CVE-2024-40907 - OpenCVE

Vendors	Products
Linux	Linux Kernel

Link	Providers
https://git.kernel.org/stable/c/491aee894a08bc9b8bb52e7363b9d4bc6403f363
https://git.kernel.org/stable/c/8812aa35f3e930f61074b9c1ecea26f354992c21
https://lore.kernel.org/linux-cve-announce/2024071209-CVE-2024-40907-5305@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-40907
https://www.cve.org/CVERecord?id=CVE-2024-40907

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Type	Values Removed	Values Added
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.10:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.10:rc2::::::
Vendors & Products		Linux Linux linux Kernel
Metrics	cvssV3_1 `{'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H'}`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Type	Values Removed	Values Added
Weaknesses		CWE-416
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-40907", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-07-12T12:17:45.580Z", "datePublished": "2024-07-12T12:20:47.151Z", "dateUpdated": "2024-09-11T17:34:37.786Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-07-15T06:51:13.743Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: fix kernel panic in XDP_TX action\n\nIn the XDP_TX path, ionic driver sends a packet to the TX path with rx\npage and corresponding dma address.\nAfter tx is done, ionic_tx_clean() frees that page.\nBut RX ring buffer isn't reset to NULL.\nSo, it uses a freed page, which causes kernel panic.\n\nBUG: unable to handle page fault for address: ffff8881576c110c\nPGD 773801067 P4D 773801067 PUD 87f086067 PMD 87efca067 PTE 800ffffea893e060\nOops: Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI\nCPU: 1 PID: 25 Comm: ksoftirqd/1 Not tainted 6.9.0+ #11\nHardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021\nRIP: 0010:bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f\nCode: 00 53 41 55 41 56 41 57 b8 01 00 00 00 48 8b 5f 08 4c 8b 77 00 4c 89 f7 48 83 c7 0e 48 39 d8\nRSP: 0018:ffff888104e6fa28 EFLAGS: 00010283\nRAX: 0000000000000002 RBX: ffff8881576c1140 RCX: 0000000000000002\nRDX: ffffffffc0051f64 RSI: ffffc90002d33048 RDI: ffff8881576c110e\nRBP: ffff888104e6fa88 R08: 0000000000000000 R09: ffffed1027a04a23\nR10: 0000000000000000 R11: 0000000000000000 R12: ffff8881b03a21a8\nR13: ffff8881589f800f R14: ffff8881576c1100 R15: 00000001576c1100\nFS: 0000000000000000(0000) GS:ffff88881ae00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffff8881576c110c CR3: 0000000767a90000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n<TASK>\n? __die+0x20/0x70\n? page_fault_oops+0x254/0x790\n? __pfx_page_fault_oops+0x10/0x10\n? __pfx_is_prefetch.constprop.0+0x10/0x10\n? search_bpf_extables+0x165/0x260\n? fixup_exception+0x4a/0x970\n? exc_page_fault+0xcb/0xe0\n? asm_exc_page_fault+0x22/0x30\n? 0xffffffffc0051f64\n? bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f\n? do_raw_spin_unlock+0x54/0x220\nionic_rx_service+0x11ab/0x3010 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? ionic_tx_clean+0x29b/0xc60 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? __pfx_ionic_tx_clean+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? ionic_tx_cq_service+0x25d/0xa00 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\nionic_cq_service+0x69/0x150 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\nionic_txrx_napi+0x11a/0x540 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n__napi_poll.constprop.0+0xa0/0x440\nnet_rx_action+0x7e7/0xc30\n? __pfx_net_rx_action+0x10/0x10"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/pensando/ionic/ionic_txrx.c"], "versions": [{"version": "8eeed8373e1c", "lessThan": "8812aa35f3e9", "status": "affected", "versionType": "git"}, {"version": "8eeed8373e1c", "lessThan": "491aee894a08", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/pensando/ionic/ionic_txrx.c"], "versions": [{"version": "6.9", "status": "affected"}, {"version": "0", "lessThan": "6.9", "status": "unaffected", "versionType": "custom"}, {"version": "6.9.6", "lessThanOrEqual": "6.9.