cve/published/2021/CVE-2021-47399.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47399: ixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup

 The ixgbe driver currently generates a NULL pointer dereference with
 some machine (online cpus < 63). This is due to the fact that the
 maximum value of num_xdp_queues is nr_cpu_ids. Code is in
 "ixgbe_set_rss_queues"".

 Here's how the problem repeats itself:
 Some machine (online cpus < 63), And user set num_queues to 63 through
 ethtool. Code is in the "ixgbe_set_channels",
 	adapter->ring_feature[RING_F_FDIR].limit = count;

 It becomes 63.

 When user use xdp, "ixgbe_set_rss_queues" will set queues num.
 	adapter->num_rx_queues = rss_i;
 	adapter->num_tx_queues = rss_i;
 	adapter->num_xdp_queues = ixgbe_xdp_queues(adapter);

 And rss_i's value is from
 	f = &adapter->ring_feature[RING_F_FDIR];
 	rss_i = f->indices = f->limit;

 So "num_rx_queues" > "num_xdp_queues", when run to "ixgbe_xdp_setup",
 	for (i = 0; i < adapter->num_rx_queues; i++)
 		if (adapter->xdp_ring[i]->xsk_umem)

 It leads to panic.

 Call trace:
 [exception RIP: ixgbe_xdp+368]
 RIP: ffffffffc02a76a0  RSP: ffff9fe16202f8d0  RFLAGS: 00010297
 RAX: 0000000000000000  RBX: 0000000000000020  RCX: 0000000000000000
 RDX: 0000000000000000  RSI: 000000000000001c  RDI: ffffffffa94ead90
 RBP: ffff92f8f24c0c18   R8: 0000000000000000   R9: 0000000000000000
 R10: ffff9fe16202f830  R11: 0000000000000000  R12: ffff92f8f24c0000
 R13: ffff9fe16202fc01  R14: 000000000000000a  R15: ffffffffc02a7530
 ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
  7 [ffff9fe16202f8f0] dev_xdp_install at ffffffffa89fbbcc
  8 [ffff9fe16202f920] dev_change_xdp_fd at ffffffffa8a08808
  9 [ffff9fe16202f960] do_setlink at ffffffffa8a20235
 10 [ffff9fe16202fa88] rtnl_setlink at ffffffffa8a20384
 11 [ffff9fe16202fc78] rtnetlink_rcv_msg at ffffffffa8a1a8dd
 12 [ffff9fe16202fcf0] netlink_rcv_skb at ffffffffa8a717eb
 13 [ffff9fe16202fd40] netlink_unicast at ffffffffa8a70f88
 14 [ffff9fe16202fd80] netlink_sendmsg at ffffffffa8a71319
 15 [ffff9fe16202fdf0] sock_sendmsg at ffffffffa89df290
 16 [ffff9fe16202fe08] __sys_sendto at ffffffffa89e19c8
 17 [ffff9fe16202ff30] __x64_sys_sendto at ffffffffa89e1a64
 18 [ffff9fe16202ff38] do_syscall_64 at ffffffffa84042b9
 19 [ffff9fe16202ff50] entry_SYSCALL_64_after_hwframe at ffffffffa8c0008c

 So I fix ixgbe_max_channels so that it will not allow a setting of queues
 to be higher than the num_online_cpus(). And when run to ixgbe_xdp_setup,
 take the smaller value of num_rx_queues and num_xdp_queues.

 The Linux kernel CVE team has assigned CVE-2021-47399 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.0 with commit 4a9b32f30f805ca596d76605903a48eab58e0b88 and fixed in 5.10.71 with commit 20f6c4a31a525edd9ea6243712b868ba0e4e331e
 	Issue introduced in 5.0 with commit 4a9b32f30f805ca596d76605903a48eab58e0b88 and fixed in 5.14.10 with commit 2744341dd52e935344ca1b4bf189ba0d182a3e8e
 	Issue introduced in 5.0 with commit 4a9b32f30f805ca596d76605903a48eab58e0b88 and fixed in 5.15 with commit 513e605d7a9ce136886cb42ebb2c40e9a6eb6333

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47399
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
 	drivers/net/ethernet/intel/ixgbe/ixgbe_main.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/20f6c4a31a525edd9ea6243712b868ba0e4e331e
 	https://git.kernel.org/stable/c/2744341dd52e935344ca1b4bf189ba0d182a3e8e
 	https://git.kernel.org/stable/c/513e605d7a9ce136886cb42ebb2c40e9a6eb6333
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47399: ixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup

	The ixgbe driver currently generates a NULL pointer dereference with
	some machine (online cpus < 63). This is due to the fact that the
	maximum value of num_xdp_queues is nr_cpu_ids. Code is in
	"ixgbe_set_rss_queues"".

