CVE-2024-46770

MEDIUM

Linux Kernel 4.17-6.10.9 NULL Pointer Dereference via Ethtool Coalesce Settings

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: ice: Add netif_device_attach/detach into PF reset flow Ethtool callbacks can be executed while reset is in progress and try to access deleted resources, e.g. getting coalesce settings can result in a NULL pointer dereference seen below. Reproduction steps: Once the driver is fully initialized, trigger reset: # echo 1 > /sys/class/net/<interface>/device/reset when reset is in progress try to get coalesce settings using ethtool: # ethtool -c <interface> BUG: kernel NULL pointer dereference, address: 0000000000000020 PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 11 PID: 19713 Comm: ethtool Tainted: G S 6.10.0-rc7+ #7 RIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice] RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206 RAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000 R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40 FS: 00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0 Call Trace: <TASK> ice_get_coalesce+0x17/0x30 [ice] coalesce_prepare_data+0x61/0x80 ethnl_default_doit+0xde/0x340 genl_family_rcv_msg_doit+0xf2/0x150 genl_rcv_msg+0x1b3/0x2c0 netlink_rcv_skb+0x5b/0x110 genl_rcv+0x28/0x40 netlink_unicast+0x19c/0x290 netlink_sendmsg+0x222/0x490 __sys_sendto+0x1df/0x1f0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x82/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7faee60d8e27 Calling netif_device_detach() before reset makes the net core not call the driver when ethtool command is issued, the attempt to execute an ethtool command during reset will result in the following message: netlink error: No such device instead of NULL pointer dereference. Once reset is done and ice_rebuild() is executing, the netif_device_attach() is called to allow for ethtool operations to occur again in a safe manner.

References (6)

Core 6

Core References

Mailing List

https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html

https://git.kernel.org/stable/c/721f27f489a47ed0d8690b73fc1f070c2eb180cf

Patch

https://git.kernel.org/stable/c/9e3ffb839249eca113062587659224f856fe14e5

Patch

https://git.kernel.org/stable/c/efe8effe138044a4747d1112ebb8c454d1663723

Patch

https://git.kernel.org/stable/c/36486c9e8e01b84faaee47203eac0b7e9cc7fa4a

Patch

https://git.kernel.org/stable/c/d11a67634227f9f9da51938af085fb41a733848f

Scores

CVSS v3 5.5

EPSS 0.0024

EPSS Percentile 15.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-476

Status published

Products (17)

linux/Kernel 4.17.0 - 6.1.110linux

linux/Kernel 6.2.0 - 6.6.51linux

linux/Kernel 6.7.0 - 6.10.10linux

Linux/Linux < 4.17

Linux/Linux 4.17

Linux/Linux 5.15.209 - 5.15.*

Linux/Linux 6.1.110 - 6.1.*

Linux/Linux 6.10.10 - 6.10.*

Linux/Linux 6.11

Linux/Linux 6.6.51 - 6.6.*

... and 7 more

Published Sep 18, 2024

Tracked Since Feb 18, 2026