CVE-2024-46770

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
18/09/2024
Last modified:
23/09/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

ice: Add netif_device_attach/detach into PF reset flow

Ethtool callbacks can be executed while reset is in progress and try to access deleted resources, e.g. getting coalesce settings can result in a NULL pointer dereference seen below.

Reproduction steps:
Once the driver is fully initialized, trigger reset:
# echo 1 > /sys/class/net//device/reset
when reset is in progress try to get coalesce settings using ethtool:
# ethtool -c

BUG: kernel NULL pointer dereference, address: 0000000000000020
PGD 0 P4D 0
Oops: Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 11 PID: 19713 Comm: ethtool Tainted: G S 6.10.0-rc7+ #7
RIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice]
RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206
RAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000
R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40
FS: 00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0
Call Trace:

ice_get_coalesce+0x17/0x30 [ice]
coalesce_prepare_data+0x61/0x80
ethnl_default_doit+0xde/0x340
genl_family_rcv_msg_doit+0xf2/0x150
genl_rcv_msg+0x1b3/0x2c0
netlink_rcv_skb+0x5b/0x110
genl_rcv+0x28/0x40
netlink_unicast+0x19c/0x290
netlink_sendmsg+0x222/0x490
__sys_sendto+0x1df/0x1f0
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x82/0x160
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7faee60d8e27

Calling netif_device_detach() before reset makes the net core not call the driver when an ethtool command is issued; the attempt to execute an ethtool command during reset will result in the following message:

netlink error: No such device

instead of a NULL pointer dereference. Once reset is done and ice_rebuild() is executing, netif_device_attach() is called to allow ethtool operations to occur again in a safe manner.
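The detach/attach gating described above, as an added user-space model that is not kernel or ice driver code: struct, field and function names are simplified stand-ins for the kernel's, the per-queue coalesce state is a plain int array, and the driver's NULL dereference is modelled as -EFAULT so the race can be observed without an oops.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
struct ice_pf {
    bool present;          /* stand-in for the netdev __LINK_STATE_PRESENT bit */
    int *q_itr;            /* per-queue coalesce state, torn down during reset */
};

/* Driver callback behind "ethtool -c": the real one oopses on the NULL pointer; this model returns -EFAULT. */
static int ice_get_q_coalesce(const struct ice_pf *pf, int *itr)
{
    if (!pf->q_itr)
        return -EFAULT;
    *itr = pf->q_itr[0];
    return 0;
}

/* Net core side: a detached device is never handed to the driver; the caller gets -ENODEV ("No such device"). */
static int ethnl_get_coalesce(const struct ice_pf *pf, int *itr)
{
    return pf->present ? ice_get_q_coalesce(pf, itr) : -ENODEV;
}

/* PF reset entry: the fix calls netif_device_detach() before teardown. */
static void ice_pf_reset_begin(struct ice_pf *pf, bool fixed)
{
    if (fixed) pf->present = false;        /* netif_device_detach() */
    free(pf->q_itr);
    pf->q_itr = NULL;
}

/* ice_rebuild(): resources return, then netif_device_attach(). */
static void ice_rebuild(struct ice_pf *pf, size_t num_q)
{
    pf->q_itr = calloc(num_q, sizeof(*pf->q_itr));
    pf->present = true;                    /* netif_device_attach() */
}

/* Returns what "ethtool -c" gets back mid-reset; *after_rc (if given) is the result once reset completed (0 either way). */
static int coalesce_during_reset(bool fixed, int *after_rc)
{
    struct ice_pf pf = { .present = false, .q_itr = NULL };
    int itr = 0, rc;
    ice_rebuild(&pf, 4);                   /* driver fully initialised */
    ice_pf_reset_begin(&pf, fixed);        /* reset triggered */
    rc = ethnl_get_coalesce(&pf, &itr);    /* ethtool -c while reset in progress */
    ice_rebuild(&pf, 4);                   /* reset done */
    if (after_rc) *after_rc = ethnl_get_coalesce(&pf, &itr);
    free(pf.q_itr);
    return rc;
}
```

Without the detach, the net core still dispatches into the driver after its queue state is gone; with it, the same request is refused at the net core boundary and succeeds again after attach.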

Vulnerable products and versions

CPE                                               From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      4.17 (including)    6.1.110 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.2 (including)     6.6.51 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.7 (including)     6.10.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*