Lucene search

LinuxCVE-2024-39506

HistoryJul 12, 2024 - 1:15 p.m.

CVE-2024-39506

2024-07-1213:15:12

CWE-476

Linux

web.nvd.nist.gov

linux kernel

liquidio

vulnerability

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

6.6

Confidence

Low

EPSS

Percentile

5.1%

JSON

In the Linux kernel, the following vulnerability has been resolved:

liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet

In lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value,
but then it is unconditionally passed to skb_add_rx_frag() which looks
strange and could lead to null pointer dereference.

lio_vf_rep_copy_packet() call trace looks like:
octeon_droq_process_packets
octeon_droq_fast_process_packets
octeon_droq_dispatch_pkt
octeon_create_recv_info
…search in the dispatch_list…
->disp_fn(rdisp->rinfo, …)
lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, …)
In this path there is no code which sets pg_info->page to NULL.
So this check looks unneeded and doesn’t solve potential problem.
But I guess the author had reason to add a check and I have no such card
and can’t do real test.
In addition, the code in the function liquidio_push_packet() in
liquidio/lio_core.c does exactly the same.

Based on this, I consider the most acceptable compromise solution to
adjust this issue by moving skb_add_rx_frag() into conditional scope.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Affected configurations

Nvd

Vulners

Node

linuxlinux_kernelRange4.15–4.19.317

linuxlinux_kernelRange4.20–5.4.279

linuxlinux_kernelRange5.5–5.10.221

linuxlinux_kernelRange5.11–5.15.162

linuxlinux_kernelRange5.16–6.1.95

linuxlinux_kernelRange6.2–6.6.35

linuxlinux_kernelRange6.7–6.9.6

linuxlinux_kernelMatch6.10rc1

linuxlinux_kernelMatch6.10rc2

linuxlinux_kernelMatch6.10rc3

VendorProductVersionCPE
linuxlinux_kernel*cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linuxlinux_kernel6.10cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*
linuxlinux_kernel6.10cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*
linuxlinux_kernel6.10cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*

Vendor	Product	Version	CPE
linux	linux_kernel	*	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	6.10	cpe:2.3:o:linux:linux_kernel:6.10:rc1::::::
linux	linux_kernel	6.10	cpe:2.3:o:linux:linux_kernel:6.10:rc2::::::
linux	linux_kernel	6.10	cpe:2.3:o:linux:linux_kernel:6.10:rc3::::::

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c"
    ],
    "versions": [
      {
        "version": "1f233f327913",
        "lessThan": "87d6bdc006f0",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "1f233f327913",
        "lessThan": "dcc7440f32c7",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "1f233f327913",
        "lessThan": "cbf18d8128a7",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "1f233f327913",
        "lessThan": "a86490a3712c",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "1f233f327913",
        "lessThan": "f1ab15a09492",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "1f233f327913",
        "lessThan": "fd2b613bc4c5",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "1f233f327913",
        "lessThan": "a6f4d0ec170a",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "1f233f327913",
        "lessThan": "c44711b78608",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c"
    ],
    "versions": [
      {
        "version": "4.15",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "4.15",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.19.317",
        "lessThanOrEqual": "4.19.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.279",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.221",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.162",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.95",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.35",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.9.6",
        "lessThanOrEqual": "6.9.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.10",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]