CVE-2024-50297: 
Linux Debian vulnerability analysis and mitigation

A race condition vulnerability was discovered in the Linux kernel's Xilinx AXI Ethernet driver (CVE-2024-50297). The issue occurs when enqueuing packets in dynamic queue limits (dql) after the DMA engine starts, which can lead to a kernel crash. The vulnerability affects Linux kernel versions from 6.8 up to (excluding) 6.11.8, and various 6.12 release candidates (NVD).

The vulnerability stems from a race condition in the Xilinx AXI Ethernet driver where Tx transfer starts once the DMA engine is initiated and may execute dql dequeue in completion before it gets queued. This results in a kernel crash at lib/dynamicqueuelimits.c:99 during iperf stress testing. The issue has been assigned a CVSS v3.1 base score of 4.7 (Medium) with vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access required with high attack complexity (NVD).

When exploited, this vulnerability causes a kernel crash (system denial of service) during network stress conditions. The issue specifically manifests when running iperf stress tests on systems using the Xilinx AXI Ethernet driver (Kernel Patch).

The vulnerability has been fixed by modifying the packet enqueuing sequence in the driver. The fix involves starting the DMA engine after enqueueing in dql, which prevents the race condition. The patch has been merged into the Linux kernel. Users should update to Linux kernel version 6.11.8 or later to receive the fix (Kernel Patch).