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.10", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/8812aa35f3e930f61074b9c1ecea26f354992c21"}, {"url": "https://git.kernel.org/stable/c/491aee894a08bc9b8bb52e7363b9d4bc6403f363"}], "title": "ionic: fix kernel panic in XDP_TX action", "x_generator": {"engine": "bippy-c9c4e1df01b2"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:39:55.283Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/8812aa35f3e930f61074b9c1ecea26f354992c21", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/491aee894a08bc9b8bb52e7363b9d4bc6403f363", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-40907", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:06:15.613289Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:34:37.786Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/8812aa35f3e930f61074b9c1ecea26f354992c21", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/491aee894a08bc9b8bb52e7363b9d4bc6403f363", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:39:55.283Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-40907", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:06:15.613289Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:24.879Z"}}], "cna": {"title": "ionic: fix kernel panic in XDP_TX action", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "8eeed8373e1c", "lessThan": "8812aa35f3e9", "versionType": "git"}, {"status": "affected", "version": "8eeed8373e1c", "lessThan": "491aee894a08", "versionType": "git"}], "programFiles": ["drivers/net/ethernet/pensando/ionic/ionic_txrx.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.9"}, {"status": "unaffected", "version": "0", "lessThan": "6.9", "versionType": "custom"}, {"status": "unaffected", "version": "6.9.6", "versionType": "custom", "lessThanOrEqual": "6.9.*"}, {"status": "unaffected", "version": "6.10", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/net/ethernet/pensando/ionic/ionic_txrx.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/8812aa35f3e930f61074b9c1ecea26f354992c21"}, {"url": "https://git.kernel.org/stable/c/491aee894a08bc9b8bb52e7363b9d4bc6403f363"}], "x_generator": {"engine": "bippy-c9c4e1df01b2"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: fix kernel panic in XDP_TX action\n\nIn the XDP_TX path, ionic driver sends a packet to the TX path with rx\npage and corresponding dma address.\nAfter tx is done, ionic_tx_clean() frees that page.\nBut RX ring buffer isn't reset to NULL.\nSo, it uses a freed page, which causes kernel panic.\n\nBUG: unable to handle page fault for address: ffff8881576c110c\nPGD 773801067 P4D 773801067 PUD 87f086067 PMD 87efca067 PTE 800ffffea893e060\nOops: Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI\nCPU: 1 PID: 25 Comm: ksoftirqd/1 Not tainted 6.9.0+ #11\nHardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021\nRIP: 0010:bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f\nCode: 00 53 41 55 41 56 41 57 b8 01 00 00 00 48 8b 5f 08 4c 8b 77 00 4c 89 f7 48 83 c7 0e 48 39 d8\nRSP: 0018:ffff888104e6fa28 EFLAGS: 00010283\nRAX: 0000000000000002 RBX: ffff8881576c1140 RCX: 0000000000000002\nRDX: ffffffffc0051f64 RSI: ffffc90002d33048 RDI: ffff8881576c110e\nRBP: ffff888104e6fa88 R08: 0000000000000000 R09: ffffed1027a04a23\nR10: 0000000000000000 R11: 0000000000000000 R12: ffff8881b03a21a8\nR13: ffff8881589f800f R14: ffff8881576c1100 R15: 00000001576c1100\nFS: 0000000000000000(0000) GS:ffff88881ae00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffff8881576c110c CR3: 0000000767a90000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n<TASK>\n? __die+0x20/0x70\n? page_fault_oops+0x254/0x790\n? __pfx_page_fault_oops+0x10/0x10\n? __pfx_is_prefetch.constprop.0+0x10/0x10\n? search_bpf_extables+0x165/0x260\n? fixup_exception+0x4a/0x970\n? exc_page_fault+0xcb/0xe0\n? asm_exc_page_fault+0x22/0x30\n? 0xffffffffc0051f64\n? bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f\n? do_raw_spin_unlock+0x54/0x220\nionic_rx_service+0x11ab/0x3010 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? ionic_tx_clean+0x29b/0xc60 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? __pfx_ionic_tx_clean+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? ionic_tx_cq_service+0x25d/0xa00 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\nionic_cq_service+0x69/0x150 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\nionic_txrx_napi+0x11a/0x540 