{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39502", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-06-25T14:23:23.752Z", "datePublished": "2024-07-12T12:20:35.635Z", "dateUpdated": "2024-11-05T09:32:33.208Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:32:33.208Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: fix use after netif_napi_del()\n\nWhen queues are started, netif_napi_add() and napi_enable() are called.\nIf there are 4 queues and only 3 queues are used for the current\nconfiguration, only 3 queues' napi should be registered and enabled.\nThe ionic_qcq_enable() checks whether the .poll pointer is not NULL for\nenabling only the using queue' napi. Unused queues' napi will not be\nregistered by netif_napi_add(), so the .poll pointer indicates NULL.\nBut it couldn't distinguish whether the napi was unregistered or not\nbecause netif_napi_del() doesn't reset the .poll pointer to NULL.\nSo, ionic_qcq_enable() calls napi_enable() for the queue, which was\nunregistered by netif_napi_del().\n\nReproducer:\n ethtool -L <interface name> rx 1 tx 1 combined 0\n ethtool -L <interface name> rx 0 tx 0 combined 1\n ethtool -L <interface name> rx 0 tx 0 combined 4\n\nSplat looks like:\nkernel BUG at net/core/dev.c:6666!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16\nWorkqueue: events ionic_lif_deferred_work [ionic]\nRIP: 0010:napi_enable+0x3b/0x40\nCode: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f\nRSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029\nRDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28\nRBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001\nR10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000\nR13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20\nFS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? die+0x33/0x90\n ? do_trap+0xd9/0x100\n ? napi_enable+0x3b/0x40\n ? do_error_trap+0x83/0xb0\n ? napi_enable+0x3b/0x40\n ? napi_enable+0x3b/0x40\n ? exc_invalid_op+0x4e/0x70\n ? napi_enable+0x3b/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? napi_enable+0x3b/0x40\n ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n process_one_work+0x145/0x360\n worker_thread+0x2bb/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xcc/0x100\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2d/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/pensando/ionic/ionic_lif.c"], "versions": [{"version": "0f3154e6bcb3", "lessThan": "0d19267cb150", "status": "affected", "versionType": "git"}, {"version": "0f3154e6bcb3", "lessThan": "ff9c2a9426ec", "status": "affected", "versionType": "git"}, {"version": "0f3154e6bcb3", "lessThan": "8edd18dab443", "status": "affected", "versionType": "git"}, {"version": "0f3154e6bcb3", "lessThan": "60cd714871cd", "status": "affected", "versionType": "git"}, {"version": "0f3154e6bcb3", "lessThan": "183ebc167a8a", "status": "affected", "versionType": "git"}, {"version": "0f3154e6bcb3", "lessThan": "a87d72b37b9e", "status": "affected", "versionType": "git"}, {"version": "0f3154e6bcb3", "lessThan": "79f18a41dd05", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/pensando/ionic/ionic_lif.c"], "versions": [{"version": "5.4", "status": "affected"}, {"version": "0", "lessThan": "5.4", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.279", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.221", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.162", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.95", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.35", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9.6", "lessThanOrEqual": "6.9.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.10", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/0d19267cb150e8f76ade210e16ee820a77f684e7"}, {"url": "https://git.kernel.org/stable/c/ff9c2a9426ecf5b9631e9fd74993b357262387d6"}, {"url": "https://git.kernel.org/stable/c/8edd18dab443863e9e48f084e7f123fca3065e4e"}, {"url": "https://git.kernel.org/stable/c/60cd714871cd5a683353a355cbb17a685245cf84"}, {"url": "https://git.kernel.org/stable/c/183ebc167a8a19e916b885d4bb61a3491991bfa5"}, {"url": "https://git.kernel.org/stable/c/a87d72b37b9ec2c1e18fe36b09241d8b30334a2e"}, {"url": "https://git.kernel.org/stable/c/79f18a41dd056115d685f3b0a419c7cd40055e13"}], "title": "ionic: fix use after netif_napi_del()", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:26:15.603Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/0d19267cb150e8f76ade210e16ee820a77f684e7", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ff9c2a9426ecf5b9631e9fd74993b357262387d6", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/8edd18dab443863e9e48f084e7f123fca3065e4e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/60cd714871cd5a683353a355cbb17a685245cf84", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/183ebc167a8a19e916b885d4bb61a3491991bfa5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a87d72b37b9ec2c1e18fe36b09241d8b30334a2e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/79f18a41dd056115d685f3b0a419c7cd40055e13", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39502", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:07:07.252622Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:34:40.350Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39502", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-06-25T14:23:23.752Z", "datePublished": "2024-07-12T12:20:35.635Z", "dateUpdated": "2024-08-02T04:26:15.603Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-07-15T06:50:48.621Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: fix use after netif_napi_del()\n\nWhen queues are started, netif_napi_add() and napi_enable() are called.