cve/published/2021/CVE-2021-47078.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47078: RDMA/rxe: Clear all QP fields if creation failed

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 RDMA/rxe: Clear all QP fields if creation failed

 rxe_qp_do_cleanup() relies on valid pointer values in QP for the properly
 created ones, but in case rxe_qp_from_init() failed it was filled with
 garbage and caused tot the following error.

   refcount_t: underflow; use-after-free.
   WARNING: CPU: 1 PID: 12560 at lib/refcount.c:28 refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28
   Modules linked in:
   CPU: 1 PID: 12560 Comm: syz-executor.4 Not tainted 5.12.0-syzkaller #0
   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
   RIP: 0010:refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28
   Code: e9 db fe ff ff 48 89 df e8 2c c2 ea fd e9 8a fe ff ff e8 72 6a a7 fd 48 c7 c7 e0 b2 c1 89 c6 05 dc 3a e6 09 01 e8 ee 74 fb 04 <0f> 0b e9 af fe ff ff 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 55
   RSP: 0018:ffffc900097ceba8 EFLAGS: 00010286
   RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
   RDX: 0000000000040000 RSI: ffffffff815bb075 RDI: fffff520012f9d67
   RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
   R10: ffffffff815b4eae R11: 0000000000000000 R12: ffff8880322a4800
   R13: ffff8880322a4940 R14: ffff888033044e00 R15: 0000000000000000
   FS:  00007f6eb2be3700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
   CR2: 00007fdbe5d41000 CR3: 000000001d181000 CR4: 00000000001506e0
   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
   Call Trace:
    __refcount_sub_and_test include/linux/refcount.h:283 [inline]
    __refcount_dec_and_test include/linux/refcount.h:315 [inline]
    refcount_dec_and_test include/linux/refcount.h:333 [inline]
    kref_put include/linux/kref.h:64 [inline]
    rxe_qp_do_cleanup+0x96f/0xaf0 drivers/infiniband/sw/rxe/rxe_qp.c:805
    execute_in_process_context+0x37/0x150 kernel/workqueue.c:3327
    rxe_elem_release+0x9f/0x180 drivers/infiniband/sw/rxe/rxe_pool.c:391
    kref_put include/linux/kref.h:65 [inline]
    rxe_create_qp+0x2cd/0x310 drivers/infiniband/sw/rxe/rxe_verbs.c:425
    _ib_create_qp drivers/infiniband/core/core_priv.h:331 [inline]
    ib_create_named_qp+0x2ad/0x1370 drivers/infiniband/core/verbs.c:1231
    ib_create_qp include/rdma/ib_verbs.h:3644 [inline]
    create_mad_qp+0x177/0x2d0 drivers/infiniband/core/mad.c:2920
    ib_mad_port_open drivers/infiniband/core/mad.c:3001 [inline]
    ib_mad_init_device+0xd6f/0x1400 drivers/infiniband/core/mad.c:3092
    add_client_context+0x405/0x5e0 drivers/infiniband/core/device.c:717
    enable_device_and_get+0x1cd/0x3b0 drivers/infiniband/core/device.c:1331
    ib_register_device drivers/infiniband/core/device.c:1413 [inline]
    ib_register_device+0x7c7/0xa50 drivers/infiniband/core/device.c:1365
    rxe_register_device+0x3d5/0x4a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1147
    rxe_add+0x12fe/0x16d0 drivers/infiniband/sw/rxe/rxe.c:247
    rxe_net_add+0x8c/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:503
    rxe_newlink drivers/infiniband/sw/rxe/rxe.c:269 [inline]
    rxe_newlink+0xb7/0xe0 drivers/infiniband/sw/rxe/rxe.c:250
    nldev_newlink+0x30e/0x550 drivers/infiniband/core/nldev.c:1555
    rdma_nl_rcv_msg+0x36d/0x690 drivers/infiniband/core/netlink.c:195
    rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
    rdma_nl_rcv+0x2ee/0x430 drivers/infiniband/core/netlink.c:259
    netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
    netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
    netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
    sock_sendmsg_nosec net/socket.c:654 [inline]
    sock_sendmsg+0xcf/0x120 net/socket.c:674
    ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
    ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
    __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
    do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
    entry_SYSCALL_64_after_hwframe+0x44/0xae

