del puntero q_vector, ya que los vectores siguen siendo v\u00e1lidos al liberar las colas (+ ambos se liberan dentro de una funci\u00f3n, por lo que no est\u00e1 claro por qu\u00e9 anular los punteros).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.10.5\",\"matchCriteriaId\":\"D074AE50-4A5E-499C-A2FD-75FD60DEA560\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B3CE743-2126-47A3-8B7C-822B502CF119\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4DEB27E7-30AA-45CC-8934-B89263EF3551\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/290f1c033281c1a502a3cd1c53c3a549259c491f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3cde714b0e77206ed1b5cf31f28c18ba9ae946fd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.