fkie_cve-2024-35981
Vulnerability from fkie_nvd
Published
2024-05-20 10:15
Modified
2025-01-16 17:22
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
virtio_net: Do not send RSS key if it is not supported
There is a bug when setting the RSS options in virtio_net that can break
the whole machine, getting the kernel into an infinite loop.
Running the following command in any QEMU virtual machine with virtionet
will reproduce this problem:
# ethtool -X eth0 hfunc toeplitz
This is how the problem happens:
1) ethtool_set_rxfh() calls virtnet_set_rxfh()
2) virtnet_set_rxfh() calls virtnet_commit_rss_command()
3) virtnet_commit_rss_command() populates 4 entries for the rss
scatter-gather
4) Since the command above does not have a key, then the last
scatter-gatter entry will be zeroed, since rss_key_size == 0.
sg_buf_size = vi->rss_key_size;
5) This buffer is passed to qemu, but qemu is not happy with a buffer
with zero length, and do the following in virtqueue_map_desc() (QEMU
function):
if (!sz) {
virtio_error(vdev, "virtio: zero sized buffers are not allowed");
6) virtio_error() (also QEMU function) set the device as broken
vdev->broken = true;
7) Qemu bails out, and do not repond this crazy kernel.
8) The kernel is waiting for the response to come back (function
virtnet_send_command())
9) The kernel is waiting doing the following :
while (!virtqueue_get_buf(vi->cvq, &tmp) &&
!virtqueue_is_broken(vi->cvq))
cpu_relax();
10) None of the following functions above is true, thus, the kernel
loops here forever. Keeping in mind that virtqueue_is_broken() does
not look at the qemu `vdev->broken`, so, it never realizes that the
vitio is broken at QEMU side.
Fix it by not sending RSS commands if the feature is not available in
the device.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | 6.9 | |
| linux | linux_kernel | 6.9 | |
| linux | linux_kernel | 6.9 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "E7EA63C6-6BB3-46BD-BB05-AD28AC270B01", versionEndExcluding: "6.1.90", versionStartIncluding: "5.18", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "0999E154-1E68-41FA-8DE3-9A735E382224", versionEndExcluding: "6.6.29", versionStartIncluding: "6.2", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "531BDFB5-EF6A-4707-902E-146368303499", versionEndExcluding: "6.8.7", versionStartIncluding: "6.7", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*", matchCriteriaId: "22BEDD49-2C6D-402D-9DBF-6646F6ECD10B", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*", matchCriteriaId: "DF73CB2A-DFFD-46FB-9BFE-AA394F27EA37", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*", matchCriteriaId: "52048DDA-FC5A-4363-95A0-A6357B4D7F8C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Do not send RSS key if it is not supported\n\nThere is a bug when setting the RSS options in virtio_net that can break\nthe whole machine, getting the kernel into an infinite loop.\n\nRunning the following command in any QEMU virtual machine with virtionet\nwill reproduce this problem:\n\n # ethtool -X eth0 hfunc toeplitz\n\nThis is how the problem happens:\n\n1) ethtool_set_rxfh() calls virtnet_set_rxfh()\n\n2) virtnet_set_rxfh() calls virtnet_commit_rss_command()\n\n3) virtnet_commit_rss_command() populates 4 entries for the rss\nscatter-gather\n\n4) Since the command above does not have a key, then the last\nscatter-gatter entry will be zeroed, since rss_key_size == 0.\nsg_buf_size = vi->rss_key_size;\n\n5) This buffer is passed to qemu, but qemu is not happy with a buffer\nwith zero length, and do the following in virtqueue_map_desc() (QEMU\nfunction):\n\n if (!sz) {\n virtio_error(vdev, \"virtio: zero sized buffers are not allowed\");\n\n6) virtio_error() (also QEMU function) set the device as broken\n\n vdev->broken = true;\n\n7) Qemu bails out, and do not repond this crazy kernel.\n\n8) The kernel is waiting for the response to come back (function\nvirtnet_send_command())\n\n9) The kernel is waiting doing the following :\n\n while (!virtqueue_get_buf(vi->cvq, &tmp) &&\n\t !virtqueue_is_broken(vi->cvq))\n\t cpu_relax();\n\n10) None of the following functions above is true, thus, the kernel\nloops here forever. Keeping in mind that virtqueue_is_broken() does\nnot look at the qemu `vdev->broken`, so, it never realizes that the\nvitio is broken at QEMU side.\n\nFix it by not sending RSS commands if the feature is not available in\nthe device.", }, { lang: "es", value: "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: virtio_net: no enviar clave RSS si no es compatible. Hay un error al configurar las opciones de RSS en virtio_net que puede dañar toda la máquina, haciendo que el kernel entre en un bucle infinito. Ejecutar el siguiente comando en cualquier máquina virtual QEMU con virtionet reproducirá este problema: # ethtool -X eth0 hfunc toeplitz Así es como ocurre el problema: 1) ethtool_set_rxfh() llama a virtnet_set_rxfh() 2) virtnet_set_rxfh() llama a virtnet_commit_rss_command() 3) virtnet_commit_rss_command() completa 4 entradas para rss scatter-gather 4) Dado que el comando anterior no tiene una clave, la última entrada de scatter-gatter se pondrá a cero, ya que rss_key_size == 0. sg_buf_size = vi->rss_key_size; 5) Este búfer se pasa a qemu, pero qemu no está contento con un búfer con longitud cero, y haga lo siguiente en virtqueue_map_desc() (función QEMU): if (!sz) { virtio_error(vdev, \"virtio: buffers de tamaño cero no están permitidos\"); 6) virtio_error() (también función QEMU) configura el dispositivo como roto vdev->broken = true; 7) Qemu se retira y no responde a este kernel loco. 8) El kernel está esperando a que regrese la respuesta (función virtnet_send_command()) 9) El kernel está esperando haciendo lo siguiente: while (!virtqueue_get_buf(vi->cvq, &tmp) && !virtqueue_is_broken(vi->cvq)) cpu_relax(); 10) Ninguna de las siguientes funciones anteriores es verdadera, por lo tanto, el núcleo se repite aquí para siempre. Teniendo en cuenta que virtqueue_is_broken() no mira el qemu `vdev->broken`, por lo tanto, nunca se da cuenta de que el vitio está roto en el lado de QEMU. Solucionelo no enviando comandos RSS si la función no está disponible en el dispositivo.", }, ], id: "CVE-2024-35981", lastModified: "2025-01-16T17:22:05.630", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-05-20T10:15:12.617", references: [ { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/059a49aa2e25c58f90b50151f109dd3c4cdb3a47", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/28e9a64638cd16bc1ecac9ff74ffeacb9fb652de", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/43a71c1b4b3a6d4db857b1435d271540279fc7de", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/539a2b995a4ed93125cb0efae0f793b00ab2158b", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/059a49aa2e25c58f90b50151f109dd3c4cdb3a47", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/28e9a64638cd16bc1ecac9ff74ffeacb9fb652de", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/43a71c1b4b3a6d4db857b1435d271540279fc7de", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/539a2b995a4ed93125cb0efae0f793b00ab2158b", }, ], sourceIdentifier: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-835", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.