Bug 2313147 (CVE-2024-46799)

Summary: CVE-2024-46799 kernel: net: ethernet: ti: am65-cpsw: Fix NULL dereference on XDP_TX
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dfreiber, drow, jburrell, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the Linux kernel's net: ethernet: ti: am65-cpsw driver, which caused a NULL pointer dereference when Express Data Path (XDP) traffic was transmitted with only one TX queue configured. This issue occurred due to the incorrect use of the maximum number of TX queues instead of the actual number in the am65_cpsw_ndo_xdp_xmit() function.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2313282    
Bug Blocks:    

Description OSIDB Bzimport 2024-09-18 08:23:37 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: ti: am65-cpsw: Fix NULL dereference on XDP_TX

If number of TX queues are set to 1 we get a NULL pointer
dereference during XDP_TX.

~# ethtool -L eth0 tx 1
~# ./xdp-trafficgen udp -A <ipv6-src> -a <ipv6-dst> eth0 -t 2
Transmitting on eth0 (ifindex 2)
[  241.135257] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030

Fix this by using actual TX queues instead of max TX queues
when picking the TX channel in am65_cpsw_ndo_xdp_xmit().
Comment 1 Michal Findra 2024-09-18 12:36:22 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024091856-CVE-2024-46799-cc5c@gregkh/T