{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-40923","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-07-12T12:17:45.582Z","datePublished":"2024-07-12T12:25:04.245Z","dateUpdated":"2025-05-04T09:17:55.502Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:17:55.502Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nvmxnet3: disable rx data ring on dma allocation failure\n\nWhen vmxnet3_rq_create() fails to allocate memory for rq->data_ring.base,\nthe subsequent call to vmxnet3_rq_destroy_all_rxdataring does not reset\nrq->data_ring.desc_size for the data ring that failed, which presumably\ncauses the hypervisor to reference it on packet reception.\n\nTo fix this bug, rq->data_ring.desc_size needs to be set to 0 to tell\nthe hypervisor to disable this feature.\n\n[   95.436876] kernel BUG at net/core/skbuff.c:207!\n[   95.439074] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[   95.440411] CPU: 7 PID: 0 Comm: swapper/7 Not tainted 6.9.3-dirty #1\n[   95.441558] Hardware name: VMware, Inc. VMware Virtual\nPlatform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018\n[   95.443481] RIP: 0010:skb_panic+0x4d/0x4f\n[   95.444404] Code: 4f 70 50 8b 87 c0 00 00 00 50 8b 87 bc 00 00 00 50\nff b7 d0 00 00 00 4c 8b 8f c8 00 00 00 48 c7 c7 68 e8 be 9f e8 63 58 f9\nff <0f> 0b 48 8b 14 24 48 c7 c1 d0 73 65 9f e8 a1 ff ff ff 48 8b 14 24\n[   95.447684] RSP: 0018:ffffa13340274dd0 EFLAGS: 00010246\n[   95.448762] RAX: 0000000000000089 RBX: ffff8fbbc72b02d0 RCX: 000000000000083f\n[   95.450148] RDX: 0000000000000000 RSI: 00000000000000f6 RDI: 000000000000083f\n[   95.451520] RBP: 000000000000002d R08: 0000000000000000 R09: ffffa13340274c60\n[   95.452886] R10: ffffffffa04ed468 R11: 0000000000000002 R12: 0000000000000000\n[   95.454293] R13: ffff8fbbdab3c2d0 R14: ffff8fbbdbd829e0 R15: ffff8fbbdbd809e0\n[   95.455682] FS:  0000000000000000(0000) GS:ffff8fbeefd80000(0000) knlGS:0000000000000000\n[   95.457178] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   95.458340] CR2: 00007fd0d1f650c8 CR3: 0000000115f28000 CR4: 00000000000406f0\n[   95.459791] Call Trace:\n[   95.460515]  <IRQ>\n[   95.461180]  ? __die_body.cold+0x19/0x27\n[   95.462150]  ? die+0x2e/0x50\n[   95.462976]  ? do_trap+0xca/0x110\n[   95.463973]  ? do_error_trap+0x6a/0x90\n[   95.464966]  ? skb_panic+0x4d/0x4f\n[   95.465901]  ? exc_invalid_op+0x50/0x70\n[   95.466849]  ? skb_panic+0x4d/0x4f\n[   95.467718]  ? asm_exc_invalid_op+0x1a/0x20\n[   95.468758]  ? skb_panic+0x4d/0x4f\n[   95.469655]  skb_put.cold+0x10/0x10\n[   95.470573]  vmxnet3_rq_rx_complete+0x862/0x11e0 [vmxnet3]\n[   95.471853]  vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3]\n[   95.473185]  __napi_poll+0x2b/0x160\n[   95.474145]  net_rx_action+0x2c6/0x3b0\n[   95.475115]  handle_softirqs+0xe7/0x2a0\n[   95.476122]  __irq_exit_rcu+0x97/0xb0\n[   95.477109]  common_interrupt+0x85/0xa0\n[   95.478102]  </IRQ>\n[   95.478846]  <TASK>\n[   95.479603]  asm_common_interrupt+0x26/0x40\n[   95.480657] RIP: 0010:pv_native_safe_halt+0xf/0x20\n[   95.481801] Code: 22 d7 e9 54 87 01 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 93 ba 3b 00 fb f4 <e9> 2c 87 01 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90\n[   95.485563] RSP: 0018:ffffa133400ffe58 EFLAGS: 00000246\n[   95.486882] RAX: 0000000000004000 RBX: ffff8fbbc1d14064 RCX: 0000000000000000\n[   95.488477] RDX: ffff8fbeefd80000 RSI: ffff8fbbc1d14000 RDI: 0000000000000001\n[   95.490067] RBP: ffff8fbbc1d14064 R08: ffffffffa0652260 R09: 00000000000010d3\n[   95.491683] R10: 0000000000000018 R11: ffff8fbeefdb4764 R12: ffffffffa0652260\n[   95.493389] R13: ffffffffa06522e0 R14: 0000000000000001 R15: 0000000000000000\n[   95.495035]  acpi_safe_halt+0x14/0x20\n[   95.496127]  acpi_idle_do_entry+0x2f/0x50\n[   95.497221]  acpi_idle_enter+0x7f/0xd0\n[   95.498272]  cpuidle_enter_state+0x81/0x420\n[   95.499375]  cpuidle_enter+0x2d/0x40\n[   95.500400]  do_idle+0x1e5/0x240\n[   95.501385]  cpu_startup_entry+0x29/0x30\n[   95.502422]  start_secondary+0x11c/0x140\n[   95.503454]  common_startup_64+0x13e/0x141\n[   95.504466]  </TASK>\n[   95.505197] Modules linked in: nft_fib_inet nft_fib_ipv4\nnft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6\nnft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ip\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/vmxnet3/vmxnet3_drv.c"],"versions":[{"version":"6f4833383e8514ea796d094e05c24889b8997fde","lessThan":"9ee14af24e67ef170108db547f7d1f701b3f2bc5","status":"affected","versionType":"git"},{"version":"6f4833383e8514ea796d094e05c24889b8997fde","lessThan":"aa116ae9d169e28b692292460aed27fc44f4a017","status":"affected","versionType":"git"},{"version":"6f4833383e8514ea796d094e05c24889b8997fde","lessThan":"ffbe335b8d471f79b259e950cb20999700670456","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/vmxnet3/vmxnet3_drv.c"],"versions":[{"version":"6.3","status":"affected"},{"version":"0","lessThan":"6.3","status":"unaffected","versionType":"semver"},{"version":"6.6.35","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.9.6","lessThanOrEqual":"6.9.*","status":"unaffected","versionType":"semver"},{"version":"6.10","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.3","versionEndExcluding":"6.6.35"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.3","versionEndExcluding":"6.9.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.3","versionEndExcluding":"6.10"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/9ee14af24e67ef170108db547f7d1f701b3f2bc5"},{"url":"https://git.kernel.org/stable/c/aa116ae9d169e28b692292460aed27fc44f4a017"},{"url":"https://git.kernel.org/stable/c/ffbe335b8d471f79b259e950cb20999700670456"}],"title":"vmxnet3: disable rx data ring on dma allocation failure","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T04:39:55.850Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/9ee14af24e67ef170108db547f7d1f701b3f2bc5","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/aa116ae9d169e28b692292460aed27fc44f4a017","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/ffbe335b8d471f79b259e950cb20999700670456","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-40923","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-09-10T17:05:24.017476Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-11T17:34:28.476Z"}}]}}