{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-46766","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-09-11T15:12:18.273Z","datePublished":"2024-09-18T07:12:25.353Z","dateUpdated":"2025-05-04T09:33:46.984Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:33:46.984Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nice: move netif_queue_set_napi to rtnl-protected sections\n\nCurrently, netif_queue_set_napi() is called from ice_vsi_rebuild() that is\nnot rtnl-locked when called from the reset. This creates the need to take\nthe rtnl_lock just for a single function and complicates the\nsynchronization with .ndo_bpf. At the same time, there no actual need to\nfill napi-to-queue information at this exact point.\n\nFill napi-to-queue information when opening the VSI and clear it when the\nVSI is being closed. Those routines are already rtnl-locked.\n\nAlso, rewrite napi-to-queue assignment in a way that prevents inclusion of\nXDP queues, as this leads to out-of-bounds writes, such as one below.\n\n[  +0.000004] BUG: KASAN: slab-out-of-bounds in netif_queue_set_napi+0x1c2/0x1e0\n[  +0.000012] Write of size 8 at addr ffff889881727c80 by task bash/7047\n[  +0.000006] CPU: 24 PID: 7047 Comm: bash Not tainted 6.10.0-rc2+ #2\n[  +0.000004] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021\n[  +0.000003] Call Trace:\n[  +0.000003]  <TASK>\n[  +0.000002]  dump_stack_lvl+0x60/0x80\n[  +0.000007]  print_report+0xce/0x630\n[  +0.000007]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[  +0.000007]  ? __virt_addr_valid+0x1c9/0x2c0\n[  +0.000005]  ? netif_queue_set_napi+0x1c2/0x1e0\n[  +0.000003]  kasan_report+0xe9/0x120\n[  +0.000004]  ? netif_queue_set_napi+0x1c2/0x1e0\n[  +0.000004]  netif_queue_set_napi+0x1c2/0x1e0\n[  +0.000005]  ice_vsi_close+0x161/0x670 [ice]\n[  +0.000114]  ice_dis_vsi+0x22f/0x270 [ice]\n[  +0.000095]  ice_pf_dis_all_vsi.constprop.0+0xae/0x1c0 [ice]\n[  +0.000086]  ice_prepare_for_reset+0x299/0x750 [ice]\n[  +0.000087]  pci_dev_save_and_disable+0x82/0xd0\n[  +0.000006]  pci_reset_function+0x12d/0x230\n[  +0.000004]  reset_store+0xa0/0x100\n[  +0.000006]  ? __pfx_reset_store+0x10/0x10\n[  +0.000002]  ? __pfx_mutex_lock+0x10/0x10\n[  +0.000004]  ? __check_object_size+0x4c1/0x640\n[  +0.000007]  kernfs_fop_write_iter+0x30b/0x4a0\n[  +0.000006]  vfs_write+0x5d6/0xdf0\n[  +0.000005]  ? fd_install+0x180/0x350\n[  +0.000005]  ? __pfx_vfs_write+0x10/0xA10\n[  +0.000004]  ? do_fcntl+0x52c/0xcd0\n[  +0.000004]  ? kasan_save_track+0x13/0x60\n[  +0.000003]  ? kasan_save_free_info+0x37/0x60\n[  +0.000006]  ksys_write+0xfa/0x1d0\n[  +0.000003]  ? __pfx_ksys_write+0x10/0x10\n[  +0.000002]  ? __x64_sys_fcntl+0x121/0x180\n[  +0.000004]  ? _raw_spin_lock+0x87/0xe0\n[  +0.000005]  do_syscall_64+0x80/0x170\n[  +0.000007]  ? _raw_spin_lock+0x87/0xe0\n[  +0.000004]  ? __pfx__raw_spin_lock+0x10/0x10\n[  +0.000003]  ? file_close_fd_locked+0x167/0x230\n[  +0.000005]  ? syscall_exit_to_user_mode+0x7d/0x220\n[  +0.000005]  ? do_syscall_64+0x8c/0x170\n[  +0.000004]  ? do_syscall_64+0x8c/0x170\n[  +0.000003]  ? do_syscall_64+0x8c/0x170\n[  +0.000003]  ? fput+0x1a/0x2c0\n[  +0.000004]  ? filp_close+0x19/0x30\n[  +0.000004]  ? do_dup2+0x25a/0x4c0\n[  +0.000004]  ? __x64_sys_dup2+0x6e/0x2e0\n[  +0.000002]  ? syscall_exit_to_user_mode+0x7d/0x220\n[  +0.000004]  ? do_syscall_64+0x8c/0x170\n[  +0.000003]  ? __count_memcg_events+0x113/0x380\n[  +0.000005]  ? handle_mm_fault+0x136/0x820\n[  +0.000005]  ? do_user_addr_fault+0x444/0xa80\n[  +0.000004]  ? clear_bhb_loop+0x25/0x80\n[  +0.000004]  ? clear_bhb_loop+0x25/0x80\n[  +0.000002]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  +0.000005] RIP: 0033:0x7f2033593154"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/intel/ice/ice_base.c","drivers/net/ethernet/intel/ice/ice_lib.c","drivers/net/ethernet/intel/ice/ice_lib.h","drivers/net/ethernet/intel/ice/ice_main.c"],"versions":[{"version":"91fdbce7e8d69be255b45bfeb52092629a50e267","lessThan":"2285c2faef19ee08a6bd6754f4c3ec07dceb2889","status":"affected","versionType":"git"},{"version":"91fdbce7e8d69be255b45bfeb52092629a50e267","lessThan":"2a5dc090b92cfa5270e20056074241c6db5c9cdd","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/intel/ice/ice_base.c","drivers/net/ethernet/intel/ice/ice_lib.c","drivers/net/ethernet/intel/ice/ice_lib.h","drivers/net/ethernet/intel/ice/ice_main.c"],"versions":[{"version":"6.8","status":"affected"},{"version":"0","lessThan":"6.8","status":"unaffected","versionType":"semver"},{"version":"6.10.10","lessThanOrEqual":"6.10.*","status":"unaffected","versionType":"semver"},{"version":"6.11","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.10.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.11"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2285c2faef19ee08a6bd6754f4c3ec07dceb2889"},{"url":"https://git.kernel.org/stable/c/2a5dc090b92cfa5270e20056074241c6db5c9cdd"}],"title":"ice: move netif_queue_set_napi to rtnl-protected sections","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-09-29T14:42:30.909081Z","id":"CVE-2024-46766","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-29T14:42:45.913Z"}}]}}