{
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {
        "cveId": "CVE-2024-46766",
        "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "state": "PUBLISHED",
        "assignerShortName": "Linux",
        "dateReserved": "2024-09-11T15:12:18.273Z",
        "datePublished": "2024-09-18T07:12:25.353Z",
        "dateUpdated": "2024-09-29T14:42:45.913Z"
    },
    "containers": {
        "cna": {
            "providerMetadata": {
                "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
                "shortName": "Linux",
                "dateUpdated": "2024-09-18T07:12:25.353Z"
            },
            "descriptions": [
                {
                    "lang": "en",
                    "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: move netif_queue_set_napi to rtnl-protected sections\n\nCurrently, netif_queue_set_napi() is called from ice_vsi_rebuild() that is\nnot rtnl-locked when called from the reset. This creates the need to take\nthe rtnl_lock just for a single function and complicates the\nsynchronization with .ndo_bpf. At the same time, there no actual need to\nfill napi-to-queue information at this exact point.\n\nFill napi-to-queue information when opening the VSI and clear it when the\nVSI is being closed. Those routines are already rtnl-locked.\n\nAlso, rewrite napi-to-queue assignment in a way that prevents inclusion of\nXDP queues, as this leads to out-of-bounds writes, such as one below.\n\n[  +0.000004] BUG: KASAN: slab-out-of-bounds in netif_queue_set_napi+0x1c2/0x1e0\n[  +0.000012] Write of size 8 at addr ffff889881727c80 by task bash/7047\n[  +0.000006] CPU: 24 PID: 7047 Comm: bash Not tainted 6.10.0-rc2+ #2\n[  +0.000004] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021\n[  +0.000003] Call Trace:\n[  +0.000003]  <TASK>\n[  +0.000002]  dump_stack_lvl+0x60/0x80\n[  +0.000007]  print_report+0xce/0x630\n[  +0.000007]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[  +0.000007]  ? __virt_addr_valid+0x1c9/0x2c0\n[  +0.000005]  ? netif_queue_set_napi+0x1c2/0x1e0\n[  +0.000003]  kasan_report+0xe9/0x120\n[  +0.000004]  ? netif_queue_set_napi+0x1c2/0x1e0\n[  +0.000004]  netif_queue_set_napi+0x1c2/0x1e0\n[  +0.000005]  ice_vsi_close+0x161/0x670 [ice]\n[  +0.000114]  ice_dis_vsi+0x22f/0x270 [ice]\n[  +0.000095]  ice_pf_dis_all_vsi.constprop.0+0xae/0x1c0 [ice]\n[  +0.000086]  ice_prepare_for_reset+0x299/0x750 [ice]\n[  +0.000087]  pci_dev_save_and_disable+0x82/0xd0\n[  +0.000006]  pci_reset_function+0x12d/0x230\n[  +0.000004]  reset_store+0xa0/0x100\n[  +0.000006]  ? __pfx_reset_store+0x10/0x10\n[  +0.000002]  ? __pfx_mutex_lock+0x10/0x10\n[  +0.000004]  ? __check_object_size+0x4c1/0x640\n[  +0.000007]  kernfs_fop_write_iter+0x30b/0x4a0\n[  +0.000006]  vfs_write+0x5d6/0xdf0\n[  +0.000005]  ? fd_install+0x180/0x350\n[  +0.000005]  ? __pfx_vfs_write+0x10/0xA10\n[  +0.000004]  ? do_fcntl+0x52c/0xcd0\n[  +0.000004]  ? kasan_save_track+0x13/0x60\n[  +0.000003]  ? kasan_save_free_info+0x37/0x60\n[  +0.000006]  ksys_write+0xfa/0x1d0\n[  +0.000003]  ? __pfx_ksys_write+0x10/0x10\n[  +0.000002]  ? __x64_sys_fcntl+0x121/0x180\n[  +0.000004]  ? _raw_spin_lock+0x87/0xe0\n[  +0.000005]  do_syscall_64+0x80/0x170\n[  +0.000007]  ? _raw_spin_lock+0x87/0xe0\n[  +0.000004]  ? __pfx__raw_spin_lock+0x10/0x10\n[  +0.000003]  ? file_close_fd_locked+0x167/0x230\n[  +0.000005]  ? syscall_exit_to_user_mode+0x7d/0x220\n[  +0.000005]  ? do_syscall_64+0x8c/0x170\n[  +0.000004]  ? do_syscall_64+0x8c/0x170\n[  +0.000003]  ? do_syscall_64+0x8c/0x170\n[  +0.000003]  ? fput+0x1a/0x2c0\n[  +0.000004]  ? filp_close+0x19/0x30\n[  +0.000004]  ? do_dup2+0x25a/0x4c0\n[  +0.000004]  ? __x64_sys_dup2+0x6e/0x2e0\n[  +0.000002]  ? syscall_exit_to_user_mode+0x7d/0x220\n[  +0.000004]  ? do_syscall_64+0x8c/0x170\n[  +0.000003]  ? __count_memcg_events+0x113/0x380\n[  +0.000005]  ? handle_mm_fault+0x136/0x820\n[  +0.000005]  ? do_user_addr_fault+0x444/0xa80\n[  +0.000004]  ? clear_bhb_loop+0x25/0x80\n[  +0.000004]  ? clear_bhb_loop+0x25/0x80\n[  +0.000002]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  +0.000005] RIP: 0033:0x7f2033593154"
