cve/published/2021/CVE-2021-47196.json - pub/scm/linux/security/vulns - Git at Google

 {
    "containers": {
       "cna": {
          "providerMetadata": {
             "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
          },
          "descriptions": [
             {
                "lang": "en",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Set send and receive CQ before forwarding to the driver\n\nPreset both receive and send CQ pointers prior to call to the drivers and\noverwrite it later again till the mlx4 is going to be changed do not\noverwrite ibqp properties.\n\nThis change is needed for mlx5, because in case of QP creation failure, it\nwill go to the path of QP destroy which relies on proper CQ pointers.\n\n BUG: KASAN: use-after-free in create_qp.cold+0x164/0x16e [mlx5_ib]\n Write of size 8 at addr ffff8880064c55c0 by task a.out/246\n\n CPU: 0 PID: 246 Comm: a.out Not tainted 5.15.0+ #291\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Call Trace:\n  dump_stack_lvl+0x45/0x59\n  print_address_description.constprop.0+0x1f/0x140\n  kasan_report.cold+0x83/0xdf\n  create_qp.cold+0x164/0x16e [mlx5_ib]\n  mlx5_ib_create_qp+0x358/0x28a0 [mlx5_ib]\n  create_qp.part.0+0x45b/0x6a0 [ib_core]\n  ib_create_qp_user+0x97/0x150 [ib_core]\n  ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\n  ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\n  ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\n  __x64_sys_ioctl+0x866/0x14d0\n  do_syscall_64+0x3d/0x90\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Allocated by task 246:\n  kasan_save_stack+0x1b/0x40\n  __kasan_kmalloc+0xa4/0xd0\n  create_qp.part.0+0x92/0x6a0 [ib_core]\n  ib_create_qp_user+0x97/0x150 [ib_core]\n  ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\n  ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\n  ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\n  __x64_sys_ioctl+0x866/0x14d0\n  do_syscall_64+0x3d/0x90\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Freed by task 246:\n  kasan_save_stack+0x1b/0x40\n  kasan_set_track+0x1c/0x30\n  kasan_set_free_info+0x20/0x30\n  __kasan_slab_free+0x10c/0x150\n  slab_free_freelist_hook+0xb4/0x1b0\n  kfree+0xe7/0x2a0\n  create_qp.part.0+0x52b/0x6a0 [ib_core]\n  ib_create_qp_user+0x97/0x150 [ib_core]\n  ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\n  ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\n  ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\n  __x64_sys_ioctl+0x866/0x14d0\n  do_syscall_64+0x3d/0x90\n  entry_SYSCALL_64_after_hwframe+0x44/0xae"
             }
          ],
          "affected": [
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "unaffected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "drivers/infiniband/core/verbs.c"
                ],
                "versions": [
                   {
                      "version": "514aee660df493cd673154a6ba6bab745ec47b8c",
                      "lessThan": "b70e072feffa0ba5c41a99b9524b9878dee7748e",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "514aee660df493cd673154a6ba6bab745ec47b8c",
                      "lessThan": "6cd7397d01c4a3e09757840299e4f114f0aa5fa0",
                      "status": "affected",
                      "versionType": "git"
                   }
                ]
             },
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "affected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "drivers/infiniband/core/verbs.c"
                ],
                "versions": [
                   {
                      "version": "5.15",
                      "status": "affected"
                   },
                   {
                      "version": "0",
                      "lessThan": "5.15",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.15.5",
                      "lessThanOrEqual": "5.15.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.16",
                      "lessThanOrEqual": "*",
                      "status": "unaffected",
                      "versionType": "original_commit_for_fix"
                   }
                ]
             }
          ],
          "cpeApplicability": [
             {
                "nodes": [
                   {
                      "operator": "OR",
                      "negate": false,
                      "cpeMatch": [
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "5.15",
                            "versionEndExcluding": "5.15.5"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "5.15",
                            "versionEndExcluding": "5.16"
                         }
                      ]
                   }
                ]
             }
          ],
          "references": [
             {
                "url": "https://git.kernel.org/stable/c/b70e072feffa0ba5c41a99b9524b9878dee7748e"