\nIf there are 4 queues and only 3 queues are used for the current\nconfiguration, only 3 queues' napi should be registered and enabled.\nThe ionic_qcq_enable() checks whether the .poll pointer is not NULL for\nenabling only the using queue' napi. Unused queues' napi will not be\nregistered by netif_napi_add(), so the .poll pointer indicates NULL.\nBut it couldn't distinguish whether the napi was unregistered or not\nbecause netif_napi_del() doesn't reset the .poll pointer to NULL.\nSo, ionic_qcq_enable() calls napi_enable() for the queue, which was\nunregistered by netif_napi_del().\n\nReproducer:\n ethtool -L <interface name> rx 1 tx 1 combined 0\n ethtool -L <interface name> rx 0 tx 0 combined 1\n ethtool -L <interface name> rx 0 tx 0 combined 4\n\nSplat looks like:\nkernel BUG at net/core/dev.c:6666!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16\nWorkqueue: events ionic_lif_deferred_work [ionic]\nRIP: 0010:napi_enable+0x3b/0x40\nCode: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f\nRSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029\nRDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28\nRBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001\nR10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000\nR13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20\nFS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? die+0x33/0x90\n ? do_trap+0xd9/0x100\n ? napi_enable+0x3b/0x40\n ? do_error_trap+0x83/0xb0\n ? napi_enable+0x3b/0x40\n ? napi_enable+0x3b/0x40\n ? exc_invalid_op+0x4e/0x70\n ? napi_enable+0x3b/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? napi_enable+0x3b/0x40\n ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n process_one_work+0x145/0x360\n worker_thread+0x2bb/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xcc/0x100\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2d/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/pensando/ionic/ionic_lif.c"], "versions": [{"version": "0f3154e6bcb3", "lessThan": "0d19267cb150", "status": "affected", "versionType": "git"}, {"version": "0f3154e6bcb3", "lessThan": "ff9c2a9426ec", "status": "affected", "versionType": "git"}, {"version": "0f3154e6bcb3", "lessThan": "8edd18dab443", "status": "affected", "versionType": "git"}, {"version": "0f3154e6bcb3", "lessThan": "60cd714871cd", "status": "affected", "versionType": "git"}, {"version": "0f3154e6bcb3", "lessThan": "183ebc167a8a", "status": "affected", "versionType": "git"}, {"version": "0f3154e6bcb3", "lessThan": "a87d72b37b9e", "status": "affected", "versionType": "git"}, {"version": "0f3154e6bcb3", "lessThan": "79f18a41dd05", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/pensando/ionic/ionic_lif.c"], "versions": [{"version": "5.4", "status": "affected"}, {"version": "0", "lessThan": "5.4", "status": "unaffected", "versionType": "custom"}, {"version": "5.4.279", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.10.221", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.15.162", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.1.95", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.6.35", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.9.6", "lessThanOrEqual": "6.9.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.10", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/0d19267cb150e8f76ade210e16ee820a77f684e7"}, {"url": "https://git.kernel.org/stable/c/ff9c2a9426ecf5b9631e9fd74993b357262387d6"}, {"url": "https://git.kernel.org/stable/c/8edd18dab443863e9e48f084e7f123fca3065e4e"}, {"url": "https://git.kernel.org/stable/c/60cd714871cd5a683353a355cbb17a685245cf84"}, {"url": "https://git.kernel.org/stable/c/183ebc167a8a19e916b885d4bb61a3491991bfa5"}, {"url": "https://git.kernel.org/stable/c/a87d72b37b9ec2c1e18fe36b09241d8b30334a2e"}, {"url": "https://git.kernel.org/stable/c/79f18a41dd056115d685f3b0a419c7cd40055e13"}], "title": "ionic: fix use after netif_napi_del()", "x_generator": {"engine": "bippy-c9c4e1df01b2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39502", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:07:07.252622Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2024-09-11T12:42:25.117Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: fix use after netif_napi_del()\n\nWhen queues are started, netif_napi_add() and napi_enable() are called.\nIf there are 4 queues and only 3 queues are used for the current\nconfiguration, only 3 queues' napi should be registered and enabled.\nThe ionic_qcq_enable() checks whether the .poll pointer is not NULL for\nenabling only the using queue' napi. Unused queues' napi will not be\nregistered by netif_napi_add(), so the .poll pointer indicates NULL.\nBut it couldn't distinguish whether the napi was unregistered or not\nbecause netif_napi_del() doesn't reset the .poll pointer to NULL.