cve/published/2021/CVE-2021-47261.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47261: IB/mlx5: Fix initializing CQ fragments buffer

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 IB/mlx5: Fix initializing CQ fragments buffer

 The function init_cq_frag_buf() can be called to initialize the current CQ
 fragments buffer cq->buf, or the temporary cq->resize_buf that is filled
 during CQ resize operation.

 However, the offending commit started to use function get_cqe() for
 getting the CQEs, the issue with this change is that get_cqe() always
 returns CQEs from cq->buf, which leads us to initialize the wrong buffer,
 and in case of enlarging the CQ we try to access elements beyond the size
 of the current cq->buf and eventually hit a kernel panic.

  [exception RIP: init_cq_frag_buf+103]
   [ffff9f799ddcbcd8] mlx5_ib_resize_cq at ffffffffc0835d60 [mlx5_ib]
   [ffff9f799ddcbdb0] ib_resize_cq at ffffffffc05270df [ib_core]
   [ffff9f799ddcbdc0] llt_rdma_setup_qp at ffffffffc0a6a712 [llt]
   [ffff9f799ddcbe10] llt_rdma_cc_event_action at ffffffffc0a6b411 [llt]
   [ffff9f799ddcbe98] llt_rdma_client_conn_thread at ffffffffc0a6bb75 [llt]
   [ffff9f799ddcbec8] kthread at ffffffffa66c5da1
   [ffff9f799ddcbf50] ret_from_fork_nospec_begin at ffffffffa6d95ddd

 Fix it by getting the needed CQE by calling mlx5_frag_buf_get_wqe() that
 takes the correct source buffer as a parameter.

 The Linux kernel CVE team has assigned CVE-2021-47261 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.17 with commit 388ca8be00370db132464e27f745b8a0add19fcb and fixed in 4.19.195 with commit 1ec2dcd680c71d0d36fa25638b327a468babd5c9
 	Issue introduced in 4.17 with commit 388ca8be00370db132464e27f745b8a0add19fcb and fixed in 5.4.126 with commit e3ecd9c09fcc10cf6b2bc67e2990c397c40a8c26
 	Issue introduced in 4.17 with commit 388ca8be00370db132464e27f745b8a0add19fcb and fixed in 5.10.44 with commit 91f7fdc4cc10542ca1045c06aad23365f0d067e0
 	Issue introduced in 4.17 with commit 388ca8be00370db132464e27f745b8a0add19fcb and fixed in 5.12.11 with commit 3e670c54eda238cb8a1ea93538a79ae89285c1c4
 	Issue introduced in 4.17 with commit 388ca8be00370db132464e27f745b8a0add19fcb and fixed in 5.13 with commit 2ba0aa2feebda680ecfc3c552e867cf4d1b05a3a

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47261
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/infiniband/hw/mlx5/cq.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/1ec2dcd680c71d0d36fa25638b327a468babd5c9
 	https://git.kernel.org/stable/c/e3ecd9c09fcc10cf6b2bc67e2990c397c40a8c26
 	https://git.kernel.org/stable/c/91f7fdc4cc10542ca1045c06aad23365f0d067e0
 	https://git.kernel.org/stable/c/3e670c54eda238cb8a1ea93538a79ae89285c1c4
 	https://git.kernel.org/stable/c/2ba0aa2feebda680ecfc3c552e867cf4d1b05a3a
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47261: IB/mlx5: Fix initializing CQ fragments buffer

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	IB/mlx5: Fix initializing CQ fragments buffer

	The function init_cq_frag_buf() can be called to initialize the current CQ
	fragments buffer cq->buf, or the temporary cq->resize_buf that is filled
	during CQ resize operation.

	However, the offending commit started to use function get_cqe() for
	getting the CQEs, the issue with this change is that get_cqe() always
	returns CQEs from cq->buf, which leads us to initialize the wrong buffer,
	and in case of enlarging the CQ we try to access elements beyond the size
	of the current cq->buf and eventually hit a kernel panic.

	[exception RIP: init_cq_frag_buf+103]
	[ffff9f799ddcbcd8] mlx5_ib_resize_cq at ffffffffc0835d60 [mlx5_ib]
	[ffff9f799ddcbdb0] ib_resize_cq at ffffffffc05270df [ib_core]
	[ffff9f799ddcbdc0] llt_rdma_setup_qp at ffffffffc0a6a712 [llt]
	[ffff9f799ddcbe10] llt_rdma_cc_event_action at ffffffffc0a6b411 [llt]
	[ffff9f799ddcbe98] llt_rdma_client_conn_thread at ffffffffc0a6bb75 [llt]
	[ffff9f799ddcbec8] kthread at ffffffffa66c5da1
	[ffff9f799ddcbf50] ret_from_fork_nospec_begin at ffffffffa6d95ddd

	Fix it by getting the needed CQE by calling mlx5_frag_buf_get_wqe() that
	takes the correct source buffer as a parameter.

	The Linux kernel CVE team has assigned CVE-2021-47261 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.17 with commit 388ca8be00370db132464e27f745b8a0add19fcb and fixed in 4.19.195 with commit 1ec2dcd680c71d0d36fa25638b327a468babd5c9
	Issue introduced in 4.17 with commit 388ca8be00370db132464e27f745b8a0add19fcb and fixed in 5.4.126 with commit e3ecd9c09fcc10cf6b2bc67e2990c397c40a8c26
	Issue introduced in 4.17 with commit 388ca8be00370db132464e27f745b8a0add19fcb and fixed in 5.10.44 with commit 91f7fdc4cc10542ca1045c06aad23365f0d067e0
	Issue introduced in 4.17 with commit 388ca8be00370db132464e27f745b8a0add19fcb and fixed in 5.12.11 with commit 3e670c54eda238cb8a1ea93538a79ae89285c1c4
	Issue introduced in 4.17 with commit 388ca8be00370db132464e27f745b8a0add19fcb and fixed in 5.13 with commit 2ba0aa2feebda680ecfc3c552e867cf4d1b05a3a

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47261
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/infiniband/hw/mlx5/cq.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/1ec2dcd680c71d0d36fa25638b327a468babd5c9
	https://git.kernel.org/stable/c/e3ecd9c09fcc10cf6b2bc67e2990c397c40a8c26
	https://git.kernel.org/stable/c/91f7fdc4cc10542ca1045c06aad23365f0d067e0
	https://git.kernel.org/stable/c/3e670c54eda238cb8a1ea93538a79ae89285c1c4
	https://git.kernel.org/stable/c/2ba0aa2feebda680ecfc3c552e867cf4d1b05a3a