                }
            ],
            "affected": [
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "unaffected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "drivers/net/ethernet/intel/ice/ice_base.c",
                        "drivers/net/ethernet/intel/ice/ice_lib.c",
                        "drivers/net/ethernet/intel/ice/ice_lib.h",
                        "drivers/net/ethernet/intel/ice/ice_main.c"
                    ],
                    "versions": [
                        {
                            "version": "080b0c8d6d26",
                            "lessThan": "2285c2faef19",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "080b0c8d6d26",
                            "lessThan": "2a5dc090b92c",
                            "status": "affected",
                            "versionType": "git"
                        }
                    ]
                },
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "affected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "drivers/net/ethernet/intel/ice/ice_base.c",
                        "drivers/net/ethernet/intel/ice/ice_lib.c",
                        "drivers/net/ethernet/intel/ice/ice_lib.h",
                        "drivers/net/ethernet/intel/ice/ice_main.c"
                    ],
                    "versions": [
                        {
                            "version": "6.8",
                            "status": "affected"
                        },
                        {
                            "version": "0",
                            "lessThan": "6.8",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.10.10",
                            "lessThanOrEqual": "6.10.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.11",
                            "lessThanOrEqual": "*",
                            "status": "unaffected",
                            "versionType": "original_commit_for_fix"
                        }
                    ]
                }
            ],
            "references": [
                {
                    "url": "https://git.kernel.org/stable/c/2285c2faef19ee08a6bd6754f4c3ec07dceb2889"
                },
                {
                    "url": "https://git.kernel.org/stable/c/2a5dc090b92cfa5270e20056074241c6db5c9cdd"
                }
            ],
            "title": "ice: move netif_queue_set_napi to rtnl-protected sections",
            "x_generator": {
                "engine": "bippy-c9c4e1df01b2"
            }
        },
        "adp": [
            {
                "metrics": [
                    {
                        "other": {
                            "type": "ssvc",
                            "content": {
                                "timestamp": "2024-09-29T14:42:30.909081Z",
                                "id": "CVE-2024-46766",
                                "options": [
                                    {
                                        "Exploitation": "none"
                                    },
                                    {
                                        "Automatable": "no"
                                    },
                                    {
                                        "Technical Impact": "partial"
                                    }
                                ],
                                "role": "CISA Coordinator",
                                "version": "2.0.3"
                            }
                        }
                    }
                ],
                "title": "CISA ADP Vulnrichment",
                "providerMetadata": {
                    "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                    "shortName": "CISA-ADP",
                    "dateUpdated": "2024-09-29T14:42:45.913Z"
                }
            }
        ]
    }
}