\nSo, ionic_qcq_enable() calls napi_enable() for the queue, which was\nunregistered by netif_napi_del().\n\nReproducer:\n ethtool -L <interface name> rx 1 tx 1 combined 0\n ethtool -L <interface name> rx 0 tx 0 combined 1\n ethtool -L <interface name> rx 0 tx 0 combined 4\n\nSplat looks like:\nkernel BUG at net/core/dev.c:6666!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16\nWorkqueue: events ionic_lif_deferred_work [ionic]\nRIP: 0010:napi_enable+0x3b/0x40\nCode: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f\nRSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029\nRDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28\nRBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001\nR10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000\nR13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20\nFS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? die+0x33/0x90\n ? do_trap+0xd9/0x100\n ? napi_enable+0x3b/0x40\n ? do_error_trap+0x83/0xb0\n ? napi_enable+0x3b/0x40\n ? napi_enable+0x3b/0x40\n ? exc_invalid_op+0x4e/0x70\n ? napi_enable+0x3b/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? napi_enable+0x3b/0x40\n ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n process_one_work+0x145/0x360\n worker_thread+0x2bb/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xcc/0x100\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2d/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ionic: corrige el use after de netif_napi_del() Cuando se inician las colas, se llama a netif_napi_add() y napi_enable(). Si hay 4 colas y solo se utilizan 3 colas para la configuraci\u00f3n actual, solo se deben registrar y habilitar napi de 3 colas. ionic_qcq_enable() comprueba si el puntero .poll no es NULL para habilitar solo el napi de la cola de uso. netif_napi_add() no registrar\u00e1 el napi de las colas no utilizadas, por lo que el puntero .poll indica NULL. Pero no pudo distinguir si el napi no estaba registrado o no porque netif_napi_del() no restablece el puntero .poll a NULL. Entonces, ionic_qcq_enable() llama a napi_enable() para la cola, que netif_napi_del() cancel\u00f3 el registro. Reproductor: ethtool -L rx 1 tx 1 combinado 0 ethtool -L rx 0 tx 0 combinado 1 ethtool -L rx 0 tx 0 combinado 4 Splat se parece a: kernel ERROR en net/ n\u00facleo/dev.c:6666! Vaya: c\u00f3digo de operaci\u00f3n no v\u00e1lido: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 1057 Comm: kworker/3:3 No contaminado 6.10.0-rc2+ #16 Cola de trabajo: eventos ionic_lif_deferred_work [ionic] RIP: 0010:napi_enable+0x3b/ 0x40 C\u00f3digo: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f RSP: 0018:ffffb6ed83227d48 EFLAGS: 10246 RAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029 RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28 RBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 00000000001 R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000 R13: ffff97560ce3c1a0 R14: 0000000000000000 R15: 13ba0a20 FS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS :0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0 PKRU: 5555554 Seguimiento de llamadas: ? morir+0x33/0x90? do_trap+0xd9/0x100? napi_enable+0x3b/0x40? do_error_trap+0x83/0xb0? napi_enable+0x3b/0x40? napi_enable+0x3b/0x40? exc_invalid_op+0x4e/0x70? napi_enable+0x3b/0x40? asm_exc_invalid_op+0x16/0x20? napi_enable+0x3b/0x40 ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8] ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224 ff7d10789e3f14643f8] ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8] ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a03543 6e1c4224ff7d10789e3f14643f8] proceso_one_work+0x145/0x360 trabajador_thread+0x2bb/ 0x3d0? __pfx_worker_thread+0x10/0x10 kthread+0xcc/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2d/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30"}], "id": "CVE-2024-39502", "lastModified": "2024-11-21T09:27:50.257", "metrics": {}, "published": "2024-07-12T13:15:12.680", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0d19267cb150e8f76ade210e16ee820a77f684e7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/183ebc167a8a19e916b885d4bb61a3491991bfa5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/60cd714871cd5a683353a355cbb17a685245cf84"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/79f18a41dd056115d685f3b0a419c7cd40055e13"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8edd18dab443863e9e48f084e7f123fca3065e4e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a87d72b37b9ec2c1e18fe36b09241d8b30334a2e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ff9c2a9426ecf5b9631e9fd74993b357262387d6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/0d19267cb150e8f76ade210e16ee820a77f684e7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/183ebc167a8a19e916b885d4bb61a3491991bfa5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/60cd714871cd5a683353a355cbb17a685245cf84"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/79f18a41dd056115d685f3b0a419c7cd40055e13"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/8edd18dab443863e9e48f084e7f123fca3065e4e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/a87d72b37b9ec2c1e18fe36b09241d8b30334a2e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/ff9c2a9426ecf5b9631e9fd74993b357262387d6"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2024:5102", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-553.16.1.rt7.357.