Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2026-31505

CVSS v3.1 severity: HIGH
Type: CWE-787 Out-of-bounds Write
Publication date: 22/04/2026
Last modified: 28/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

iavf: fix out-of-bounds writes in iavf_get_ethtool_stats()

iavf incorrectly uses real_num_tx_queues for ETH_SS_STATS. Since the
value could change in runtime, we should use num_tx_queues instead.

Moreover iavf_get_ethtool_stats() uses num_active_queues while
iavf_get_sset_count() and iavf_get_stat_strings() use
real_num_tx_queues, which triggers out-of-bounds writes when we do
"ethtool -L" and "ethtool -S" simultaneously [1].

For example when we change channels from 1 to 8, Thread 3 could be
scheduled before Thread 2, and out-of-bounds writes could be triggered
in Thread 3:

Thread 1 (ethtool -L)           Thread 2 (work)             Thread 3 (ethtool -S)
iavf_set_channels()
...
iavf_alloc_queues()
-> num_active_queues = 8
iavf_schedule_finish_config()
                                                            iavf_get_sset_count()
                                                            real_num_tx_queues: 1
                                                            -> buffer for 1 queue
                                                            iavf_get_ethtool_stats()
                                                            num_active_queues: 8
                                                            -> out-of-bounds!
                                iavf_finish_config()
                                -> real_num_tx_queues = 8

Use immutable num_tx_queues in all related functions to avoid the issue.

[1]
BUG: KASAN: vmalloc-out-of-bounds in iavf_add_one_ethtool_stat+0x200/0x270
Write of size 8 at addr ffffc900031c9080 by task ethtool/5800

CPU: 1 UID: 0 PID: 5800 Comm: ethtool Not tainted 6.19.0-enjuk-08403-g8137e3db7f1c #241 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:

 dump_stack_lvl+0x6f/0xb0
 print_report+0x170/0x4f3
 kasan_report+0xe1/0x180
 iavf_add_one_ethtool_stat+0x200/0x270
 iavf_get_ethtool_stats+0x14c/0x2e0
 __dev_ethtool+0x3d0c/0x5830
 dev_ethtool+0x12d/0x270
 dev_ioctl+0x53c/0xe30
 sock_do_ioctl+0x1a9/0x270
 sock_ioctl+0x3d4/0x5e0
 __x64_sys_ioctl+0x137/0x1c0
 do_syscall_64+0xf3/0x690
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7da0e6e36d
...

The buggy address belongs to a 1-page vmalloc region starting at 0xffffc900031c9000 allocated at __dev_ethtool+0x3cc9/0x5830
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88813a013de0 pfn:0x13a013
flags: 0x200000000000000(node=0|zone=2)
raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff88813a013de0 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffffc900031c8f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc900031c9000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc900031c9080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc900031c9100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc900031c9180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
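
The counter mismatch described above, replayed as an added userspace model in C (an illustration written for this page, not code from the kernel or from the advisory). The names `model_adapter`, `fill_stats` and `simulate_race`, the 4 statistics per queue, the 16-queue maximum and the zero-fill for inactive queues are assumptions; out-of-range writes are counted rather than performed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define STATS_PER_QUEUE 4u /* assumed: Tx+Rx ring, packets+bytes each */
#define MAX_QUEUES 16u     /* assumed value for immutable num_tx_queues */

/* Userspace model of the three counters named in the advisory. */
struct model_adapter {
    unsigned num_tx_queues;      /* fixed when the netdev is allocated */
    unsigned real_num_tx_queues; /* updated late, by the finish_config work */
    unsigned num_active_queues;  /* updated early, by set_channels */
};

/* Fill stats for `queues` queues into buf[cap]. Writes past cap are
 * counted instead of performed, so the model itself stays memory-safe. */
static size_t fill_stats(uint64_t *buf, size_t cap, unsigned queues,
                         const struct model_adapter *a)
{
    size_t pos = 0, oob = 0;
    for (unsigned q = 0; q < queues; q++)
        for (unsigned s = 0; s < STATS_PER_QUEUE; s++, pos++) {
            if (pos >= cap) { oob++; continue; }
            /* inactive queues report zero (assumed behaviour) */
            buf[pos] = q < a->num_active_queues ? q + 1 : 0;
        }
    return oob;
}

/* Replay the advisory's interleaving: "ethtool -L" 1 -> 8, then
 * "ethtool -S" before the work item runs. Returns out-of-bounds slots. */
static size_t simulate_race(int fixed)
{
    struct model_adapter a = { MAX_QUEUES, 1, 1 };

    a.num_active_queues = 8;                       /* Thread 1 */
    unsigned sized  = fixed ? a.num_tx_queues : a.real_num_tx_queues;
    unsigned filled = fixed ? a.num_tx_queues : a.num_active_queues;
    size_t cap = (size_t)sized * STATS_PER_QUEUE;  /* Thread 3: sset_count */
    uint64_t *buf = calloc(cap, sizeof(*buf));
    if (!buf) return (size_t)-1;
    size_t oob = fill_stats(buf, cap, filled, &a); /* Thread 3: get stats */
    a.real_num_tx_queues = 8;                      /* Thread 2, too late */
    free(buf);
    return oob;
}

int main(void)
{
    printf("before fix: %zu slots out of bounds\n", simulate_race(0));
    printf("after fix:  %zu slots out of bounds\n", simulate_race(1));
    return 0;
}
```

With sizing and filling both tied to `num_tx_queues`, the buffer length no longer depends on which thread runs first.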

Vulnerable products and versions

CPE                                             From                  Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.17.1 (including)    6.12.80 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.13 (including)      6.18.21 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.19 (including)      6.19.11 (excluding)
cpe:2.3:o:linux:linux_kernel:5.17:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*