CVE-2024-50042: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-50042 affects the Linux kernel's ice driver, specifically related to MSI-X handling on Virtual Functions (VFs). The vulnerability was discovered in September 2024 and involves invalid memory operations that occur when increasing MSI-X value on a VF. The issue affects Linux kernel versions from 6.7.10 up to (excluding) 6.8, from 6.8 up to (excluding) 6.11.4, and versions 6.12-rc1 and 6.12-rc2 (NVD).

The vulnerability is triggered when increasing the MSI-X value above the default of 16 on a Virtual Function. The issue occurs because some arrays are not properly reallocated when changing the MSI-X vector count. This leads to a slab-out-of-bounds read in the ice_vsi_alloc_ring_stats function. The vulnerability can be reproduced by loading the ice module and manipulating the sriov_vf_msix_count through sysfs (Kernel Patch). The CVSS v3.1 Base Score is 7.1 HIGH with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H (NVD).

The vulnerability allows reading out-of-bounds memory through KASAN (Kernel Address Sanitizer) detectable accesses. This could potentially lead to information disclosure and system crashes. The high CVSS score indicates significant potential impact on system confidentiality and availability (NVD).

The issue has been fixed by replacing ice_vf_reconfig_vsi() with ice_vsi_rebuild() in the kernel code. The fix ensures proper reallocation of arrays when changing the queue count and handles VSI filters correctly. Users should upgrade to patched kernel versions that include the fix (Kernel Patch).