{
  "threat_severity" : "Moderate",
  "public_date" : "2024-07-30T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values",
    "id" : "2301477",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2301477"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-400",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nwifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values\nsyzbot is able to trigger softlockups, setting NL80211_ATTR_TXQ_QUANTUM\nto 2^31.\nWe had a similar issue in sch_fq, fixed with commit\nd9e15a273306 (\"pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM\")\nwatchdog: BUG: soft lockup - CPU#1 stuck for 26s! [kworker/1:0:24]\nModules linked in:\nirq event stamp: 131135\nhardirqs last  enabled at (131134): [<ffff80008ae8778c>] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:85 [inline]\nhardirqs last  enabled at (131134): [<ffff80008ae8778c>] exit_to_kernel_mode+0xdc/0x10c arch/arm64/kernel/entry-common.c:95\nhardirqs last disabled at (131135): [<ffff80008ae85378>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\nhardirqs last disabled at (131135): [<ffff80008ae85378>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\nsoftirqs last  enabled at (125892): [<ffff80008907e82c>] neigh_hh_init net/core/neighbour.c:1538 [inline]\nsoftirqs last  enabled at (125892): [<ffff80008907e82c>] neigh_resolve_output+0x268/0x658 net/core/neighbour.c:1553\nsoftirqs last disabled at (125896): [<ffff80008904166c>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19\nCPU: 1 PID: 24 Comm: kworker/1:0 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nWorkqueue: mld mld_ifc_work\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __list_del include/linux/list.h:195 [inline]\npc : __list_del_entry include/linux/list.h:218 [inline]\npc : list_move_tail include/linux/list.h:310 [inline]\npc : fq_tin_dequeue include/net/fq_impl.h:112 [inline]\npc : ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854\nlr : __list_del_entry include/linux/list.h:218 [inline]\nlr : list_move_tail include/linux/list.h:310 [inline]\nlr : fq_tin_dequeue include/net/fq_impl.h:112 [inline]\nlr : ieee80211_tx_dequeue+0x67c/0x3b4c net/mac80211/tx.c:3854\nsp : ffff800093d36700\nx29: ffff800093d36a60 x28: ffff800093d36960 x27: dfff800000000000\nx26: ffff0000d800ad50 x25: ffff0000d800abe0 x24: ffff0000d800abf0\nx23: ffff0000e0032468 x22: ffff0000e00324d4 x21: ffff0000d800abf0\nx20: ffff0000d800abf8 x19: ffff0000d800abf0 x18: ffff800093d363c0\nx17: 000000000000d476 x16: ffff8000805519dc x15: ffff7000127a6cc8\nx14: 1ffff000127a6cc8 x13: 0000000000000004 x12: ffffffffffffffff\nx11: ffff7000127a6cc8 x10: 0000000000ff0100 x9 : 0000000000000000\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : ffff80009287aa08 x4 : 0000000000000008 x3 : ffff80008034c7fc\nx2 : ffff0000e0032468 x1 : 00000000da0e46b8 x0 : ffff0000e0032470\nCall trace:\n__list_del include/linux/list.h:195 [inline]\n__list_del_entry include/linux/list.h:218 [inline]\nlist_move_tail include/linux/list.h:310 [inline]\nfq_tin_dequeue include/net/fq_impl.h:112 [inline]\nieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854\nwake_tx_push_queue net/mac80211/util.c:294 [inline]\nieee80211_handle_wake_tx_queue+0x118/0x274 net/mac80211/util.c:315\ndrv_wake_tx_queue net/mac80211/driver-ops.h:1350 [inline]\nschedule_and_wake_txq net/mac80211/driver-ops.h:1357 [inline]\nieee80211_queue_skb+0x18e8/0x2244 net/mac80211/tx.c:1664\nieee80211_tx+0x260/0x400 net/mac80211/tx.c:1966\nieee80211_xmit+0x278/0x354 net/mac80211/tx.c:2062\n__ieee80211_subif_start_xmit+0xab8/0x122c net/mac80211/tx.c:4338\nieee80211_subif_start_xmit+0xe0/0x438 net/mac80211/tx.c:4532\n__netdev_start_xmit include/linux/netdevice.h:4903 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4917 [inline]\nxmit_one net/core/dev.c:3531 [inline]\ndev_hard_start_xmit+0x27c/0x938 net/core/dev.c:3547\n__dev_queue_xmit+0x1678/0x33fc net/core/dev.c:4341\ndev_queue_xmit include/linux/netdevice.h:3091 [inline]\nneigh_resolve_output+0x558/0x658 net/core/neighbour.c:1563\nneigh_output include/net/neighbour.h:542 [inline]\nip6_fini\n---truncated---", "A vulnerability was found in the cfg80211 component in the Linux kernel, where a lack of proper range validation applied to the NL80211_ATTR_TXQ_QUANTUM can lead to a scenario where the userspace passes an extremely high value that the kernel is not designed to handle efficiently (ex. 2^31). This can cause soft lockups and system instability." ],
  "statement" : "Red Hat believes this flaw is moderate severity because the privileges necessary to effectively trigger this vulnerability require the user to be able to craft and send a Netlink message with the NL80211_ATTR_TXQ_QUANTUM parameter set to an abnormally high value. The permissions necessary to set this value would require CAP_NET_ADMIN.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:7001",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.22.1.rt7.363.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:7000",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.22.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-04-30T00:00:00Z",
    "advisory" : "RHSA-2025:4342",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.66.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-42114\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-42114\nhttps://lore.kernel.org/linux-cve-announce/2024073022-CVE-2024-42114-4585@gregkh/T" ],
  "name" : "CVE-2024-42114",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}