 The Linux kernel CVE team has assigned CVE-2021-47078 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.8 with commit 8700e3e7c4857d28ebaa824509934556da0b3e76 and fixed in 4.9.270 with commit c65391dd9f0a47617e96e38bd27e277cbe1c40b0
 	Issue introduced in 4.8 with commit 8700e3e7c4857d28ebaa824509934556da0b3e76 and fixed in 4.14.234 with commit 6a8086a42dfbf548a42bf2ae4faa291645c72c66
 	Issue introduced in 4.8 with commit 8700e3e7c4857d28ebaa824509934556da0b3e76 and fixed in 4.19.192 with commit f3783c415bf6d2ead3d7aa2c38802bbe10723646
 	Issue introduced in 4.8 with commit 8700e3e7c4857d28ebaa824509934556da0b3e76 and fixed in 5.4.122 with commit a62225d951d77eb20208fed8fc199e0c9b1df08b
 	Issue introduced in 4.8 with commit 8700e3e7c4857d28ebaa824509934556da0b3e76 and fixed in 5.10.40 with commit 2ee4d79c364914989c80de382c0b1a7259a7e4b3
 	Issue introduced in 4.8 with commit 8700e3e7c4857d28ebaa824509934556da0b3e76 and fixed in 5.12.7 with commit 03344e843ab6dd3b3f2cadfb65ed910590856c70
 	Issue introduced in 4.8 with commit 8700e3e7c4857d28ebaa824509934556da0b3e76 and fixed in 5.13 with commit 67f29896fdc83298eed5a6576ff8f9873f709228

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47078
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/infiniband/sw/rxe/rxe_qp.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/c65391dd9f0a47617e96e38bd27e277cbe1c40b0
 	https://git.kernel.org/stable/c/6a8086a42dfbf548a42bf2ae4faa291645c72c66
 	https://git.kernel.org/stable/c/f3783c415bf6d2ead3d7aa2c38802bbe10723646
 	https://git.kernel.org/stable/c/a62225d951d77eb20208fed8fc199e0c9b1df08b
 	https://git.kernel.org/stable/c/2ee4d79c364914989c80de382c0b1a7259a7e4b3
 	https://git.kernel.org/stable/c/03344e843ab6dd3b3f2cadfb65ed910590856c70
 	https://git.kernel.org/stable/c/67f29896fdc83298eed5a6576ff8f9873f709228
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47078: RDMA/rxe: Clear all QP fields if creation failed

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	RDMA/rxe: Clear all QP fields if creation failed

	rxe_qp_do_cleanup() relies on valid pointer values in QP for the properly
	created ones, but in case rxe_qp_from_init() failed it was filled with
	garbage and caused tot the following error.

