ghsa-j624-93rx-49pr
Vulnerability from github
Published
2024-07-29 15:30
Modified
2024-07-29 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

i40e: Fix XDP program unloading while removing the driver

The commit 6533e558c650 ("i40e: Fix reset path while removing the driver") introduced a new PF state "__I40E_IN_REMOVE" to block modifying the XDP program while the driver is being removed. Unfortunately, such a change is useful only if the ".ndo_bpf()" callback was called out of the rmmod context because unloading the existing XDP program is also a part of driver removing procedure. In other words, from the rmmod context the driver is expected to unload the XDP program without reporting any errors. Otherwise, the kernel warning with callstack is printed out to dmesg.

Example failing scenario: 1. Load the i40e driver. 2. Load the XDP program. 3. Unload the i40e driver (using "rmmod" command).

The example kernel warning log:

[ +0.004646] WARNING: CPU: 94 PID: 10395 at net/core/dev.c:9290 unregister_netdevice_many_notify+0x7a9/0x870 [...] [ +0.010959] RIP: 0010:unregister_netdevice_many_notify+0x7a9/0x870 [...] [ +0.002726] Call Trace: [ +0.002457] [ +0.002119] ? __warn+0x80/0x120 [ +0.003245] ? unregister_netdevice_many_notify+0x7a9/0x870 [ +0.005586] ? report_bug+0x164/0x190 [ +0.003678] ? handle_bug+0x3c/0x80 [ +0.003503] ? exc_invalid_op+0x17/0x70 [ +0.003846] ? asm_exc_invalid_op+0x1a/0x20 [ +0.004200] ? unregister_netdevice_many_notify+0x7a9/0x870 [ +0.005579] ? unregister_netdevice_many_notify+0x3cc/0x870 [ +0.005586] unregister_netdevice_queue+0xf7/0x140 [ +0.004806] unregister_netdev+0x1c/0x30 [ +0.003933] i40e_vsi_release+0x87/0x2f0 [i40e] [ +0.004604] i40e_remove+0x1a1/0x420 [i40e] [ +0.004220] pci_device_remove+0x3f/0xb0 [ +0.003943] device_release_driver_internal+0x19f/0x200 [ +0.005243] driver_detach+0x48/0x90 [ +0.003586] bus_remove_driver+0x6d/0xf0 [ +0.003939] pci_unregister_driver+0x2e/0xb0 [ +0.004278] i40e_exit_module+0x10/0x5f0 [i40e] [ +0.004570] __do_sys_delete_module.isra.0+0x197/0x310 [ +0.005153] do_syscall_64+0x85/0x170 [ +0.003684] ? syscall_exit_to_user_mode+0x69/0x220 [ +0.004886] ? do_syscall_64+0x95/0x170 [ +0.003851] ? exc_page_fault+0x7e/0x180 [ +0.003932] entry_SYSCALL_64_after_hwframe+0x71/0x79 [ +0.005064] RIP: 0033:0x7f59dc9347cb [ +0.003648] Code: 73 01 c3 48 8b 0d 65 16 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 16 0c 00 f7 d8 64 89 01 48 [ +0.018753] RSP: 002b:00007ffffac99048 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 [ +0.007577] RAX: ffffffffffffffda RBX: 0000559b9bb2f6e0 RCX: 00007f59dc9347cb [ +0.007140] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000559b9bb2f748 [ +0.007146] RBP: 00007ffffac99070 R08: 1999999999999999 R09: 0000000000000000 [ +0.007133] R10: 00007f59dc9a5ac0 R11: 0000000000000206 R12: 0000000000000000 [ +0.007141] R13: 00007ffffac992d8 R14: 0000559b9bb2f6e0 R15: 0000000000000000 [ +0.007151] [ +0.002204] ---[ end trace 0000000000000000 ]---

