Entreprise d'experts en Sécurité Informatique : Audits et conseils en cybersécurité
Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2024-50040

Description

In the Linux kernel, the following vulnerability has been resolved:igb: Do not bring the device up after non-fatal errorCommit 004d25060c78 ("igb: Fix igb_down hung on surprise removal")changed igb_io_error_detected() to ignore non-fatal pcie errors in orderto avoid hung task that can happen when igb_down() is called multipletimes. This caused an issue when processing transient non-fatal errors.igb_io_resume(), which is called after igb_io_error_detected(), assumesthat device is brought down by igb_io_error_detected() if the interfaceis up. This resulted in panic with stacktrace below.[ T3256] igb 0000:09:00.0 haeth0: igb: haeth0 NIC Link is Down[ T292] pcieport 0000:00:1c.5: AER: Uncorrected (Non-Fatal) error received: 0000:09:00.0[ T292] igb 0000:09:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fatal), type=Transaction Layer, (Requester ID)[ T292] igb 0000:09:00.0: device [8086:1537] error status/mask=00004000/00000000[ T292] igb 0000:09:00.0: [14] CmpltTO [ 200.105524,009][ T292] igb 0000:09:00.0: AER: TLP Header: 00000000 00000000 00000000 00000000[ T292] pcieport 0000:00:1c.5: AER: broadcast error_detected message[ T292] igb 0000:09:00.0: Non-correctable non-fatal error reported.[ T292] pcieport 0000:00:1c.5: AER: broadcast mmio_enabled message[ T292] pcieport 0000:00:1c.5: AER: broadcast resume message[ T292] ------------[ cut here ]------------[ T292] kernel BUG at net/core/dev.c:6539![ T292] invalid opcode: 0000 [#1] PREEMPT SMP[ T292] RIP: 0010:napi_enable+0x37/0x40[ T292] Call Trace:[ T292] [ T292] ? die+0x33/0x90[ T292] ? do_trap+0xdc/0x110[ T292] ? napi_enable+0x37/0x40[ T292] ? do_error_trap+0x70/0xb0[ T292] ? napi_enable+0x37/0x40[ T292] ? napi_enable+0x37/0x40[ T292] ? exc_invalid_op+0x4e/0x70[ T292] ? napi_enable+0x37/0x40[ T292] ? asm_exc_invalid_op+0x16/0x20[ T292] ? napi_enable+0x37/0x40[ T292] igb_up+0x41/0x150[ T292] igb_io_resume+0x25/0x70[ T292] report_resume+0x54/0x70[ T292] ? report_frozen_detected+0x20/0x20[ T292] pci_walk_bus+0x6c/0x90[ T292] ? aer_print_port_info+0xa0/0xa0[ T292] pcie_do_recovery+0x22f/0x380[ T292] aer_process_err_devices+0x110/0x160[ T292] aer_isr+0x1c1/0x1e0[ T292] ? disable_irq_nosync+0x10/0x10[ T292] irq_thread_fn+0x1a/0x60[ T292] irq_thread+0xe3/0x1a0[ T292] ? irq_set_affinity_notifier+0x120/0x120[ T292] ? irq_affinity_notify+0x100/0x100[ T292] kthread+0xe2/0x110[ T292] ? kthread_complete_and_exit+0x20/0x20[ T292] ret_from_fork+0x2d/0x50[ T292] ? kthread_complete_and_exit+0x20/0x20[ T292] ret_from_fork_asm+0x11/0x20[ T292] To fix this issue igb_io_resume() checks if the interface is running andthe device is not down this means igb_io_error_detected() did not bringthe device down and there is no need to bring it up.

POC

Reference

No PoCs from references.

Github

- https://github.com/w4zu/Debian_security