|
Vulnerabilities
< Back

CVE-2024-39506

Updated on 12 Jul 2024

Severity

5.5 Medium severity

Details

CVSS score
5.5
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE ID
Links
NISTCIRCLRHELUbuntu

Overview

About vulnerability

In the Linux kernel, the following vulnerability has been resolved:

liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet

In lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value, but then it is unconditionally passed to skb_add_rx_frag() which looks strange and could lead to null pointer dereference.

lio_vf_rep_copy_packet() call trace looks like: octeon_droq_process_packets octeon_droq_fast_process_packets octeon_droq_dispatch_pkt octeon_create_recv_info …search in the dispatch_list… ->disp_fn(rdisp->rinfo, …) lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, …) In this path there is no code which sets pg_info->page to NULL. So this check looks unneeded and doesn’t solve potential problem. But I guess the author had reason to add a check and I have no such card and can’t do real test. In addition, the code in the function liquidio_push_packet() in liquidio/lio_core.c does exactly the same.

Based on this, I consider the most acceptable compromise solution to adjust this issue by moving skb_add_rx_frag() into conditional scope.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Details

Affected product:
AlmaLinux 9.2 ESU , CentOS 6 ELS , CentOS 7 ELS , CentOS 8.4 ELS , CentOS 8.5 ELS , CentOS Stream 8 ELS , CloudLinux 6 ELS , CloudLinux 7 ELS , Oracle Linux 6 ELS , Oracle Linux 7 ELS , Ubuntu 16.04 ELS , Ubuntu 18.04 ELS
Affected packages:
kernel-uek @ 5.4.17 (+13 more)

In the Linux kernel, the following vulnerability has been resolved:

liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet

In lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value, but then it is unconditionally passed to skb_add_rx_frag() which looks strange and could lead to null pointer dereference.

lio_vf_rep_copy_packet() call trace looks like: octeon_droq_process_packets octeon_droq_fast_process_packets octeon_droq_dispatch_pkt octeon_create_recv_info …search in the dispatch_list… ->disp_fn(rdisp->rinfo, …) lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, …) In this path there is no code which sets pg_info->page to NULL. So this check looks unneeded and doesn’t solve potential problem. But I guess the author had reason to add a check and I have no such card and can’t do real test. In addition, the code in the function liquidio_push_packet() in liquidio/lio_core.c does exactly the same.

Based on this, I consider the most acceptable compromise solution to adjust this issue by moving skb_add_rx_frag() into conditional scope.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes