In the Linux kernel, the following vulnerability has been resolved:
net: napi: Prevent overflow of napi_defer_hard_irqs
In commit 6f8b12d661d0 ("net: napi: add hard irqs deferral feature")
napi_defer_irqs was added to net_device and napi_defer_irqs_count was
added to napi_struct, both as type int.
This value never goes below zero, so there is not reason for it to be a
signed int. Change the type for both from int to u32, and add an
overflow check to sysfs to limit the value to S32_MAX.
The limit of S32_MAX was chosen because the practical limit before this
patch was S32_MAX (anything larger was an overflow) and thus there are
no behavioral changes introduced. If the extra bit is needed in the
future, the limit can be raised.
Before this patch:
$ sudo bash -c 'echo 2147483649 > /sys/class/net/eth4/napi_defer_hard_irqs'
$ cat /sys/class/net/eth4/napi_defer_hard_irqs
-2147483647
After this patch:
$ sudo bash -c 'echo 2147483649 > /sys/class/net/eth4/napi_defer_hard_irqs'
bash: line 0: echo: write error: Numerical result out of range
Similarly, /sys/class/net/XXXXX/tx_queue_len is defined as unsigned:
include/linux/netdevice.h: unsigned int tx_queue_len;
And has an overflow check:
dev_change_tx_queue_len(..., unsigned long new_len):
if (new_len != (unsigned int)new_len)
return -ERANGE;
References
Configurations
Configuration 1 (hide)
|
History
25 Oct 2024, 20:14
Type | Values Removed | Values Added |
---|---|---|
References | () https://git.kernel.org/stable/c/08062af0a52107a243f7608fd972edb54ca5b7f8 - Patch | |
References | () https://git.kernel.org/stable/c/5e753b743d3b38a3e10be666c32c5434423d0093 - Patch | |
References | () https://git.kernel.org/stable/c/d694ad8b7e5004df86ecd415cb2320d543723672 - Patch | |
Summary | (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: napi: Prevenir el desbordamiento de napi_defer_hard_irqs En el commit 6f8b12d661d0 ("net: napi: agregar característica de aplazamiento de irqs duras") se agregó napi_defer_irqs a net_device y napi_defer_irqs_count a napi_struct, ambos como tipo int. Este valor nunca baja de cero, por lo que no hay razón para que sea un int con signo. Cambie el tipo para ambos de int a u32 y agregue una comprobación de desbordamiento a sysfs para limitar el valor a S32_MAX. El límite de S32_MAX se eligió porque el límite práctico antes de este parche era S32_MAX (cualquier valor mayor era un desbordamiento) y, por lo tanto, no se introdujeron cambios de comportamiento. Si se necesita el bit adicional en el futuro, se puede aumentar el límite. Antes de este parche: $ sudo bash -c 'echo 2147483649 > /sys/class/net/eth4/napi_defer_hard_irqs' $ cat /sys/class/net/eth4/napi_defer_hard_irqs -2147483647 Después de este parche: $ sudo bash -c 'echo 2147483649 > /sys/class/net/eth4/napi_defer_hard_irqs' bash: línea 0: echo: error de escritura: resultado numérico fuera de rango De manera similar, /sys/class/net/XXXXX/tx_queue_len se define como unsigned: include/linux/netdevice.h: unsigned int tx_queue_len; Y tiene una comprobación de desbordamiento: dev_change_tx_queue_len(..., unsigned long new_len): if (new_len != (unsigned int)new_len) return -ERANGE; | |
First Time |
Linux linux Kernel
Linux |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.5 |
CWE | CWE-190 | |
CPE | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
23 Oct 2024, 15:13
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
21 Oct 2024, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-21 19:15
Updated : 2024-10-25 20:14
NVD link : CVE-2024-50018
Mitre link : CVE-2024-50018
CVE.ORG link : CVE-2024-50018
JSON object : View
Products Affected
linux
- linux_kernel
CWE
CWE-190
Integer Overflow or Wraparound