Fix this by checking if the XDP program is being loaded or unloaded. Then, block only loading a new program while "__I40E_IN_REMOVE" is set. Also, move testing "__I40E_IN_REMOVE" flag to the beginning of XDP_SETUP callback to avoid unnecessary operations and checks.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-41047"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-29T15:15:13Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix XDP program unloading while removing the driver\n\nThe commit 6533e558c650 (\"i40e: Fix reset path while removing\nthe driver\") introduced a new PF state \"__I40E_IN_REMOVE\" to block\nmodifying the XDP program while the driver is being removed.\nUnfortunately, such a change is useful only if the \".ndo_bpf()\"\ncallback was called out of the rmmod context because unloading the\nexisting XDP program is also a part of driver removing procedure.\nIn other words, from the rmmod context the driver is expected to\nunload the XDP program without reporting any errors. Otherwise,\nthe kernel warning with callstack is printed out to dmesg.\n\nExample failing scenario:\n 1. Load the i40e driver.\n 2. Load the XDP program.\n 3. Unload the i40e driver (using \"rmmod\" command).\n\nThe example kernel warning log:\n\n[  +0.004646] WARNING: CPU: 94 PID: 10395 at net/core/dev.c:9290 unregister_netdevice_many_notify+0x7a9/0x870\n[...]\n[  +0.010959] RIP: 0010:unregister_netdevice_many_notify+0x7a9/0x870\n[...]\n[  +0.002726] Call Trace:\n[  +0.002457]  \u003cTASK\u003e\n[  +0.002119]  ? __warn+0x80/0x120\n[  +0.003245]  ? unregister_netdevice_many_notify+0x7a9/0x870\n[  +0.005586]  ? report_bug+0x164/0x190\n[  +0.003678]  ? handle_bug+0x3c/0x80\n[  +0.003503]  ? exc_invalid_op+0x17/0x70\n[  +0.003846]  ? asm_exc_invalid_op+0x1a/0x20\n[  +0.004200]  ? unregister_netdevice_many_notify+0x7a9/0x870\n[  +0.005579]  ? unregister_netdevice_many_notify+0x3cc/0x870\n[  +0.005586]  unregister_netdevice_queue+0xf7/0x140\n[  +0.004806]  unregister_netdev+0x1c/0x30\n[  +0.003933]  i40e_vsi_release+0x87/0x2f0 [i40e]\n[  +0.004604]  i40e_remove+0x1a1/0x420 [i40e]\n[  +0.004220]  pci_device_remove+0x3f/0xb0\n[  +0.003943]  device_release_driver_internal+0x19f/0x200\n[  +0.005243]  driver_detach+0x48/0x90\n[  +0.003586]  bus_remove_driver+0x6d/0xf0\n[  +0.003939]  pci_unregister_driver+0x2e/0xb0\n[  +0.004278]  i40e_exit_module+0x10/0x5f0 [i40e]\n[  +0.004570]  __do_sys_delete_module.isra.0+0x197/0x310\n[  +0.005153]  do_syscall_64+0x85/0x170\n[  +0.003684]  ? syscall_exit_to_user_mode+0x69/0x220\n[  +0.004886]  ? do_syscall_64+0x95/0x170\n[  +0.003851]  ? exc_page_fault+0x7e/0x180\n[  +0.003932]  entry_SYSCALL_64_after_hwframe+0x71/0x79\n[  +0.005064] RIP: 0033:0x7f59dc9347cb\n[  +0.003648] Code: 73 01 c3 48 8b 0d 65 16 0c 00 f7 d8 64 89 01 48 83\nc8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f\n05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 16 0c 00 f7 d8 64 89 01 48\n[  +0.018753] RSP: 002b:00007ffffac99048 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0\n[  +0.007577] RAX: ffffffffffffffda RBX: 0000559b9bb2f6e0 RCX: 00007f59dc9347cb\n[  +0.007140] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000559b9bb2f748\n[  +0.007146] RBP: 00007ffffac99070 R08: 1999999999999999 R09: 0000000000000000\n[  +0.007133] R10: 00007f59dc9a5ac0 R11: 0000000000000206 R12: 0000000000000000\n[  +0.007141] R13: 00007ffffac992d8 R14: 0000559b9bb2f6e0 R15: 0000000000000000\n[  +0.007151]  \u003c/TASK\u003e\n[  +0.002204] ---[ end trace 0000000000000000 ]---\n\nFix this by checking if the XDP program is being loaded or unloaded.\nThen, block only loading a new program while \"__I40E_IN_REMOVE\" is set.\nAlso, move testing \"__I40E_IN_REMOVE\" flag to the beginning of XDP_SETUP\ncallback to avoid unnecessary operations and checks.",
  "id": "GHSA-j624-93rx-49pr",
  "modified": "2024-07-29T15:30:42Z",
  "published": "2024-07-29T15:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41047"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0075b8c94d76830c7b6f018f6e4eeb0bf6465fdc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/01fc5142ae6b06b61ed51a624f2732d6525d8ea3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4bc336b2345f1485438c0eb7246d9c8a8d09f8ff"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5266302cb2c74d8ab0e9a69d5752fffaea70496e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b399a68054dfb36eed121846ef5fcddba40b7740"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.