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5101", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-553.16.1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5266", "cpe": "cpe:/o:redhat:rhel_aus:8.4", "package": "kernel-0:4.18.0-305.138.1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5282", "cpe": "cpe:/a:redhat:rhel_tus:8.4::nfv", "package": "kernel-rt-0:4.18.0-305.138.1.rt7.214.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5266", "cpe": "cpe:/o:redhat:rhel_tus:8.4", "package": "kernel-0:4.18.0-305.138.1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5266", "cpe": "cpe:/o:redhat:rhel_e4s:8.4", "package": "kernel-0:4.18.0-305.138.1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5281", "cpe": "cpe:/o:redhat:rhel_aus:8.6", "package": "kernel-0:4.18.0-372.118.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5281", "cpe": "cpe:/o:redhat:rhel_tus:8.6", "package": "kernel-0:4.18.0-372.118.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5281", "cpe": "cpe:/o:redhat:rhel_e4s:8.6", "package": "kernel-0:4.18.0-372.118.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:6206", "cpe": "cpe:/o:redhat:rhel_eus:8.8", "package": "kernel-0:4.18.0-477.70.1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-09-03T00:00:00Z"}, {"advisory": "RHSA-2024:8162", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-427.40.1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-10-16T00:00:00Z"}, {"advisory": "RHSA-2024:8162", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-427.40.1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-10-16T00:00:00Z"}, {"advisory": "RHSA-2024:5257", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "kernel-0:5.14.0-70.112.1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5256", "cpe": "cpe:/a:redhat:rhel_e4s:9.0::nfv", "package": "kernel-rt-0:5.14.0-70.112.1.rt21.184.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:6267", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "kernel-0:5.14.0-284.82.1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-09-04T00:00:00Z"}, {"advisory": "RHSA-2024:6268", "cpe": "cpe:/a:redhat:rhel_eus:9.2::nfv", "package": "kernel-rt-0:5.14.0-284.82.1.rt14.367.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-09-04T00:00:00Z"}], "bugzilla": {"description": "kernel: ionic: fix use after netif_napi_del()", "id": "2297474", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2297474"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nionic: fix use after netif_napi_del()\nWhen queues are started, netif_napi_add() and napi_enable() are called.\nIf there are 4 queues and only 3 queues are used for the current\nconfiguration, only 3 queues' napi should be registered and enabled.\nThe ionic_qcq_enable() checks whether the .poll pointer is not NULL for\nenabling only the using queue' napi. Unused queues' napi will not be\nregistered by netif_napi_add(), so the .poll pointer indicates NULL.\nBut it couldn't distinguish whether the napi was unregistered or not\nbecause netif_napi_del() doesn't reset the .poll pointer to NULL.\nSo, ionic_qcq_enable() calls napi_enable() for the queue, which was\nunregistered by netif_napi_del().\nReproducer:\nethtool -L <interface name> rx 1 tx 1 combined 0\nethtool -L <interface name> rx 0 tx 0 combined 1\nethtool -L <interface name> rx 0 tx 0 combined 4\nSplat looks like:\nkernel BUG at net/core/dev.c:6666!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16\nWorkqueue: events ionic_lif_deferred_work [ionic]\nRIP: 0010:napi_enable+0x3b/0x40\nCode: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f\nRSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029\nRDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28\nRBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001\nR10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000\nR13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20\nFS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n<TASK>\n? die+0x33/0x90\n? do_trap+0xd9/0x100\n? napi_enable+0x3b/0x40\n? do_error_trap+0x83/0xb0\n? napi_enable+0x3b/0x40\n? napi_enable+0x3b/0x40\n? exc_invalid_op+0x4e/0x70\n? napi_enable+0x3b/0x40\n? asm_exc_invalid_op+0x16/0x20\n? napi_enable+0x3b/0x40\nionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\nionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\nionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\nionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\nprocess_one_work+0x145/0x360\nworker_thread+0x2bb/0x3d0\n? __pfx_worker_thread+0x10/0x10\nkthread+0xcc/0x100\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x2d/0x50\n? __pfx_kthread+0x10/0x10\nret_from_fork_asm+0x1a/0x30"], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-39502", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-07-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-39502\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-39502\nhttps://lore.kernel.org/linux-cve-announce/2024071204-CVE-2024-39502-afe9@gregkh/T"], "threat_severity": "Moderate", "upstream_fix": "kernel 5.4.279, kernel 5.10.221, kernel 5.15.162, kernel 6.1.95, kernel 6.6.35, kernel 6.9.6, kernel 6.10-rc4"}