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n__napi_poll.constprop.0+0xa0/0x440\nnet_rx_action+0x7e7/0xc30\n? __pfx_net_rx_action+0x10/0x10"}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-07-15T06:51:13.743Z"}}}, "cveMetadata": {"cveId": "CVE-2024-40907", "state": "PUBLISHED", "dateUpdated": "2024-09-11T17:34:37.786Z", "dateReserved": "2024-07-12T12:17:45.580Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-07-12T12:20:47.151Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2E0E6CD-2DC0-4E5C-9037-9A023960B2F9", "versionEndExcluding": "6.9.6", "versionStartIncluding": "6.9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*", "matchCriteriaId": "2EBB4392-5FA6-4DA9-9772-8F9C750109FA", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*", "matchCriteriaId": "331C2F14-12C7-45D5-893D-8C52EE38EA10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: fix kernel panic in XDP_TX action\n\nIn the XDP_TX path, ionic driver sends a packet to the TX path with rx\npage and corresponding dma address.\nAfter tx is done, ionic_tx_clean() frees that page.\nBut RX ring buffer isn't reset to NULL.\nSo, it uses a freed page, which causes kernel panic.\n\nBUG: unable to handle page fault for address: ffff8881576c110c\nPGD 773801067 P4D 773801067 PUD 87f086067 PMD 87efca067 PTE 800ffffea893e060\nOops: Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI\nCPU: 1 PID: 25 Comm: ksoftirqd/1 Not tainted 6.9.0+ #11\nHardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021\nRIP: 0010:bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f\nCode: 00 53 41 55 41 56 41 57 b8 01 00 00 00 48 8b 5f 08 4c 8b 77 00 4c 89 f7 48 83 c7 0e 48 39 d8\nRSP: 0018:ffff888104e6fa28 EFLAGS: 00010283\nRAX: 0000000000000002 RBX: ffff8881576c1140 RCX: 0000000000000002\nRDX: ffffffffc0051f64 RSI: ffffc90002d33048 RDI: ffff8881576c110e\nRBP: ffff888104e6fa88 R08: 0000000000000000 R09: ffffed1027a04a23\nR10: 0000000000000000 R11: 0000000000000000 R12: ffff8881b03a21a8\nR13: ffff8881589f800f R14: ffff8881576c1100 R15: 00000001576c1100\nFS: 0000000000000000(0000) GS:ffff88881ae00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffff8881576c110c CR3: 0000000767a90000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n<TASK>\n? __die+0x20/0x70\n? page_fault_oops+0x254/0x790\n? __pfx_page_fault_oops+0x10/0x10\n? __pfx_is_prefetch.constprop.0+0x10/0x10\n? search_bpf_extables+0x165/0x260\n? fixup_exception+0x4a/0x970\n? exc_page_fault+0xcb/0xe0\n? asm_exc_page_fault+0x22/0x30\n? 0xffffffffc0051f64\n? bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f\n? do_raw_spin_unlock+0x54/0x220\nionic_rx_service+0x11ab/0x3010 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? ionic_tx_clean+0x29b/0xc60 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? __pfx_ionic_tx_clean+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? ionic_tx_cq_service+0x25d/0xa00 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\nionic_cq_service+0x69/0x150 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\nionic_txrx_napi+0x11a/0x540 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n__napi_poll.constprop.0+0xa0/0x440\nnet_rx_action+0x7e7/0xc30\n? __pfx_net_rx_action+0x10/0x10"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: ionic: corrige el p\u00e1nico del kernel en la acci\u00f3n XDP_TX En la ruta XDP_TX, el controlador ionic env\u00eda un paquete a la ruta TX con la p\u00e1gina rx y la direcci\u00f3n dma correspondiente. Una vez finalizada la transmisi\u00f3n, ionic_tx_clean() libera esa p\u00e1gina. Pero el b\u00fafer de anillo RX no se restablece a NULL. Por lo tanto, utiliza una p\u00e1gina liberada, lo que provoca p\u00e1nico en el kernel. ERROR: no se puede manejar el error de p\u00e1gina para la direcci\u00f3n: ffff8881576c110c PGD 773801067 P4D 773801067 PUD 87f086067 PMD 87efca067 PTE 800ffffea893e060 Ups: Ups: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI CPU: 1 PID: 25 Comunicaciones: ksoftirqd/1 No contaminado 6.9. 0+ #11 Nombre del hardware: Nombre del producto del sistema ASUS/PRIME Z690-P D4, BIOS 0603 01/11/2021 RIP: 0010:bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f C\u00f3digo: 00 53 41 55 41 56 41 57 b8 01 0 00 00 48 8b 5f 08 4c 8b 77 00 4c 89 f7 48 83 c7 0e 48 39 d8 RSP: 0018:ffff888104e6fa28 EFLAGS: 00010283 RAX: 0000000000000002 RBX: ffff8881576c1140 RCX: 0000000000000002 RDX: ffffffffc0051f64 RSI: ffffc90002d33048 RDI: ffff8881576c110e RBP: ffff888104e6fa88 R08: 0000000000000000 R09 : ffffed1027a04a23 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881b03a21a8 R13: ffff8881589f800f R14: ffff8881576c1100 R15: 0001576c1100 FS: 0000000000000000(0000) GS:ffff88881ae00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 ffff8881576c110c CR3: 0000000767a90000 CR4: 00000000007506f0 PKRU: 55555554 Seguimiento de llamadas: ? __morir+0x20/0x70 ? page_fault_oops+0x254/0x790? __pfx_page_fault_oops+0x10/0x10? __pfx_is_prefetch.constprop.0+0x10/0x10 ? search_bpf_extables+0x165/0x260? fixup_exception+0x4a/0x970? exc_page_fault+0xcb/0xe0? asm_exc_page_fault+0x22/0x30? 