Date: Wed,  3 Apr 2024 19:31:33 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-26766: IB/hfi1: Fix sdma.h tx->num_descs off-by-one error

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

IB/hfi1: Fix sdma.h tx->num_descs off-by-one error

Unfortunately the commit `fd8958efe877` introduced another error
causing the `descs` array to overflow. This results in further crashes
easily reproducible by `sendmsg` system call.

[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI
[ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]
--
[ 1080.974535] Call Trace:
[ 1080.976990]  <TASK>
[ 1081.021929]  hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]
[ 1081.027364]  hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]
[ 1081.032633]  hfi1_ipoib_send+0x112/0x300 [hfi1]
[ 1081.042001]  ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]
[ 1081.046978]  dev_hard_start_xmit+0xc4/0x210
--
[ 1081.148347]  __sys_sendmsg+0x59/0xa0

crash> ipoib_txreq 0xffff9cfeba229f00
struct ipoib_txreq {
  txreq = {
    list = {
      next = 0xffff9cfeba229f00,
      prev = 0xffff9cfeba229f00
    },
    descp = 0xffff9cfeba229f40,
    coalesce_buf = 0x0,
    wait = 0xffff9cfea4e69a48,
    complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>,
    packet_len = 0x46d,
    tlen = 0x0,
    num_desc = 0x0,
    desc_limit = 0x6,
    next_descq_idx = 0x45c,
    coalesce_idx = 0x0,
    flags = 0x0,
    descs = {{
        qw = {0x8024000120dffb00, 0x4}  # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)
      }, {
        qw = {  0x3800014231b108, 0x4}
      }, {
        qw = { 0x310000e4ee0fcf0, 0x8}
      }, {
        qw = {  0x3000012e9f8000, 0x8}
      }, {
        qw = {  0x59000dfb9d0000, 0x8}
      }, {
        qw = {  0x78000e02e40000, 0x8}
      }}
  },
  sdma_hdr =  0x400300015528b000,  <<< invalid pointer in the tx request structure
  sdma_status = 0x0,                   SDMA_DESC0_LAST_DESC_FLAG (bit 62)
  complete = 0x0,
  priv = 0x0,
  txq = 0xffff9cfea4e69880,
  skb = 0xffff9d099809f400
}

If an SDMA send consists of exactly 6 descriptors and requires dword
padding (in the 7th descriptor), the sdma_txreq descriptor array is not
properly expanded and the packet will overflow into the container
structure. This results in a panic when the send completion runs. The
exact panic varies depending on what elements of the container structure
get corrupted. The fix is to use the correct expression in
_pad_sdma_tx_descs() to test the need to expand the descriptor array.

With this patch the crashes are no longer reproducible and the machine is
stable.
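The off-by-one described above, modelled in user space as an added example (this is not code from the commit or from the hfi1 driver). The struct, the `needs_extend_*` predicates, and `pad_descriptor()` are assumed simplifications: the predicates stand in for the expansion test in `_pad_sdma_tx_descs()` before and after the fix, and the array growth stands in for `_extend_sdma_tx_descs()`.

```c
#include <stdbool.h>

/* Constructed model of an SDMA tx request: an inline descriptor array with
 * DESC_INLINE slots (the dump above shows desc_limit = 0x6) and a count of
 * slots already filled. Not the kernel's struct sdma_txreq. */
#define DESC_INLINE 6

struct txreq_model {
    unsigned num_desc;   /* descriptors already written */
    unsigned desc_limit; /* capacity of the descriptor array */
    unsigned grown;      /* how many times the array was extended */
};

/* Assumed shape of the buggy test: it asked whether the array would be full
 * after one more descriptor, so an array that is already full
 * (num_desc == desc_limit) was never expanded before the pad was added. */
static bool needs_extend_buggy(const struct txreq_model *tx)
{
    return tx->num_desc + 1 == tx->desc_limit;
}

/* Corrected test: expand when every existing slot is already in use. */
static bool needs_extend_fixed(const struct txreq_model *tx)
{
    return tx->num_desc == tx->desc_limit;
}

/* Models adding the dword-padding descriptor: grow the array first when the
 * chosen predicate says so, then append. Returns the slot index the pad is
 * written to. In the real driver an index >= the unexpanded capacity lands
 * past descs[] in the containing struct (the sdma_hdr pointer in the dump). */
static unsigned pad_descriptor(struct txreq_model *tx,
                               bool (*needs_extend)(const struct txreq_model *))
{
    if (needs_extend(tx)) {
        tx->desc_limit *= 2; /* stands in for _extend_sdma_tx_descs() */
        tx->grown++;
    }
    return tx->num_desc++;
}

/* True if, starting with `filled` descriptors in a DESC_INLINE-slot array,
 * the padding descriptor stays inside the array under the given predicate. */
static bool pad_in_bounds(unsigned filled,
                          bool (*needs_extend)(const struct txreq_model *))
{
    struct txreq_model tx = { .num_desc = filled, .desc_limit = DESC_INLINE };
    unsigned idx = pad_descriptor(&tx, needs_extend);
    return idx < tx.desc_limit;
}
```

Only the exactly-six-descriptor case differs between the two predicates, which matches the trigger condition the commit message gives.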

The Linux kernel CVE team has assigned CVE-2024-26766 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.19.291 with commit d1c1ee052d25 and fixed in 4.19.308 with commit 115b7f3bc1dc
	Issue introduced in 5.4.251 with commit 40ac5cb6cbb0 and fixed in 5.4.270 with commit 5833024a9856
	Issue introduced in 5.10.188 with commit 6cf8f3d690bb and fixed in 5.10.211 with commit 3f38d22e645e
	Issue introduced in 5.15.99 with commit bd57756a7e43 and fixed in 5.15.150 with commit 47ae64df23ed
	Issue introduced in 6.1.16 with commit eeaf35f4e3b3 and fixed in 6.1.80 with commit 52dc9a7a573d
	Issue introduced in 6.3 with commit fd8958efe877 and fixed in 6.6.19 with commit a2fef1d81bec
	Issue introduced in 6.3 with commit fd8958efe877 and fixed in 6.7.7 with commit 9034a1bec35e
	Issue introduced in 6.3 with commit fd8958efe877 and fixed in 6.8 with commit e6f57c688191
	Issue introduced in 6.2.3 with commit 0ef9594936d1

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26766
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/infiniband/hw/hfi1/sdma.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790
	https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5
	https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2
	https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39
	https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b
	https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a
	https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9
	https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6
