In the Linux kernel, the following vulnerability has been resolved:

virtio_net: Do not send RSS key if it is not supported

There is a bug when setting the RSS options in virtio_net that can break the whole machine, getting the kernel into an infinite loop.

Running the following command in any QEMU virtual machine with virtionet will reproduce this problem:

    # ethtool -X eth0 hfunc toeplitz

This is how the problem happens:

1) ethtool_set_rxfh() calls virtnet_set_rxfh()

2) virtnet_set_rxfh() calls virtnet_commit_rss_command()

3) virtnet_commit_rss_command() populates 4 entries for the rss scatter-gather

4) Since the command above does not have a key, then the last scatter-gather entry will be zeroed, since rss_key_size == 0.

    sg_buf_size = vi->rss_key_size;

5) This buffer is passed to qemu, but qemu is not happy with a buffer with zero length, and does the following in virtqueue_map_desc() (QEMU function):

    if (!sz) {
        virtio_error(vdev, "virtio: zero sized buffers are not allowed");

6) virtio_error() (also QEMU function) sets the device as broken

    vdev->broken = true;

7) Qemu bails out, and does not respond to this crazy kernel.

8) The kernel is waiting for the response to come back (function virtnet_send_command())

9) The kernel is waiting doing the following:

    while (!virtqueue_get_buf(vi->cvq, &tmp) &&
           !virtqueue_is_broken(vi->cvq))
        cpu_relax();

10) None of the following functions above is true, thus, the kernel loops here forever. Keeping in mind that virtqueue_is_broken() does not look at the qemu vdev->broken, so, it never realizes that the virtio is broken at QEMU side.

Fix it by not sending RSS commands if the feature is not available in the device.
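
The sequence above can be followed in a small userspace model. This is an added example, not code from the kernel, QEMU or this advisory; every struct, function and constant name in it, the placeholder buffer sizes and the spin limit are assumptions made for illustration.

```c
/* Userspace model of the hang described above. Not kernel or QEMU code;
 * every name here is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define SPIN_LIMIT 1000000UL  /* model only: bounds the loop that never ends in the real bug */

enum result { CMD_OK, CMD_FAILED, CMD_SKIPPED, CMD_HUNG };
struct sg_entry { const void *buf; size_t len; };
struct model_dev { bool broken, replied; };   /* device side; broken ~ vdev->broken */
struct model_drv { bool has_rss; size_t rss_key_size; bool vq_broken; }; /* guest side */

/* Device: a zero-sized buffer marks the device broken and no reply is sent. */
static void device_process(struct model_dev *d, const struct sg_entry *sg, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!sg[i].len) { d->broken = true; return; }
    d->replied = true;
}

static enum result commit_rss(struct model_drv *drv, struct model_dev *dev, bool fixed)
{
    static const unsigned char placeholder[8] = {0}, key[40] = {0};

    if (fixed && !drv->has_rss)
        return CMD_SKIPPED;       /* the fix: do not send RSS commands at all */

    struct sg_entry sg[4] = {     /* first three entries are constructed placeholders */
        { placeholder, 4 }, { placeholder, 8 }, { placeholder, 4 },
        { key, drv->rss_key_size },           /* zero length when there is no key */
    };
    device_process(dev, sg, 4);

    /* Same exit conditions as the wait loop: a reply, or the guest-side broken
     * flag. The device-side flag is invisible here, so neither ever becomes true. */
    for (unsigned long spins = 0; spins < SPIN_LIMIT; spins++)
        if (dev->replied || drv->vq_broken)
            return dev->replied ? CMD_OK : CMD_FAILED;
    return CMD_HUNG;
}

int main(void)
{
    struct model_drv no_rss = { false, 0, false };
    struct model_dev before = {0}, after = {0};
    printf("unfixed: %d, fixed: %d\n", commit_rss(&no_rss, &before, false),
           commit_rss(&no_rss, &after, true));
    return 0;
}
```
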
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 24.04 | noarch | linux | < 6.8.0-38.38 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-aws | < 6.8.0-1011.12 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-azure | < 6.8.0-1010.10 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure-6.5 | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-gcp | < 6.8.0-1010.11 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-gcp-6.5 | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-gke | < 6.8.0-1006.9 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-ibm | < 6.8.0-1008.8 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-intel | < 6.8.0-1007.14 | UNKNOWN |
git.kernel.org/linus/059a49aa2e25c58f90b50151f109dd3c4cdb3a47 (6.9-rc4)
git.kernel.org/stable/c/059a49aa2e25c58f90b50151f109dd3c4cdb3a47
git.kernel.org/stable/c/28e9a64638cd16bc1ecac9ff74ffeacb9fb652de
git.kernel.org/stable/c/43a71c1b4b3a6d4db857b1435d271540279fc7de
git.kernel.org/stable/c/539a2b995a4ed93125cb0efae0f793b00ab2158b
launchpad.net/bugs/cve/CVE-2024-35981
nvd.nist.gov/vuln/detail/CVE-2024-35981
security-tracker.debian.org/tracker/CVE-2024-35981
ubuntu.com/security/notices/USN-6893-1
ubuntu.com/security/notices/USN-6893-2
ubuntu.com/security/notices/USN-6893-3
ubuntu.com/security/notices/USN-6918-1
www.cve.org/CVERecord?id=CVE-2024-35981