0xffffffffc0051f64? bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f? do_raw_spin_unlock+0x54/0x220 ionic_rx_service+0x11ab/0x3010 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]? ionic_tx_clean+0x29b/0xc60 [i\u00f3nico 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]? __pfx_ionic_tx_clean+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]? ionic_tx_cq_service+0x25d/0xa00 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864] ionic_cq_service+0x69/0x150 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864] x_napi+0x11a/0x540 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864] __napi_poll.constprop.0+0xa0/0x440 net_rx_action+0x7e7/0xc30 ? __pfx_net_rx_action+0x10/0x10"}], "id": "CVE-2024-40907", "lastModified": "2024-08-29T14:48:30.593", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-12T13:15:13.987", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/491aee894a08bc9b8bb52e7363b9d4bc6403f363"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8812aa35f3e930f61074b9c1ecea26f354992c21"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: ionic: fix kernel panic in XDP_TX action", "id": "2297491", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2297491"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nionic: fix kernel panic in XDP_TX action\nIn the XDP_TX path, ionic driver sends a packet to the TX path with rx\npage and corresponding dma address.\nAfter tx is done, ionic_tx_clean() frees that page.\nBut RX ring buffer isn't reset to NULL.\nSo, it uses a freed page, which causes kernel panic.\nBUG: unable to handle page fault for address: ffff8881576c110c\nPGD 773801067 P4D 773801067 PUD 87f086067 PMD 87efca067 PTE 800ffffea893e060\nOops: Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI\nCPU: 1 PID: 25 Comm: ksoftirqd/1 Not tainted 6.9.0+ #11\nHardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021\nRIP: 0010:bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f\nCode: 00 53 41 55 41 56 41 57 b8 01 00 00 00 48 8b 5f 08 4c 8b 77 00 4c 89 f7 48 83 c7 0e 48 39 d8\nRSP: 0018:ffff888104e6fa28 EFLAGS: 00010283\nRAX: 0000000000000002 RBX: ffff8881576c1140 RCX: 0000000000000002\nRDX: ffffffffc0051f64 RSI: ffffc90002d33048 RDI: ffff8881576c110e\nRBP: ffff888104e6fa88 R08: 0000000000000000 R09: ffffed1027a04a23\nR10: 0000000000000000 R11: 0000000000000000 R12: ffff8881b03a21a8\nR13: ffff8881589f800f R14: ffff8881576c1100 R15: 00000001576c1100\nFS: 0000000000000000(0000) GS:ffff88881ae00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffff8881576c110c CR3: 0000000767a90000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n<TASK>\n? __die+0x20/0x70\n? page_fault_oops+0x254/0x790\n? __pfx_page_fault_oops+0x10/0x10\n? __pfx_is_prefetch.constprop.0+0x10/0x10\n? search_bpf_extables+0x165/0x260\n? fixup_exception+0x4a/0x970\n? exc_page_fault+0xcb/0xe0\n? asm_exc_page_fault+0x22/0x30\n? 0xffffffffc0051f64\n? bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f\n? do_raw_spin_unlock+0x54/0x220\nionic_rx_service+0x11ab/0x3010 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? ionic_tx_clean+0x29b/0xc60 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? __pfx_ionic_tx_clean+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? ionic_tx_cq_service+0x25d/0xa00 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\nionic_cq_service+0x69/0x150 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\nionic_txrx_napi+0x11a/0x540 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n__napi_poll.constprop.0+0xa0/0x440\nnet_rx_action+0x7e7/0xc30\n? __pfx_net_rx_action+0x10/0x10"], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-40907", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-07-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-40907\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-40907\nhttps://lore.kernel.org/linux-cve-announce/2024071209-CVE-2024-40907-5305@gregkh/T"], "threat_severity": "Moderate", "upstream_fix": "kernel 6.9.6, kernel 6.10-rc3"}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object