
CVE-2024-50042: Vulnerability in Linux Linux

High
Published: Mon Oct 21 2024 (10/21/2024, 19:39:41 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ice: Fix increasing MSI-X on VF

Increasing MSI-X value on a VF leads to invalid memory operations. This is caused by not reallocating some arrays.

Reproducer:

    modprobe ice
    echo 0 > /sys/bus/pci/devices/$PF_PCI/sriov_drivers_autoprobe
    echo 1 > /sys/bus/pci/devices/$PF_PCI/sriov_numvfs
    echo 17 > /sys/bus/pci/devices/$VF0_PCI/sriov_vf_msix_count

Default MSI-X is 16, so 17 and above triggers this issue.

KASAN reports:

    BUG: KASAN: slab-out-of-bounds in ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
    Read of size 8 at addr ffff8888b937d180 by task bash/28433
    (...)

    Call Trace:
    (...)
    ? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
    kasan_report+0xed/0x120
    ? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
    ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
    ice_vsi_cfg_def+0x3360/0x4770 [ice]
    ? mutex_unlock+0x83/0xd0
    ? __pfx_ice_vsi_cfg_def+0x10/0x10 [ice]
    ? __pfx_ice_remove_vsi_lkup_fltr+0x10/0x10 [ice]
    ice_vsi_cfg+0x7f/0x3b0 [ice]
    ice_vf_reconfig_vsi+0x114/0x210 [ice]
    ice_sriov_set_msix_vec_count+0x3d0/0x960 [ice]
    sriov_vf_msix_count_store+0x21c/0x300
    (...)

    Allocated by task 28201:
    (...)
    ice_vsi_cfg_def+0x1c8e/0x4770 [ice]
    ice_vsi_cfg+0x7f/0x3b0 [ice]
    ice_vsi_setup+0x179/0xa30 [ice]
    ice_sriov_configure+0xcaa/0x1520 [ice]
    sriov_numvfs_store+0x212/0x390
    (...)

To fix it, use ice_vsi_rebuild() instead of ice_vf_reconfig_vsi(). This causes the required arrays to be reallocated taking the new queue count into account (ice_vsi_realloc_stat_arrays()). Set req_txq and req_rxq before ice_vsi_rebuild(), so that realloc uses the newly set queue count.

Additionally, ice_vsi_rebuild() does not remove VSI filters (ice_fltr_remove_all()), so ice_vf_init_host_cfg() is no longer necessary.

AI-Powered Analysis

Last updated: 06/27/2025, 21:54:52 UTC

Technical Analysis

CVE-2024-50042 is a vulnerability in the Linux kernel's 'ice' network driver, which manages Intel Ethernet devices. The flaw arises when the MSI-X (Message Signaled Interrupts eXtended) count for a Virtual Function (VF) is raised above the default of 16 without the driver reallocating its internal data structures. Setting the MSI-X count to 17 or more triggers invalid memory operations because the arrays that track per-queue statistics keep their old size. The result is an out-of-bounds memory access, which Kernel Address Sanitizer (KASAN) reports as a slab-out-of-bounds read in ice_vsi_alloc_ring_stats() during allocation of the ring statistics structures.

The root cause is the use of ice_vf_reconfig_vsi(), which does not reallocate these arrays. The fix replaces it with ice_vsi_rebuild(), which reallocates them (via ice_vsi_realloc_stat_arrays()) using the new queue counts; req_txq and req_rxq are set before the rebuild so that the reallocation sees the new values. Because ice_vsi_rebuild() does not remove VSI filters (ice_fltr_remove_all()), the call to ice_vf_init_host_cfg() is no longer necessary.

The vulnerability can be reproduced by loading the ice module, disabling SR-IOV driver autoprobe, enabling one VF, and setting the VF MSI-X count to 17 or higher. While no known exploits are reported in the wild, the issue can cause kernel crashes or memory corruption, potentially leading to denial of service or privilege escalation if exploited. The vulnerability affects specific Linux kernel versions identified by commit hashes, indicating it is present in recent development or stable branches using the ice driver. No CVSS score is assigned yet, but the technical details and patch guidance are published as of October 21, 2024.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems using Intel Ethernet devices managed by the ice driver, especially those leveraging SR-IOV (Single Root I/O Virtualization) for virtualized network functions. Data centers, cloud providers, and enterprises with virtualized infrastructure relying on Linux servers with affected network cards could experience kernel crashes or instability if the MSI-X count is manipulated maliciously or accidentally. This could lead to denial of service conditions, impacting availability of critical services. In worst cases, memory corruption might be leveraged for privilege escalation or arbitrary code execution, threatening confidentiality and integrity. Given the widespread use of Linux in European government, finance, telecom, and industrial sectors, the vulnerability could disrupt essential services or expose sensitive data if exploited. However, exploitation requires specific conditions such as the ability to modify VF MSI-X counts, which may limit attack vectors to privileged users or attackers with access to virtualized environments. Nonetheless, the presence of this flaw in kernel networking code makes it a significant concern for infrastructure stability and security in Europe’s highly virtualized and cloud-dependent IT environments.

Mitigation Recommendations

European organizations should promptly apply Linux kernel updates that include the patch replacing ice_vf_reconfig_vsi() with ice_vsi_rebuild() to ensure proper memory allocation when changing MSI-X counts on VFs. System administrators should audit and restrict permissions to prevent unauthorized modification of SR-IOV VF MSI-X counts, limiting this capability to trusted administrators only. Monitoring kernel logs for KASAN or slab-out-of-bounds errors related to the ice driver can help detect attempts to trigger this vulnerability. Virtualized environments should be reviewed to ensure that VF configurations do not exceed default MSI-X counts unnecessarily. Network device firmware and driver versions should be verified against vendor advisories to confirm they incorporate the fix. Additionally, organizations should implement strict access controls and network segmentation to reduce the risk of attackers gaining the required privileges to exploit this issue. Regular vulnerability scanning and patch management processes must prioritize this kernel update due to its potential impact on availability and security of network infrastructure.
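One way to automate the log monitoring recommended above, as an added example (not code from this page or from the kernel project): it parses KASAN reports out of kernel log text and keeps those raised in the ice module whose call trace passes through sriov_vf_msix_count_store. The sample log is constructed from the trace in the description with made-up timestamps; KASAN reports appear only on kernels built with CONFIG_KASAN, so this assumes a debug or test kernel.

```python
import re

# Constructed sample: modelled on the KASAN report quoted in the description.
# Timestamps are made up and the second report is unrelated noise.
SAMPLE_LOG = """\
[  101.000001] BUG: KASAN: slab-out-of-bounds in ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
[  101.000002] Read of size 8 at addr ffff8888b937d180 by task bash/28433
[  101.000003] Call Trace:
[  101.000004]  ? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
[  101.000005]  ice_vsi_cfg_def+0x3360/0x4770 [ice]
[  101.000006]  ice_vf_reconfig_vsi+0x114/0x210 [ice]
[  101.000007]  ice_sriov_set_msix_vec_count+0x3d0/0x960 [ice]
[  101.000008]  sriov_vf_msix_count_store+0x21c/0x300
[  250.000001] BUG: KASAN: use-after-free in example_fn+0x10/0x20 [example]
[  250.000002] Read of size 4 at addr ffff888000000000 by task worker/77
[  250.000003] Call Trace:
[  250.000004]  example_fn+0x10/0x20 [example]
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]")  # dmesg-style timestamp prefix
HEADER = re.compile(r"BUG: KASAN: (?P<kind>\S+) in (?P<func>\w+)"
                    r"\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?")
TASK = re.compile(r"by task (?P<task>\S+)/(?P<pid>\d+)")
FRAME = re.compile(r"^\s*\??\s*(?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_kasan_reports(text):
    """Split kernel log text into KASAN reports with kind, module, task, frames."""
    reports, cur = [], None
    for raw in text.splitlines():
        line = STAMP.sub("", raw)
        head = HEADER.search(line)
        if head:  # a new report starts here
            cur = {**head.groupdict(), "task": None, "frames": []}
            reports.append(cur)
            continue
        if cur is None:
            continue  # ignore lines before the first report
        task, frame = TASK.search(line), FRAME.match(line)
        if task:
            cur["task"] = f"{task['task']}/{task['pid']}"
        elif frame:
            cur["frames"].append(frame["func"])
    return reports

def msix_resize_hits(text):
    """Reports in the ice module reached through the VF MSI-X sysfs write path."""
    return [r for r in parse_kasan_reports(text)
            if r["mod"] == "ice" and "sriov_vf_msix_count_store" in r["frames"]]
```

Feed it the output of `dmesg` or a saved kernel log; each hit carries the task name and PID that wrote to sriov_vf_msix_count, which is the starting point for checking who holds that permission.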


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-10-21T12:17:06.071Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9820c4522896dcbdcef4

Added to database: 5/21/2025, 9:08:48 AM

Last enriched: 6/27/2025, 9:54:52 PM

Last updated: 8/3/2025, 7:14:07 PM
