2311728 – (CVE-2024-45030) CVE-2024-45030 kernel: igb: cope with large MAX_SKB_FRAGS

Bug 2311728 (CVE-2024-45030) - CVE-2024-45030 kernel: igb: cope with large MAX_SKB_FRAGS

Summary: CVE-2024-45030 kernel: igb: cope with large MAX_SKB_FRAGS

Keywords:
Status:	NEW
Alias:	CVE-2024-45030
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2311778
Blocks:
TreeView+	depends on / blocked

Reported:	2024-09-11 16:21 UTC by OSIDB Bzimport
Modified:	2024-09-13 10:15 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-09-11 16:21:33 UTC

In the Linux kernel, the following vulnerability has been resolved:

igb: cope with large MAX_SKB_FRAGS

Sabrina reports that the igb driver does not cope well with large
MAX_SKB_FRAG values: setting MAX_SKB_FRAG to 45 causes payload
corruption on TX.

An easy reproducer is to run ssh to connect to the machine.  With
MAX_SKB_FRAGS=17 it works, with MAX_SKB_FRAGS=45 it fails.  This has
been reported originally in
https://bugzilla.redhat.com/show_bug.cgi?id=2265320

The root cause of the issue is that the driver does not take into
account properly the (possibly large) shared info size when selecting
the ring layout, and will try to fit two packets inside the same 4K
page even when the 1st fraglist will trump over the 2nd head.

Address the issue by checking if 2K buffers are insufficient.

Comment 1 Michal Findra 2024-09-11 18:03:28 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024091110-CVE-2024-45030-c2eb@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.