CVE-2024-56674

{"id": "CVE-2024-56674", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-12-27T15:15:27.313", "references": [{"url": "https://git.kernel.org/stable/c/3ddccbefebdbe0c4c72a248676e4d39ac66a8e26", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b4294d4ac61fbb382811a1d64eaf81f446ce2af4", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-672"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: correct netdev_tx_reset_queue() invocation point\n\nWhen virtnet_close is followed by virtnet_open, some TX completions can\npossibly remain unconsumed, until they are finally processed during the\nfirst NAPI poll after the netdev_tx_reset_queue(), resulting in a crash\n[1]. Commit b96ed2c97c79 (\"virtio_net: move netdev_tx_reset_queue() call\nbefore RX napi enable\") was not sufficient to eliminate all BQL crash\ncases for virtio-net.\n\nThis issue can be reproduced with the latest net-next master by running:\n`while :; do ip l set DEV down; ip l set DEV up; done` under heavy network\nTX load from inside the machine.\n\nnetdev_tx_reset_queue() can actually be dropped from virtnet_open path;\nthe device is not stopped in any case. For BQL core part, it's just like\ntraffic nearly ceases to exist for some period. For stall detector added\nto BQL, even if virtnet_close could somehow lead to some TX completions\ndelayed for long, followed by virtnet_open, we can just take it as stall\nas mentioned in commit 6025b9135f7a (\"net: dqs: add NIC stall detector\nbased on BQL\"). Note also that users can still reset stall_max via sysfs.\n\nSo, drop netdev_tx_reset_queue() from virtnet_enable_queue_pair(). This\neliminates the BQL crashes. As a result, netdev_tx_reset_queue() is now\nexplicitly required in freeze/restore path. This patch adds it to\nimmediately after free_unused_bufs(), following the rule of thumb:\nnetdev_tx_reset_queue() should follow any SKB freeing not followed by\nnetdev_tx_completed_queue(). This seems the most consistent and\nstreamlined approach, and now netdev_tx_reset_queue() runs whenever\nfree_unused_bufs() is done.\n\n[1]:\n------------[ cut here ]------------\nkernel BUG at lib/dynamic_queue_limits.c:99!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 7 UID: 0 PID: 1598 Comm: ip Tainted: G N 6.12.0net-next_main+ #2\nTainted: [N]=TEST\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), \\\nBIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nRIP: 0010:dql_completed+0x26b/0x290\nCode: b7 c2 49 89 e9 44 89 da 89 c6 4c 89 d7 e8 ed 17 47 00 58 65 ff 0d\n4d 27 90 7e 0f 85 fd fe ff ff e8 ea 53 8d ff e9 f3 fe ff ff <0f> 0b 01\nd2 44 89 d1 29 d1 ba 00 00 00 00 0f 48 ca e9 28 ff ff ff\nRSP: 0018:ffffc900002b0d08 EFLAGS: 00010297\nRAX: 0000000000000000 RBX: ffff888102398c80 RCX: 0000000080190009\nRDX: 0000000000000000 RSI: 000000000000006a RDI: 0000000000000000\nRBP: ffff888102398c00 R08: 0000000000000000 R09: 0000000000000000\nR10: 00000000000000ca R11: 0000000000015681 R12: 0000000000000001\nR13: ffffc900002b0d68 R14: ffff88811115e000 R15: ffff8881107aca40\nFS: 00007f41ded69500(0000) GS:ffff888667dc0000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000556ccc2dc1a0 CR3: 0000000104fd8003 CR4: 0000000000772ef0\nPKRU: 55555554\nCall Trace:\n <IRQ>\n ? die+0x32/0x80\n ? do_trap+0xd9/0x100\n ? dql_completed+0x26b/0x290\n ? dql_completed+0x26b/0x290\n ? do_error_trap+0x6d/0xb0\n ? dql_completed+0x26b/0x290\n ? exc_invalid_op+0x4c/0x60\n ? dql_completed+0x26b/0x290\n ? asm_exc_invalid_op+0x16/0x20\n ? dql_completed+0x26b/0x290\n __free_old_xmit+0xff/0x170 [virtio_net]\n free_old_xmit+0x54/0xc0 [virtio_net]\n virtnet_poll+0xf4/0xe30 [virtio_net]\n ? __update_load_avg_cfs_rq+0x264/0x2d0\n ? update_curr+0x35/0x260\n ? reweight_entity+0x1be/0x260\n __napi_poll.constprop.0+0x28/0x1c0\n net_rx_action+0x329/0x420\n ? enqueue_hrtimer+0x35/0x90\n ? trace_hardirqs_on+0x1d/0x80\n ? kvm_sched_clock_read+0xd/0x20\n ? sched_clock+0xc/0x30\n ? kvm_sched_clock_read+0xd/0x20\n ? sched_clock+0xc/0x30\n ? sched_clock_cpu+0xd/0x1a0\n handle_softirqs+0x138/0x3e0\n do_softirq.part.0+0x89/0xc0\n </IRQ>\n <TASK>\n __local_bh_enable_ip+0xa7/0xb0\n virtnet_open+0xc8/0x310 [virtio_net]\n __dev_open+0xfa/0x1b0\n __dev_change_flags+0x1de/0x250\n dev_change_flags+0x22/0x60\n do_setlink.isra.0+0x2df/0x10b0\n ? rtnetlink_rcv_msg+0x34f/0x3f0\n ? netlink_rcv_skb+0x54/0x100\n ? netlink_unicas\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: