{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-50042","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-10-21T12:17:06.071Z","datePublished":"2024-10-21T19:39:41.084Z","dateUpdated":"2025-05-04T12:59:25.767Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T12:59:25.767Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix increasing MSI-X on VF\n\nIncreasing MSI-X value on a VF leads to invalid memory operations. This\nis caused by not reallocating some arrays.\n\nReproducer:\n  modprobe ice\n  echo 0 > /sys/bus/pci/devices/$PF_PCI/sriov_drivers_autoprobe\n  echo 1 > /sys/bus/pci/devices/$PF_PCI/sriov_numvfs\n  echo 17 > /sys/bus/pci/devices/$VF0_PCI/sriov_vf_msix_count\n\nDefault MSI-X is 16, so 17 and above triggers this issue.\n\nKASAN reports:\n\n  BUG: KASAN: slab-out-of-bounds in ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]\n  Read of size 8 at addr ffff8888b937d180 by task bash/28433\n  (...)\n\n  Call Trace:\n   (...)\n   ? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]\n   kasan_report+0xed/0x120\n   ? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]\n   ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]\n   ice_vsi_cfg_def+0x3360/0x4770 [ice]\n   ? mutex_unlock+0x83/0xd0\n   ? __pfx_ice_vsi_cfg_def+0x10/0x10 [ice]\n   ? __pfx_ice_remove_vsi_lkup_fltr+0x10/0x10 [ice]\n   ice_vsi_cfg+0x7f/0x3b0 [ice]\n   ice_vf_reconfig_vsi+0x114/0x210 [ice]\n   ice_sriov_set_msix_vec_count+0x3d0/0x960 [ice]\n   sriov_vf_msix_count_store+0x21c/0x300\n   (...)\n\n  Allocated by task 28201:\n   (...)\n   ice_vsi_cfg_def+0x1c8e/0x4770 [ice]\n   ice_vsi_cfg+0x7f/0x3b0 [ice]\n   ice_vsi_setup+0x179/0xa30 [ice]\n   ice_sriov_configure+0xcaa/0x1520 [ice]\n   sriov_numvfs_store+0x212/0x390\n   (...)\n\nTo fix it, use ice_vsi_rebuild() instead of ice_vf_reconfig_vsi(). This\ncauses the required arrays to be reallocated taking the new queue count\ninto account (ice_vsi_realloc_stat_arrays()). Set req_txq and req_rxq\nbefore ice_vsi_rebuild(), so that realloc uses the newly set queue\ncount.\n\nAdditionally, ice_vsi_rebuild() does not remove VSI filters\n(ice_fltr_remove_all()), so ice_vf_init_host_cfg() is no longer\nnecessary."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/intel/ice/ice_sriov.c","drivers/net/ethernet/intel/ice/ice_vf_lib.c","drivers/net/ethernet/intel/ice/ice_vf_lib_private.h"],"versions":[{"version":"2a2cb4c6c18130e9f14d2e39deb75590744d98ef","lessThan":"cbda6197929418fabf0e45ecf9b7a76360944c70","status":"affected","versionType":"git"},{"version":"2a2cb4c6c18130e9f14d2e39deb75590744d98ef","lessThan":"bce9af1b030bf59d51bbabf909a3ef164787e44e","status":"affected","versionType":"git"},{"version":"8910b1cef190545085e9bb486f35dd30ad928a05","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/intel/ice/ice_sriov.c","drivers/net/ethernet/intel/ice/ice_vf_lib.c","drivers/net/ethernet/intel/ice/ice_vf_lib_private.h"],"versions":[{"version":"6.8","status":"affected"},{"version":"0","lessThan":"6.8","status":"unaffected","versionType":"semver"},{"version":"6.11.4","lessThanOrEqual":"6.11.*","status":"unaffected","versionType":"semver"},{"version":"6.12","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.11.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7.10"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/cbda6197929418fabf0e45ecf9b7a76360944c70"},{"url":"https://git.kernel.org/stable/c/bce9af1b030bf59d51bbabf909a3ef164787e44e"}],"title":"ice: Fix increasing MSI-X on VF","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-50042","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-10-22T13:24:38.498470Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-10-22T13:28:44.110Z"}}]}}