Skip to content

[LTS 8.8] igb: set max size RX buffer when store bad packet is enabled #296

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 30, 2025
Merged

[LTS 8.8] igb: set max size RX buffer when store bad packet is enabled #296

merged 1 commit into from
May 30, 2025

Conversation

pvts-mat
Copy link
Contributor

[LTS 8.8]
CVE-2023-45871
VULN-6695

Problem

From the company which discovered the bug:

https://www.omicronenergy.com/download/file/5ddf37266b0d79a7ba5818893202d9c1/

Linux Kernel vulnerability CVE-2023-45871 allows an attacker to cause memory corruption in the network driver of the *BX device by sending special crafted network traffic. The behaviour of the system caused by memory corruption is highly unpredictable: the device is either restarted, processes crash, or a manual reboot is required.

The CVSS 3.1 scoring is somewhat inconsistent, ranging from 7.5 (nist) to 9.8 (above).

Applicability

The igb module is enabled in ciqlts8_8

configs/kernel-x86_64.config

CONFIG_IGB=m
CONFIG_IGBVF=m
CONFIG_IGB_DCA=y
CONFIG_IGB_HWMON=y

Solution

The mainline fix is given in bb5ed01. It was backported to multiple stable versions without any changes, as well as to CBR 7.9 in d3573f5, LTS 8.6 in 6ef78b9 and LTS 9.4 in aee509a (by RedHat). The commit applies to ciqlts8_8 without any modifications as well.

kABI check: passed

DEBUG=1 CVE=CVE-2023-45871 ./ninja.sh _kabi_checked__$(uname -m)--test--ciqlts8_8-CVE-2023-45871

[0/1] Check ABI of kernel [ciqlts8_8-CVE-2023-45871]
++ uname -m
+ python3 /data/src/ctrliq-github/kernel-dist-git-el-8.8/SOURCES/check-kabi -k /data/src/ctrliq-github/kernel-dist-git-el-8.8/SOURCES/Module.kabi_x86_64 -s vms/x86_64--build--ciqlts8_8/build_files/kernel-src-tree-ciqlts8_8-CVE-2023-45871/Module.symvers
kABI check passed
+ touch state/kernels/ciqlts8_8-CVE-2023-45871/x86_64/kabi_checked

Boot test: passed

boot-test.log

Kselftests: passed relative

Coverage

android, bpf (except test_progs, test_progs-no_alu32, test_xsk.sh, test_sockmap, test_kmod.sh), breakpoints, capabilities, cgroup, core, cpu-hotplug, cpufreq, drivers/net/bonding, drivers/net/team, exec, firmware, fpu, ftrace, futex, gpio, intel_pstate, ipc, kcmp, kexec, kvm, lib, livepatch, membarrier, memfd, memory-hotplug, mount, mqueue, net/forwarding (except mirror_gre_bridge_1d_vlan.sh, sch_tbf_root.sh, sch_tbf_ets.sh, sch_tbf_prio.sh, mirror_gre_vlan_bridge_1q.sh, tc_actions.sh, sch_ets.sh, ipip_hier_gre_keys.sh), net/mptcp (except simult_flows.sh), net (except gro.sh, txtimestamp.sh, xfrm_policy.sh, ip_defrag.sh, udpgro_fwd.sh, reuseaddr_conflict, reuseport_addr_any.sh, udpgso_bench.sh), netfilter (except nft_trans_stress.sh), nsfs, pstore, ptrace, rseq, sgx, sigaltstack, size, splice, static_keys, tc-testing, tdx, timens, timers (except raw_skew), tpm2, vm, x86, zram

Reference

kselftests–ciqlts8_8–run1.log
kselftests–ciqlts8_8–run2.log
kselftests–ciqlts8_8–run3.log

Patch

kselftests–ciqlts8_8-CVE-2023-45871–run1.log
kselftests–ciqlts8_8-CVE-2023-45871–run2.log
kselftests–ciqlts8_8-CVE-2023-45871–run3.log

Comparison

The test results for reference and patch are the same.

$ ktests.xsh diff -d kselftests*.log

Column    File
--------  ----------------------------------------------
Status0   kselftests--ciqlts8_8--run1.log
Status1   kselftests--ciqlts8_8--run2.log
Status2   kselftests--ciqlts8_8--run3.log
Status3   kselftests--ciqlts8_8-CVE-2023-45871--run1.log
Status4   kselftests--ciqlts8_8-CVE-2023-45871--run2.log
Status5   kselftests--ciqlts8_8-CVE-2023-45871--run3.log

Note that igb doesn't have any selftests defined.

Specific tests: skipped

@pvts-mat
igb: set max size RX buffer when store bad packet is enabled
2e35684 
jira VULN-6695
cve CVE-2023-45871
commit-author Radoslaw Tyl <[email protected]>
commit bb5ed01

Increase the RX buffer size to 3K when the SBP bit is on. The size of
the RX buffer determines the number of pages allocated which may not
be sufficient for receive frames larger than the set MTU size.

	Cc: [email protected]
Fixes: 89eaefb ("igb: Support RX-ALL feature flag.")
	Reported-by: Manfred Rudigier <[email protected]>
	Signed-off-by: Radoslaw Tyl <[email protected]>
	Tested-by: Arpana Arland <[email protected]> (A Contingent worker at Intel)
	Signed-off-by: Tony Nguyen <[email protected]>
	Signed-off-by: David S. Miller <[email protected]>
(cherry picked from commit bb5ed01)
	Signed-off-by: Marcin Wcisło <[email protected]>
@pvts-mat pvts-mat changed the title igb: set max size RX buffer when store bad packet is enabled [LTS 8.8] igb: set max size RX buffer when store bad packet is enabled May 28, 2025
bmastbergen
bmastbergen approved these changes May 29, 2025
View reviewed changes
Copy link
Collaborator

@bmastbergen bmastbergen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

@bmastbergen bmastbergen merged commit 07a3a10 into ctrliq:ciqlts8_8 May 30, 2025
2 checks passed
@PlaidCat PlaidCat mentioned this pull request Jul 17, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jdieter jdieter jdieter approved these changes

@bmastbergen bmastbergen bmastbergen approved these changes

@kerneltoast kerneltoast Awaiting requested review from kerneltoast

@PlaidCat PlaidCat Awaiting requested review from PlaidCat

@thefossguy-ciq thefossguy-ciq Awaiting requested review from thefossguy-ciq

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@pvts-mat @jdieter @bmastbergen