CVE-2024-35958
Description
In the Linux kernel, the following vulnerability has been resolved: net: ena: Fix incorrect descriptor free behavior ENA has two types of TX queues: - queues which only process TX packets arriving from the network stack - queues which only process TX packets forwarded to it by XDP_REDIRECT or XDP_TX instructions The ena_free_tx_bufs() cycles through all descriptors in a TX queue and unmaps + frees every descriptor that hasn't been acknowledged yet by the device (uncompleted TX transactions). The function assumes that the processed TX queue is necessarily from the first category listed above and ends up using napi_consume_skb() for descriptors belonging to an XDP specific queue. This patch solves a bug in which, in case of a VF reset, the descriptors aren't freed correctly, leading to crashes.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
Description kernel: net: ena: Fix incorrect descriptor free behavior CVSS v3: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) Errata / fixed releases ProductPackageAdvisoryReleased Red Hat Enterprise Linux 8kernel-rt-0:4.18.0-553.8.1.rt7.349.el8_10RHSA-2024:43522024-07-08T00:00:00Z Red Hat Enterprise Linux 8kernel-0:4.18.0-553.8.1.el8_10RHSA-2024:42112024-07-02T00:00:00Z Red Hat Enterprise…
Description
kernel: net: ena: Fix incorrect descriptor free behavior
CVSS v3: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 8 | kernel-rt-0:4.18.0-553.8.1.rt7.349.el8_10 | RHSA-2024:4352 | 2024-07-08T00:00:00Z |
| Red Hat Enterprise Linux 8 | kernel-0:4.18.0-553.8.1.el8_10 | RHSA-2024:4211 | 2024-07-02T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | kernel-0:4.18.0-372.111.1.el8_6 | RHSA-2024:4447 | 2024-07-10T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | kernel-0:4.18.0-372.111.1.el8_6 | RHSA-2024:4447 | 2024-07-10T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | kernel-0:4.18.0-372.111.1.el8_6 | RHSA-2024:4447 | 2024-07-10T00:00:00Z |
| Red Hat Enterprise Linux 8.8 Extended Update Support | kernel-0:4.18.0-477.64.1.el8_8 | RHSA-2024:4740 | 2024-07-23T00:00:00Z |
| Red Hat Enterprise Linux 9 | kernel-0:5.14.0-427.26.1.el9_4 | RHSA-2024:4583 | 2024-07-17T00:00:00Z |
| Red Hat Enterprise Linux 9 | kernel-0:5.14.0-427.26.1.el9_4 | RHSA-2024:4583 | 2024-07-17T00:00:00Z |
| Red Hat Enterprise Linux 9.2 Extended Update Support | kernel-0:5.14.0-284.71.1.el9_2 | RHSA-2024:4108 | 2024-06-26T00:00:00Z |
| Red Hat Enterprise Linux 9.2 Extended Update Support | kernel-rt-0:5.14.0-284.71.1.rt14.356.el9_2 | RHSA-2024:4106 | 2024-06-26T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 6 | kernel | Not affected |
| Red Hat Enterprise Linux 7 | kernel | Out of support scope |
| Red Hat Enterprise Linux 7 | kernel-rt | Out of support scope |
| Red Hat Enterprise Linux 9 | kernel-rt | Affected |
Apply commands
yum update -y kernel-rt
# or:
dnf upgrade -y kernel-rtAffected
| Vendor | Product | Version |
|---|---|---|
| redhat | Red Hat Enterprise Linux 6 | Not affected |
| redhat | Red Hat Enterprise Linux 9 | Affected |
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| rhel | 9 | fixed | |
| rocky | 8 | fixed | |
| sles | affected | | |
| rocky | 9 | fixed | |
| debian | bookworm | fixed | 6.1.90-1 |
| debian | bullseye | fixed | 5.10.216-1 |
| debian | forky | fixed | 6.8.9-1 |
| debian | sid | fixed | 6.8.9-1 |
| debian | trixie | fixed | 6.8.9-1 |
| debian | 10.0 | affected | |
| linux-kernel | affected | 5.10.216 | |
| linux-kernel | 6.9 | affected | |
| almalinux | 8 | fixed | kernel-abi-stablelists-4.18.0-553.8.1.el8_10.noarch.rpm |
| almalinux | 9 | fixed | kernel-headers-5.14.0-427.26.1.el9_4.aarch64.rpm |
References
- https://access.redhat.com/errata/RHSA-2024:4583
- https://git.kernel.org/stable/c/19ff8fed3338898b70b2aad831386c78564912e1
- https://git.kernel.org/stable/c/5c7f2240d9835a7823d87f7460d8eae9f4e504c7
- https://git.kernel.org/stable/c/b26aa765f7437e1bbe8db4c1641b12bd5dd378f0
- https://git.kernel.org/stable/c/bf02d9fe00632d22fa91d34749c7aacf397b6cde
- https://git.kernel.org/stable/c/c31baa07f01307b7ae05f3ce32b89d8e2ba0cc1d
- https://git.kernel.org/stable/c/fdfbf54d128ab6ab255db138488f9650485795a2
- https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
- https://cert-portal.siemens.com/productcert/html/ssa-265688.html
- https://cert-portal.siemens.com/productcert/html/ssa-613116.html
- https://errata.rockylinux.org/RXSA-2024:4211
- https://errata.rockylinux.org/RLSA-2024:4352
- https://errata.rockylinux.org/RLSA-2024:4211
- https://www.suse.com/security/cve/CVE-2024-35958.html
- https://errata.rockylinux.org/RLSA-2024:4583
- https://security-tracker.debian.org/tracker/CVE-2024-35958
- https://access.redhat.com/errata/RHSA-2024:4211
- https://bugzilla.redhat.com/1918601
- https://bugzilla.redhat.com/2248122
- https://bugzilla.redhat.com/2258875
- https://bugzilla.redhat.com/2265517
- https://bugzilla.redhat.com/2265519
- https://bugzilla.redhat.com/2265520
- https://bugzilla.redhat.com/2265800
- https://bugzilla.redhat.com/2266408
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.