             },
             {
                "url": "https://git.kernel.org/stable/c/6cd7397d01c4a3e09757840299e4f114f0aa5fa0"
             }
          ],
          "title": "RDMA/core: Set send and receive CQ before forwarding to the driver",
          "x_generator": {
             "engine": "bippy-1.2.0"
          }
       }
    },
    "cveMetadata": {
       "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
       "cveID": "CVE-2021-47196",
       "requesterUserId": "gregkh@kernel.org",
       "serial": "1",
       "state": "PUBLISHED"
    },
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0"
 }
	{
	"containers": {
	"cna": {
	"providerMetadata": {
	"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
	},
	"descriptions": [
	{
	"lang": "en",
	"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Set send and receive CQ before forwarding to the driver\n\nPreset both receive and send CQ pointers prior to call to the drivers and\noverwrite it later again till the mlx4 is going to be changed do not\noverwrite ibqp properties.\n\nThis change is needed for mlx5, because in case of QP creation failure, it\nwill go to the path of QP destroy which relies on proper CQ pointers.\n\n BUG: KASAN: use-after-free in create_qp.cold+0x164/0x16e [mlx5_ib]\n Write of size 8 at addr ffff8880064c55c0 by task a.out/246\n\n CPU: 0 PID: 246 Comm: a.out Not tainted 5.15.0+ #291\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Call Trace:\n dump_stack_lvl+0x45/0x59\n print_address_description.constprop.0+0x1f/0x140\n kasan_report.cold+0x83/0xdf\n create_qp.cold+0x164/0x16e [mlx5_ib]\n mlx5_ib_create_qp+0x358/0x28a0 [mlx5_ib]\n create_qp.part.0+0x45b/0x6a0 [ib_core]\n ib_create_qp_user+0x97/0x150 [ib_core]\n ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\n ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\n ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\n __x64_sys_ioctl+0x866/0x14d0\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Allocated by task 246:\n kasan_save_stack+0x1b/0x40\n __kasan_kmalloc+0xa4/0xd0\n create_qp.part.0+0x92/0x6a0 [ib_core]\n ib_create_qp_user+0x97/0x150 [ib_core]\n ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\n ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\n ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\n __x64_sys_ioctl+0x866/0x14d0\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Freed by task 246:\n kasan_save_stack+0x1b/0x40\n kasan_set_track+0x1c/0x30\n kasan_set_free_info+0x20/0x30\n __kasan_slab_free+0x10c/0x150\n slab_free_freelist_hook+0xb4/0x1b0\n kfree+0xe7/0x2a0\n create_qp.part.0+0x52b/0x6a0 [ib_core]\n ib_create_qp_user+0x97/0x150 [ib_core]\n ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\n ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\n ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\n __x64_sys_ioctl+0x866/0x14d0\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae"
	}
	],
	"affected": [
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "unaffected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"drivers/infiniband/core/verbs.c"
	],
	"versions": [
	{
	"version": "514aee660df493cd673154a6ba6bab745ec47b8c",
	"lessThan": "b70e072feffa0ba5c41a99b9524b9878dee7748e",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "514aee660df493cd673154a6ba6bab745ec47b8c",
	"lessThan": "6cd7397d01c4a3e09757840299e4f114f0aa5fa0",
	"status": "affected",
	"versionType": "git"
	}
	]
	},
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "affected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"drivers/infiniband/core/verbs.c"
	],
	"versions": [
	{
	"version": "5.15",
	"status": "affected"
	},
	{
	"version": "0",
	"lessThan": "5.15",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.15.5",
	"lessThanOrEqual": "5.15.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.16",
	"lessThanOrEqual": "*",
	"status": "unaffected",
	"versionType": "original_commit_for_fix"
	}
	]
	}
	],
	"cpeApplicability": [
	{
	"nodes": [
	{
	"operator": "OR",
	"negate": false,
	"cpeMatch": [
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "5.15",
	"versionEndExcluding": "5.15.5"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "5.15",
	"versionEndExcluding": "5.16"
	}
	]
	}
	]
	}
	],
	"references": [
	{
	"url": "https://git.kernel.org/stable/c/b70e072feffa0ba5c41a99b9524b9878dee7748e"
	},
	{
	"url": "https://git.kernel.org/stable/c/6cd7397d01c4a3e09757840299e4f114f0aa5fa0"
	}
	],
	"title": "RDMA/core: Set send and receive CQ before forwarding to the driver",
	"x_generator": {
	"engine": "bippy-1.2.0"
	}
	}
	},
	"cveMetadata": {
	"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
	"cveID": "CVE-2021-47196",
	"requesterUserId": "gregkh@kernel.org",
	"serial": "1",
	"state": "PUBLISHED"
	},
	"dataType": "CVE_RECORD",
	"dataVersion": "5.0"
	}