CVE-2024-36003
📋 TL;DR
This CVE describes a deadlock vulnerability in the Linux kernel's ice driver when handling Virtual Function (VF) resets with Link Aggregation (LAG) enabled. The vulnerability occurs due to inconsistent lock acquisition order between ice_reset_vf() and ice_vc_cfg_qs_msg(), potentially causing system hangs or denial of service. Systems using Intel Ethernet Controller E810 series with SR-IOV and LAG configurations are affected.
💻 Affected Systems
- Linux kernel with Intel ice driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Complete system deadlock requiring hard reboot, causing extended service disruption and potential data loss in virtualized environments.
Likely Case
System hangs or kernel panics when creating/removing VFs with LAG enabled, leading to denial of service for affected network interfaces.
If Mitigated
Minor performance impact during VF operations if proper locking order is enforced.
🎯 Exploit Status
Exploitation requires privileged access to create/remove VFs. The deadlock is reliably triggered by specific sequences of VF operations with LAG enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel stable releases containing fixes: 740717774dc3, 96fdd1f6b4ed, de8631d8c9df
Vendor Advisory: https://git.kernel.org/stable/c/740717774dc37338404d10726967d582414f638c
Restart Required: Yes
Instructions:
1. Update to patched kernel version from your distribution's repositories
2. Rebuild kernel if using custom builds
3. Reboot system to load new kernel
4. Verify ice driver version matches patched kernel
🔧 Temporary Workarounds
Disable LAG configuration
Temporarily disable Link Aggregation on affected interfaces to avoid the deadlock condition
# Check current LAG configuration
ip link show
# Remove from bond/LAG configuration
ip link set dev <interface> nomaster
Limit VF operations
Avoid creating/removing multiple VFs simultaneously and implement delays between operations
# Insert a delay between VF create/remove commands when scripting VF operations
sleep 2
🧯 If You Can't Patch
- Disable SR-IOV functionality on affected network interfaces
- Implement monitoring for kernel deadlocks and automated recovery procedures
🔍 How to Verify
Check if Vulnerable:
Check the kernel version with 'uname -r', confirm the ice driver is loaded with 'lsmod | grep ice', and look for bond interfaces (LAG enabled) with 'ip link show'.
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes fix commits and test VF creation/removal with LAG enabled without triggering deadlock
📡 Detection & Monitoring
Log Indicators:
- Kernel deadlock warnings in dmesg
- 'possible circular locking dependency detected' messages
- Ice driver error messages related to VF operations
Network Indicators:
- Sudden loss of network connectivity on bonded interfaces
- VF network interfaces becoming unresponsive
SIEM Query:
source="kernel" AND "possible circular locking" AND "ice_reset_vf"
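Added example (not part of the original advisory or the kernel project): a lockdep report spans many log lines, so the "possible circular locking" header and the ice function names usually arrive as separate records and a single-event match can miss them. The script below correlates the two within a line window; the function names find_ice_lockdep and sample_log, the WINDOW value and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: correlate a lockdep header with ice frames that follow it.
# Lockdep output only exists on kernels built with CONFIG_PROVE_LOCKING.
# WINDOW (lines searched after the header) is an assumed value.
WINDOW=${WINDOW:-80}

# Reads kernel log text on stdin, prints one line per lockdep report that
# contains an ice function named in this CVE, returns 0 if any was found.
find_ice_lockdep() {
    awk -v window="$WINDOW" '
        /possible circular locking dependency detected/ {
            start = NR; hit = 0; next
        }
        start && !hit && (NR - start <= window) && /ice_reset_vf|ice_vc_cfg_qs_msg/ {
            print "ice lockdep report at line " start ": " $0
            hit = 1; found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample input (not captured from a real system).
sample_log() {
cat <<'EOF'
[  101.000001] ice 0000:3b:00.0: constructed sample line, VF 0 reset
[  101.000002] ======================================================
[  101.000003] WARNING: possible circular locking dependency detected
[  101.000004] ------------------------------------------------------
[  101.000005] constructed sample: task is trying to acquire lock:
[  101.000006]  ice_reset_vf+0x0/0x0 [ice]
[  101.000007]  ice_vc_cfg_qs_msg+0x0/0x0 [ice]
EOF
}

# Live use: dmesg | find_ice_lockdep   (or: journalctl -k | find_ice_lockdep)
sample_log | find_ice_lockdep
```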
🔗 References
- https://git.kernel.org/stable/c/740717774dc37338404d10726967d582414f638c
- https://git.kernel.org/stable/c/96fdd1f6b4ed72a741fb0eb705c0e13049b8721f
- https://git.kernel.org/stable/c/de8631d8c9df08440268630200e64b623a5f69e6