First published: Fri Nov 08 2024
In the Linux kernel, the following vulnerability has been resolved:

ice: fix memleak in ice_init_tx_topology()

Fix leak of the FW blob (DDP pkg).

Make ice_cfg_tx_topo() const-correct, so ice_init_tx_topology() can avoid copying whole FW blob. Copy just the topology section, and only when needed. Reuse the buffer allocated for the read of the current topology.

This was found by kmemleak, with the following trace for each PF:

    [<ffffffff8761044d>] kmemdup_noprof+0x1d/0x50
    [<ffffffffc0a0a480>] ice_init_ddp_config+0x100/0x220 [ice]
    [<ffffffffc0a0da7f>] ice_init_dev+0x6f/0x200 [ice]
    [<ffffffffc0a0dc49>] ice_init+0x29/0x560 [ice]
    [<ffffffffc0a10c1d>] ice_probe+0x21d/0x310 [ice]

Constify ice_cfg_tx_topo() @buf parameter. This cascades further down to few more functions.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Affected Software | Affected Version | How to fix |
---|---|---|
Linux Kernel | >=6.10<6.11.4 | |
Linux Kernel | =6.12-rc1 | |
Linux Kernel | =6.12-rc2 | |
debian/linux | 5.10.223-1 5.10.226-1 6.1.123-1 6.1.128-1 6.12.12-1 6.12.15-1 |
CVE-2024-50190 has not been officially assigned a severity rating yet, but it addresses a memory leak issue.
To fix CVE-2024-50190, update the Linux Kernel to version 6.12-rc1 or later, or apply relevant patches.
CVE-2024-50190 could potentially lead to resource exhaustion due to the memory leak in the ice driver.
The affected versions include Linux Kernel versions 6.10 to 6.11.4 and 6.12-rc1, 6.12-rc2.
The maintainers of the Linux Kernel are responsible for addressing and providing updates for CVE-2024-50190.