	Here's how the problem repeats itself:
	Some machine (online cpus < 63), And user set num_queues to 63 through
	ethtool. Code is in the "ixgbe_set_channels",
	adapter->ring_feature[RING_F_FDIR].limit = count;

	It becomes 63.

	When user use xdp, "ixgbe_set_rss_queues" will set queues num.
	adapter->num_rx_queues = rss_i;
	adapter->num_tx_queues = rss_i;
	adapter->num_xdp_queues = ixgbe_xdp_queues(adapter);

	And rss_i's value is from
	f = &adapter->ring_feature[RING_F_FDIR];
	rss_i = f->indices = f->limit;

	So "num_rx_queues" > "num_xdp_queues", when run to "ixgbe_xdp_setup",
	for (i = 0; i < adapter->num_rx_queues; i++)
	if (adapter->xdp_ring[i]->xsk_umem)

	It leads to panic.

	Call trace:
	[exception RIP: ixgbe_xdp+368]
	RIP: ffffffffc02a76a0 RSP: ffff9fe16202f8d0 RFLAGS: 00010297
	RAX: 0000000000000000 RBX: 0000000000000020 RCX: 0000000000000000
	RDX: 0000000000000000 RSI: 000000000000001c RDI: ffffffffa94ead90
	RBP: ffff92f8f24c0c18 R8: 0000000000000000 R9: 0000000000000000
	R10: ffff9fe16202f830 R11: 0000000000000000 R12: ffff92f8f24c0000
	R13: ffff9fe16202fc01 R14: 000000000000000a R15: ffffffffc02a7530
	ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
	7 [ffff9fe16202f8f0] dev_xdp_install at ffffffffa89fbbcc
	8 [ffff9fe16202f920] dev_change_xdp_fd at ffffffffa8a08808
	9 [ffff9fe16202f960] do_setlink at ffffffffa8a20235
	10 [ffff9fe16202fa88] rtnl_setlink at ffffffffa8a20384
	11 [ffff9fe16202fc78] rtnetlink_rcv_msg at ffffffffa8a1a8dd
	12 [ffff9fe16202fcf0] netlink_rcv_skb at ffffffffa8a717eb
	13 [ffff9fe16202fd40] netlink_unicast at ffffffffa8a70f88
	14 [ffff9fe16202fd80] netlink_sendmsg at ffffffffa8a71319
	15 [ffff9fe16202fdf0] sock_sendmsg at ffffffffa89df290
	16 [ffff9fe16202fe08] __sys_sendto at ffffffffa89e19c8
	17 [ffff9fe16202ff30] __x64_sys_sendto at ffffffffa89e1a64
	18 [ffff9fe16202ff38] do_syscall_64 at ffffffffa84042b9
	19 [ffff9fe16202ff50] entry_SYSCALL_64_after_hwframe at ffffffffa8c0008c

	So I fix ixgbe_max_channels so that it will not allow a setting of queues
	to be higher than the num_online_cpus(). And when run to ixgbe_xdp_setup,
	take the smaller value of num_rx_queues and num_xdp_queues.

	The Linux kernel CVE team has assigned CVE-2021-47399 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.0 with commit 4a9b32f30f805ca596d76605903a48eab58e0b88 and fixed in 5.10.71 with commit 20f6c4a31a525edd9ea6243712b868ba0e4e331e
	Issue introduced in 5.0 with commit 4a9b32f30f805ca596d76605903a48eab58e0b88 and fixed in 5.14.10 with commit 2744341dd52e935344ca1b4bf189ba0d182a3e8e
	Issue introduced in 5.0 with commit 4a9b32f30f805ca596d76605903a48eab58e0b88 and fixed in 5.15 with commit 513e605d7a9ce136886cb42ebb2c40e9a6eb6333

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47399
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
	drivers/net/ethernet/intel/ixgbe/ixgbe_main.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/20f6c4a31a525edd9ea6243712b868ba0e4e331e
	https://git.kernel.org/stable/c/2744341dd52e935344ca1b4bf189ba0d182a3e8e
	https://git.kernel.org/stable/c/513e605d7a9ce136886cb42ebb2c40e9a6eb6333