CVE-2024-39506
liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet
In lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value,
but then it is unconditionally passed to skb_add_rx_frag() which looks
strange and could lead to null pointer dereference.
lio_vf_rep_copy_packet() call trace looks like:
octeon_droq_process_packets
octeon_droq_fast_process_packets
octeon_droq_dispatch_pkt
octeon_create_recv_info
...search in the dispatch_list...
->disp_fn(rdisp->rinfo, ...)
lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, ...)
In this path there is no code which sets pg_info->page to NULL.
So this check looks unneeded and doesn't solve potential problem.
But I guess the author had reason to add a check and I have no such card
and can't do real test.
In addition, the code in the function liquidio_push_packet() in
liquidio/lio_core.c does exactly the same.
Based on this, I consider the most acceptable compromise solution to
adjust this issue by moving skb_add_rx_frag() into conditional scope.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-06-25 CVE Reserved
- 2024-07-12 CVE Published
- 2024-08-29 EPSS Updated
- 2024-09-11 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-476: NULL Pointer Dereference
CAPEC
References (11)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/1f233f327913f3dee0602cba9c64df1903772b55 | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2024-39506 | 2024-09-24 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2297478 | 2024-09-24 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.15 < 4.19.317 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 4.19.317" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.15 < 5.4.279 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 5.4.279" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.15 < 5.10.221 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 5.10.221" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.15 < 5.15.162 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 5.15.162" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.15 < 6.1.95 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 6.1.95" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.15 < 6.6.35 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 6.6.35" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.15 < 6.9.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 6.9.6" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.15 < 6.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 6.10" | en |
Affected
| ||||||