CVE-2024-46770: ice: Add netif_device_attach/detach into PF reset flow
In the Linux kernel, the following vulnerability has been resolved:
ice: Add netif_device_attach/detach into PF reset flow
Ethtool callbacks can be executed while reset is in progress and try to
access deleted resources, e.g. getting coalesce settings can result in a
NULL pointer dereference seen below.
Reproduction steps:
Once the driver is fully initialized, trigger reset:
# echo 1 > /sys/class/net/<interface>/device/reset
when reset is in progress try to get coalesce settings using ethtool:
# ethtool -c <interface>
BUG: kernel NULL pointer dereference, address: 0000000000000020
PGD 0 P4D 0
Oops: Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 11 PID: 19713 Comm: ethtool Tainted: G S 6.10.0-rc7+ #7
RIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice]
RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206
RAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000
R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40
FS: 00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0
Call Trace:
<TASK>
ice_get_coalesce+0x17/0x30 [ice]
coalesce_prepare_data+0x61/0x80
ethnl_default_doit+0xde/0x340
genl_family_rcv_msg_doit+0xf2/0x150
genl_rcv_msg+0x1b3/0x2c0
netlink_rcv_skb+0x5b/0x110
genl_rcv+0x28/0x40
netlink_unicast+0x19c/0x290
netlink_sendmsg+0x222/0x490
__sys_sendto+0x1df/0x1f0
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x82/0x160
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7faee60d8e27
Calling netif_device_detach() before reset makes the net core not call
the driver when ethtool command is issued, the attempt to execute an
ethtool command during reset will result in the following message:
netlink error: No such device
instead of NULL pointer dereference. Once reset is done and
ice_rebuild() is executing, the netif_device_attach() is called to allow
for ethtool operations to occur again in a safe manner.
Security readout for executives and security teams
Plain-English summary
CVE-2024-46770 is a Linux kernel crash bug in the Intel Ethernet ice driver. During a physical-function reset, management queries through ethtool could reach driver resources that had already been deleted, causing a NULL pointer dereference. The main business risk is host instability on systems using this driver, not data theft based on the provided evidence.
Executive priority
Treat this as a stability and availability fix for Linux network infrastructure. Prioritize production servers using affected Intel Ethernet ice driver hardware, especially where unexpected host crashes would affect critical services.
Technical view
The ice driver did not detach the net device during PF reset, allowing ethtool callbacks to run concurrently against reset-torn-down state. The upstream fix detaches the device before reset and reattaches during rebuild, making affected ethtool operations fail safely instead of dereferencing NULL resources.
Likely exposure
Exposure is likely limited to Linux systems using the ice network driver, commonly Intel Ethernet adapters, on affected kernel lines. Systems without this driver or relevant hardware are unlikely to be exposed based on the supplied sources.
Exploitation context
The source bundle shows a reproducible local crash condition during reset and ethtool access. It does not cite remote exploitation, privilege escalation, public weaponization, or active exploitation. The CVE is not marked KEV in the provided data.
Researcher notes
The public description supports a race between PF reset teardown and ethtool callback execution. The fix uses netif_device_detach and netif_device_attach to gate net core callbacks during reset. Evidence is incomplete for impact beyond NULL pointer dereference denial of service.
Mitigation direction
Update to a kernel containing the referenced stable fixes.
Check Linux distribution advisories for packaged kernel updates.
Prioritize hosts using the ice network driver in production.
Avoid unnecessary manual reset and driver-management activity until patched.
Validation and detection
Inventory systems loading the Linux ice driver.
Map installed kernel versions against vendor fixed packages.
Confirm the relevant stable patch is present in kernel changelogs.
Review logs for recent kernel oops events involving ice or ethtool.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-46770 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.