CVE-2024-49980

Summary

In the Linux kernel, the following vulnerability has been resolved:

vrf: revert "vrf: Remove unnecessary RCU-bh critical section"

This reverts commit 504fc6f4f7f681d2a03aa5f68aad549d90eab853.

dev_queue_xmit_nit is expected to be called with BH disabled. __dev_queue_xmit has the following:

    /* Disable soft irqs for various locks below. Also
     * stops preemption for RCU.
     */
    rcu_read_lock_bh();

VRF must follow this invariant. The referenced commit removed this protection. Which triggered a lockdep warning:

================================
WARNING: inconsistent lock state
6.11.0 #1 Tainted: G        W
--------------------------------
inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.
btserver/134819 [HC0[0]:SC0[0]:HE1:SE1] takes:
ffff8882da30c118 (rlock-AF_PACKET){+.?.}-{2:2}, at: tpacket_rcv+0x863/0x3b30
{IN-SOFTIRQ-W} state was registered at:
  lock_acquire+0x19a/0x4f0
  _raw_spin_lock+0x27/0x40
  packet_rcv+0xa33/0x1320
  __netif_receive_skb_core.constprop.0+0xcb0/0x3a90
  __netif_receive_skb_list_core+0x2c9/0x890
  netif_receive_skb_list_internal+0x610/0xcc0
      [...]

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(rlock-AF_PACKET);
  <Interrupt>
    lock(rlock-AF_PACKET);

 *** DEADLOCK ***

Call Trace:
 <TASK>
 dump_stack_lvl+0x73/0xa0
 mark_lock+0x102e/0x16b0
 __lock_acquire+0x9ae/0x6170
 lock_acquire+0x19a/0x4f0
 _raw_spin_lock+0x27/0x40
 tpacket_rcv+0x863/0x3b30
 dev_queue_xmit_nit+0x709/0xa40
 vrf_finish_direct+0x26e/0x340 [vrf]
 vrf_l3_out+0x5f4/0xe80 [vrf]
 __ip_local_out+0x51e/0x7a0
      [...]

Affected Software

VendorProductVersion RangeStatus
LinuxLinux504fc6f4f7f681d2a03aa5f68aad549d90eab853 < 718a752bd746b3f4dd62516bb437baf73d548415affected
LinuxLinux504fc6f4f7f681d2a03aa5f68aad549d90eab853 < 8c9381b3138246d46536db93ed696832abd70204affected
LinuxLinux504fc6f4f7f681d2a03aa5f68aad549d90eab853 < e61f8c4d179b2ffc0d3b7f821c3734be738643d0affected
LinuxLinux504fc6f4f7f681d2a03aa5f68aad549d90eab853 < b04c4d9eb4f25b950b33218e33b04c94e7445e51affected
LinuxLinux6.6affected
LinuxLinux0 < 6.6unaffected
LinuxLinux6.6.55 <= 6.6.*unaffected
LinuxLinux6.10.14 <= 6.10.*unaffected
LinuxLinux6.11.3 <= 6.11.*unaffected
LinuxLinux6.12 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References