CVE-2022-48842: Linux Kernel ice Vulnerability Fixed - Race Condition during Interface Enslave

A recently reported vulnerability in the Linux kernel's ice driver, CVE-2022-48842, has been addressed. The bug could lead to a deadlock when an interface rapidly enters and leaves a Link Aggregation Group (LAG). The fix resolves a race condition that occurred during the interface enslave process.

The issue was introduced by commit 5dbbbd01cbba83 ("ice: Avoid RTNL lock when re-creating auxiliary device"), which changed the re-creation of the auxiliary device so that ice_plug_aux_dev() is called from the ice_service_task() context. That change, however, opened a race window that could result in a deadlock.

A script was developed to reproduce this issue, as follows:

#!/bin/sh

# Create a bond in active-backup mode (mode 1) with link monitoring every 100 ms
ip link add lag type bond mode 1 miimon 100
ip link set lag

# Enslave and release the interface ten times; $(seq) replaces the bash-only
# {1..10} brace expansion so the loop also runs under /bin/sh as the shebang says
for n in $(seq 1 10); do
        echo Cycle: $n
        ip link set ens7f master lag
        sleep 1
        ip link set ens7f nomaster
done

The script repeatedly adds the interface (ens7f) to the bond (lag) and removes it again. In some cases this leads to a deadlock, as shown by the call trace logs in the original source.

The root cause of the deadlock was the interaction between the RTNL lock, the device lock, and the auxiliary device creation process. This interaction occurred in a four-step process, as explained in the patch announcement posted by the vulnerability reporter.

To fix this vulnerability, the following changes have been implemented:

- The ICE_FLAG_PLUG_AUX_DEV bit is kept set during the ice_plug_aux_dev() call in ice_service_task().
- The bit is checked in ice_clear_rdma_cap(), and ice_unplug_aux_dev() is called only if the bit is not set. If it is set (meaning the auxiliary device is being plugged), the function clears the appropriate flags and exits.
- Appropriate flag handling was added so that the auxiliary device is unplugged only after it has been fully created.
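
To make the flag handshake concrete, here is an added, deliberately simplified single-threaded C model of the fixed behaviour. It is not the ice driver's code: the struct, the function names and the `concurrent` callback (which stands in for work running on another CPU while the plug is in progress) are assumptions used only for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
/* Simplified model only (assumption): not the ice driver's real structures. */
enum { FLAG_RDMA_ENA = 1u << 0, FLAG_AUX_ENA = 1u << 1, FLAG_PLUG_AUX_DEV = 1u << 2 };

struct pf {
    unsigned flags;    /* capability and request bits named in the fix description */
    bool aux_plugged;  /* whether the auxiliary device currently exists */
};
static void plug_aux_dev(struct pf *pf)   { pf->aux_plugged = true; }
static void unplug_aux_dev(struct pf *pf) { pf->aux_plugged = false; }

/* Modelled ice_clear_rdma_cap(): unplug directly only when no plug is running;
 * if one is in progress, just drop the bit so the service task unplugs later. */
static void clear_rdma_cap(struct pf *pf)
{
    if (pf->flags & FLAG_PLUG_AUX_DEV)
        pf->flags &= ~FLAG_PLUG_AUX_DEV;
    else
        unplug_aux_dev(pf);
    pf->flags &= ~(FLAG_RDMA_ENA | FLAG_AUX_ENA);
}

/* Modelled ice_service_task(): the PLUG bit stays set for the whole plug.
 * 'concurrent' (assumed) stands in for work another CPU does meanwhile. */
static void service_task(struct pf *pf, void (*concurrent)(struct pf *))
{
    if (!(pf->flags & FLAG_PLUG_AUX_DEV))
        return;
    plug_aux_dev(pf);
    if (concurrent)
        concurrent(pf);
    /* Plug finished: a cleared bit means an unplug was requested meanwhile. */
    if (pf->flags & FLAG_PLUG_AUX_DEV)
        pf->flags &= ~FLAG_PLUG_AUX_DEV;
    else
        unplug_aux_dev(pf);
}

/* Scenarios return true when the device ends in a consistent state. */
bool scenario_unplug_during_plug(void)   /* the race the fix is about */
{
    struct pf pf = { .flags = FLAG_RDMA_ENA | FLAG_AUX_ENA | FLAG_PLUG_AUX_DEV };
    service_task(&pf, clear_rdma_cap);
    return !pf.aux_plugged && pf.flags == 0;
}
bool scenario_plain_plug(void)           /* nothing races: device stays plugged */
{
    struct pf pf = { .flags = FLAG_RDMA_ENA | FLAG_AUX_ENA | FLAG_PLUG_AUX_DEV };
    service_task(&pf, NULL);
    return pf.aux_plugged && pf.flags == (FLAG_RDMA_ENA | FLAG_AUX_ENA);
}
```

In the racing scenario the unplug request arriving mid-plug is not executed directly but deferred until the plug has completed, which is the ordering the fix enforces.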

With these changes in place, the race condition during the interface enslave process has been resolved, and the Linux kernel's ice driver is no longer vulnerable to CVE-2022-48842.

For more information about this vulnerability and its resolution, check out the original reference email thread and the patch announcement.

Timeline

Published on: 07/16/2024 13:15:11 UTC
Last modified on: 07/17/2024 20:29:57 UTC