virtio_net: punto de invocaci\u00f3n correcto de netdev_tx_reset_queue() Cuando virtnet_close es seguido por virtnet_open, es posible que algunas finalizaciones de TX permanezcan sin consumir, hasta que finalmente se procesen durante el primer sondeo NAPI despu\u00e9s de netdev_tx_reset_queue(), lo que resulta en un bloqueo [1]. el commit b96ed2c97c79 (\"virtio_net: mover la llamada netdev_tx_reset_queue() antes de la habilitaci\u00f3n de napi RX\") no fue suficiente para eliminar todos los casos de bloqueo de BQL para virtio-net. Este problema se puede reproducir con el \u00faltimo maestro net-next ejecutando: `while :; do ip l set DEV down; ip l set DEV up; done` bajo una carga de TX de red pesada desde el interior de la m\u00e1quina. netdev_tx_reset_queue() en realidad se puede eliminar de la ruta virtnet_open; el dispositivo no se detiene en ning\u00fan caso. Para la parte principal de BQL, es como si el tr\u00e1fico casi dejara de existir durante un per\u00edodo. Para el detector de bloqueo agregado a BQL, incluso si virtnet_close pudiera de alguna manera provocar que algunas finalizaciones de TX se retrasaran durante mucho tiempo, seguido de virtnet_open, podemos simplemente tomarlo como un bloqueo como se menciona en el commit 6025b9135f7a (\"net: dqs: agregar detector de bloqueo de NIC basado en BQL\"). Tenga en cuenta tambi\u00e9n que los usuarios a\u00fan pueden restablecer stall_max a trav\u00e9s de sysfs. Por lo tanto, elimine netdev_tx_reset_queue() de virtnet_enable_queue_pair(). Esto elimina los bloqueos de BQL. Como resultado, netdev_tx_reset_queue() ahora se requiere expl\u00edcitamente en la ruta de congelamiento/restauraci\u00f3n. Este parche lo agrega inmediatamente despu\u00e9s de free_unused_bufs(), siguiendo la regla general: netdev_tx_reset_queue() debe seguir cualquier liberaci\u00f3n de SKB no seguida por netdev_tx_completed_queue(). Este parece ser el enfoque m\u00e1s consistente y optimizado, y ahora netdev_tx_reset_queue() se ejecuta siempre que se realiza free_unused_bufs(). [1]: ------------[ corte aqu\u00ed ]------------ \u00a1ERROR del kernel en lib/dynamic_queue_limits.c:99! Oops: c\u00f3digo de operaci\u00f3n no v\u00e1lido: 0000 [#1] PREEMPT SMP NOPTI CPU: 7 UID: 0 PID: 1598 Comm: ip Contaminado: GN 6.12.0net-next_main+ #2 Contaminado: [N]=TEST Nombre del hardware: QEMU Standard PC (Q35 + ICH9, 2009), \\ BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:dql_completed+0x26b/0x290 C\u00f3digo: b7 c2 49 89 e9 44 89 da 89 c6 4c 89 d7 e8 ed 17 47 00 58 65 ff 0d 4d 27 90 7e 0f 85 fd fe ff ff e8 ea 53 8d ff e9 f3 fe ff ff &lt;0f&gt; 0b 01 d2 44 89 d1 29 d1 ba 00 00 00 00 0f 48 ca e9 28 ff ff ff RSP: 0018:ffffc900002b0d08 EFLAGS: 00010297 RAX: 0000000000000000 RBX: ffff888102398c80 RCX: 0000000080190009 RDX: 0000000000000000 RSI: 000000000000006a RDI: 00000000000000000 RBP: ffff888102398c00 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000000000ca R11: 0000000000015681 R12: 0000000000000001 R13: ffffc900002b0d68 R14: ffff88811115e000 R15: ffff8881107aca40 FS: 00007f41ded69500(0000) GS:ffff888667dc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000556ccc2dc1a0 CR3: 0000000104fd8003 CR4: 0000000000772ef0 PKRU: 55555554 Rastreo de llamadas: ? die+0x32/0x80 ? do_trap+0xd9/0x100 ? dql_completed+0x26b/0x290 ? dql_completed+0x26b/0x290 ? do_error_trap+0x6d/0xb0 ? __actualizar_carga_avg_cfs_rq+0x264/0x2d0 ? reweight_entity+0x1be/0x260 __napi_poll.constprop.0+0x28/0x1c0 net_rx_action+0x329/0x420 ? enqueue_hrtimer+0x35/0x90 ? trace_hardirqs_on+0x1d/0x80 ? kvm_sched_clock_read+0xd/0x20 ? sched_clock+0xc/0x30 ? kvm_sched_clock_read+0xd/0x20 ? sched_clock+0xc/0x30 ? __local_bh_enable_ip+0xa7/0xb0 virtnet_open+0xc8/0x310 [virtio_net] __dev_open+0xfa/0x1b0 __dev_change_flags+0x1de/0x250 dev_change_flags+0x22/0x60 do_setlink.isra.0+0x2df/0x10b0 ? rtnetlink_rcv_msg+0x34f/0x3f0 ? netlink_rcv_skb+0x54/0x100 ? netlink_unicas ---truncado---"}], "lastModified": "2025-01-06T15:06:43.330", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "97C759FD-3999-4EA7-B961-1CADF641F560", "versionEndExcluding": "6.12.6", "versionStartIncluding": "6.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62567B3C-6CEE-46D0-BC2E-B3717FBF7D13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A073481-106D-4B15-B4C7-FB0213B8E1D4"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}