{
  "threat_severity" : "Moderate",
  "public_date" : "2024-07-12T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ionic: fix use after netif_napi_del()",
    "id" : "2297474",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2297474"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nionic: fix use after netif_napi_del()\nWhen queues are started, netif_napi_add() and napi_enable() are called.\nIf there are 4 queues and only 3 queues are used for the current\nconfiguration, only 3 queues' napi should be registered and enabled.\nThe ionic_qcq_enable() checks whether the .poll pointer is not NULL for\nenabling only the using queue' napi. Unused queues' napi will not be\nregistered by netif_napi_add(), so the .poll pointer indicates NULL.\nBut it couldn't distinguish whether the napi was unregistered or not\nbecause netif_napi_del() doesn't reset the .poll pointer to NULL.\nSo, ionic_qcq_enable() calls napi_enable() for the queue, which was\nunregistered by netif_napi_del().\nReproducer:\nethtool -L <interface name> rx 1 tx 1 combined 0\nethtool -L <interface name> rx 0 tx 0 combined 1\nethtool -L <interface name> rx 0 tx 0 combined 4\nSplat looks like:\nkernel BUG at net/core/dev.c:6666!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16\nWorkqueue: events ionic_lif_deferred_work [ionic]\nRIP: 0010:napi_enable+0x3b/0x40\nCode: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f\nRSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029\nRDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28\nRBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001\nR10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000\nR13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20\nFS:  0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n<TASK>\n? die+0x33/0x90\n? do_trap+0xd9/0x100\n? napi_enable+0x3b/0x40\n? do_error_trap+0x83/0xb0\n? napi_enable+0x3b/0x40\n? napi_enable+0x3b/0x40\n? exc_invalid_op+0x4e/0x70\n? napi_enable+0x3b/0x40\n? asm_exc_invalid_op+0x16/0x20\n? napi_enable+0x3b/0x40\nionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\nionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\nionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\nionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\nprocess_one_work+0x145/0x360\nworker_thread+0x2bb/0x3d0\n? __pfx_worker_thread+0x10/0x10\nkthread+0xcc/0x100\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x2d/0x50\n? __pfx_kthread+0x10/0x10\nret_from_fork_asm+0x1a/0x30", "A vulnerability was found in the Linux kernel's Ionic driver in the ionic_qcq_enable() function, where the issue arises when the driver fails to reset the .poll pointer to NULL after a queue is unregistered via netif_napi_del(), leading to a use-after-free scenario when attempting to enable a previously unregistered NAPI, which result in kernel crashes or invalid opcode errors." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-08-08T00:00:00Z",
    "advisory" : "RHSA-2024:5102",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.16.1.rt7.357.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-08-08T00:00:00Z",
    "advisory" : "RHSA-2024:5101",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.16.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5266",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.138.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5282",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.4::nfv",
    "package" : "kernel-rt-0:4.18.0-305.138.1.rt7.214.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5266",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.4",
    "package" : "kernel-0:4.18.0-305.138.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5266",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.4",
    "package" : "kernel-0:4.18.0-305.138.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5281",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.118.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5281",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.118.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5281",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.118.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2024-09-03T00:00:00Z",
    "advisory" : "RHSA-2024:6206",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.8",
    "package" : "kernel-0:4.18.0-477.70.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-10-16T00:00:00Z",
    "advisory" : "RHSA-2024:8162",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.40.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-10-16T00:00:00Z",
    "advisory" : "RHSA-2024:8162",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.40.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5257",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.112.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5256",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.112.1.rt21.184.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-09-04T00:00:00Z",
    "advisory" : "RHSA-2024:6267",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "kernel-0:5.14.0-284.82.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-09-04T00:00:00Z",
    "advisory" : "RHSA-2024:6268",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.82.1.rt14.367.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-39502\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-39502\nhttps://lore.kernel.org/linux-cve-announce/2024071204-CVE-2024-39502-afe9@gregkh/T" ],
  "name" : "CVE-2024-39502",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}