	refcount_t: underflow; use-after-free.
	WARNING: CPU: 1 PID: 12560 at lib/refcount.c:28 refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28
	Modules linked in:
	CPU: 1 PID: 12560 Comm: syz-executor.4 Not tainted 5.12.0-syzkaller #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
	RIP: 0010:refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28
	Code: e9 db fe ff ff 48 89 df e8 2c c2 ea fd e9 8a fe ff ff e8 72 6a a7 fd 48 c7 c7 e0 b2 c1 89 c6 05 dc 3a e6 09 01 e8 ee 74 fb 04 <0f> 0b e9 af fe ff ff 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 55
	RSP: 0018:ffffc900097ceba8 EFLAGS: 00010286
	RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
	RDX: 0000000000040000 RSI: ffffffff815bb075 RDI: fffff520012f9d67
	RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
	R10: ffffffff815b4eae R11: 0000000000000000 R12: ffff8880322a4800
	R13: ffff8880322a4940 R14: ffff888033044e00 R15: 0000000000000000
	FS: 00007f6eb2be3700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007fdbe5d41000 CR3: 000000001d181000 CR4: 00000000001506e0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	__refcount_sub_and_test include/linux/refcount.h:283 [inline]
	__refcount_dec_and_test include/linux/refcount.h:315 [inline]
	refcount_dec_and_test include/linux/refcount.h:333 [inline]
	kref_put include/linux/kref.h:64 [inline]
	rxe_qp_do_cleanup+0x96f/0xaf0 drivers/infiniband/sw/rxe/rxe_qp.c:805
	execute_in_process_context+0x37/0x150 kernel/workqueue.c:3327
	rxe_elem_release+0x9f/0x180 drivers/infiniband/sw/rxe/rxe_pool.c:391
	kref_put include/linux/kref.h:65 [inline]
	rxe_create_qp+0x2cd/0x310 drivers/infiniband/sw/rxe/rxe_verbs.c:425
	_ib_create_qp drivers/infiniband/core/core_priv.h:331 [inline]
	ib_create_named_qp+0x2ad/0x1370 drivers/infiniband/core/verbs.c:1231
	ib_create_qp include/rdma/ib_verbs.h:3644 [inline]
	create_mad_qp+0x177/0x2d0 drivers/infiniband/core/mad.c:2920
	ib_mad_port_open drivers/infiniband/core/mad.c:3001 [inline]
	ib_mad_init_device+0xd6f/0x1400 drivers/infiniband/core/mad.c:3092
	add_client_context+0x405/0x5e0 drivers/infiniband/core/device.c:717
	enable_device_and_get+0x1cd/0x3b0 drivers/infiniband/core/device.c:1331
	ib_register_device drivers/infiniband/core/device.c:1413 [inline]
	ib_register_device+0x7c7/0xa50 drivers/infiniband/core/device.c:1365
	rxe_register_device+0x3d5/0x4a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1147
	rxe_add+0x12fe/0x16d0 drivers/infiniband/sw/rxe/rxe.c:247
	rxe_net_add+0x8c/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:503
	rxe_newlink drivers/infiniband/sw/rxe/rxe.c:269 [inline]
	rxe_newlink+0xb7/0xe0 drivers/infiniband/sw/rxe/rxe.c:250
	nldev_newlink+0x30e/0x550 drivers/infiniband/core/nldev.c:1555
	rdma_nl_rcv_msg+0x36d/0x690 drivers/infiniband/core/netlink.c:195
	rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
	rdma_nl_rcv+0x2ee/0x430 drivers/infiniband/core/netlink.c:259
	netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
	netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
	netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
	sock_sendmsg_nosec net/socket.c:654 [inline]
	sock_sendmsg+0xcf/0x120 net/socket.c:674
	____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
	___sys_sendmsg+0xf3/0x170 net/socket.c:2404
	__sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
	do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
	entry_SYSCALL_64_after_hwframe+0x44/0xae

	The Linux kernel CVE team has assigned CVE-2021-47078 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.8 with commit 8700e3e7c4857d28ebaa824509934556da0b3e76 and fixed in 4.9.270 with commit c65391dd9f0a47617e96e38bd27e277cbe1c40b0
	Issue introduced in 4.8 with commit 8700e3e7c4857d28ebaa824509934556da0b3e76 and fixed in 4.14.234 with commit 6a8086a42dfbf548a42bf2ae4faa291645c72c66
	Issue introduced in 4.8 with commit 8700e3e7c4857d28ebaa824509934556da0b3e76 and fixed in 4.19.192 with commit f3783c415bf6d2ead3d7aa2c38802bbe10723646
	Issue introduced in 4.8 with commit 8700e3e7c4857d28ebaa824509934556da0b3e76 and fixed in 5.4.122 with commit a62225d951d77eb20208fed8fc199e0c9b1df08b
	Issue introduced in 4.8 with commit 8700e3e7c4857d28ebaa824509934556da0b3e76 and fixed in 5.10.40 with commit 2ee4d79c364914989c80de382c0b1a7259a7e4b3
	Issue introduced in 4.8 with commit 8700e3e7c4857d28ebaa824509934556da0b3e76 and fixed in 5.12.7 with commit 03344e843ab6dd3b3f2cadfb65ed910590856c70
	Issue introduced in 4.8 with commit 8700e3e7c4857d28ebaa824509934556da0b3e76 and fixed in 5.13 with commit 67f29896fdc83298eed5a6576ff8f9873f709228

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47078
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/infiniband/sw/rxe/rxe_qp.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/c65391dd9f0a47617e96e38bd27e277cbe1c40b0
	https://git.kernel.org/stable/c/6a8086a42dfbf548a42bf2ae4faa291645c72c66
	https://git.kernel.org/stable/c/f3783c415bf6d2ead3d7aa2c38802bbe10723646
	https://git.kernel.org/stable/c/a62225d951d77eb20208fed8fc199e0c9b1df08b
	https://git.kernel.org/stable/c/2ee4d79c364914989c80de382c0b1a7259a7e4b3
	https://git.kernel.org/stable/c/03344e843ab6dd3b3f2cadfb65ed910590856c70
	https://git.kernel.org/stable/c/67f29896fdc83298eed5a6576ff8f9873f709228