cve/published/2021/CVE-2021-47481.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47481: RDMA/mlx5: Initialize the ODP xarray when creating an ODP MR

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 RDMA/mlx5: Initialize the ODP xarray when creating an ODP MR

 Normally the zero fill would hide the missing initialization, but an
 errant set to desc_size in reg_create() causes a crash:

   BUG: unable to handle page fault for address: 0000000800000000
   PGD 0 P4D 0
   Oops: 0000 [#1] SMP PTI
   CPU: 5 PID: 890 Comm: ib_write_bw Not tainted 5.15.0-rc4+ #47
   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
   RIP: 0010:mlx5_ib_dereg_mr+0x14/0x3b0 [mlx5_ib]
   Code: 48 63 cd 4c 89 f7 48 89 0c 24 e8 37 30 03 e1 48 8b 0c 24 eb a0 90 0f 1f 44 00 00 41 56 41 55 41 54 55 53 48 89 fb 48 83 ec 30 <48> 8b 2f 65 48 8b 04 25 28 00 00 00 48 89 44 24 28 31 c0 8b 87 c8
   RSP: 0018:ffff88811afa3a60 EFLAGS: 00010286
   RAX: 000000000000001c RBX: 0000000800000000 RCX: 0000000000000000
   RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000800000000
   RBP: 0000000800000000 R08: 0000000000000000 R09: c0000000fffff7ff
   R10: ffff88811afa38f8 R11: ffff88811afa38f0 R12: ffffffffa02c7ac0
   R13: 0000000000000000 R14: ffff88811afa3cd8 R15: ffff88810772fa00
   FS:  00007f47b9080740(0000) GS:ffff88852cd40000(0000) knlGS:0000000000000000
   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
   CR2: 0000000800000000 CR3: 000000010761e003 CR4: 0000000000370ea0
   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
   Call Trace:
    mlx5_ib_free_odp_mr+0x95/0xc0 [mlx5_ib]
    mlx5_ib_dereg_mr+0x128/0x3b0 [mlx5_ib]
    ib_dereg_mr_user+0x45/0xb0 [ib_core]
    ? xas_load+0x8/0x80
    destroy_hw_idr_uobject+0x1a/0x50 [ib_uverbs]
    uverbs_destroy_uobject+0x2f/0x150 [ib_uverbs]
    uobj_destroy+0x3c/0x70 [ib_uverbs]
    ib_uverbs_cmd_verbs+0x467/0xb00 [ib_uverbs]
    ? uverbs_finalize_object+0x60/0x60 [ib_uverbs]
    ? ttwu_queue_wakelist+0xa9/0xe0
    ? pty_write+0x85/0x90
    ? file_tty_write.isra.33+0x214/0x330
    ? process_echoes+0x60/0x60
    ib_uverbs_ioctl+0xa7/0x110 [ib_uverbs]
    __x64_sys_ioctl+0x10d/0x8e0
    ? vfs_write+0x17f/0x260
    do_syscall_64+0x3c/0x80
    entry_SYSCALL_64_after_hwframe+0x44/0xae

 Add the missing xarray initialization and remove the desc_size set.

 The Linux kernel CVE team has assigned CVE-2021-47481 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.13 with commit a639e66703ee45745dc4057c7c2013ed9e1963a7 and fixed in 5.14.16 with commit 5f6995295f65d1ee6f36d466d26afd98eb797afe
 	Issue introduced in 5.13 with commit a639e66703ee45745dc4057c7c2013ed9e1963a7 and fixed in 5.15 with commit 5508546631a0f555d7088203dec2614e41b5106e
 	Issue introduced in 5.12.4 with commit 29f91bd26f3ba828a55cb446ecd44caacf0df026

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47481
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/infiniband/hw/mlx5/mr.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5f6995295f65d1ee6f36d466d26afd98eb797afe
 	https://git.kernel.org/stable/c/5508546631a0f555d7088203dec2614e41b5106e
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47481: RDMA/mlx5: Initialize the ODP xarray when creating an ODP MR

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	RDMA/mlx5: Initialize the ODP xarray when creating an ODP MR

	Normally the zero fill would hide the missing initialization, but an
	errant set to desc_size in reg_create() causes a crash:

	BUG: unable to handle page fault for address: 0000000800000000
	PGD 0 P4D 0
	Oops: 0000 [#1] SMP PTI
	CPU: 5 PID: 890 Comm: ib_write_bw Not tainted 5.15.0-rc4+ #47
	Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
	RIP: 0010:mlx5_ib_dereg_mr+0x14/0x3b0 [mlx5_ib]
	Code: 48 63 cd 4c 89 f7 48 89 0c 24 e8 37 30 03 e1 48 8b 0c 24 eb a0 90 0f 1f 44 00 00 41 56 41 55 41 54 55 53 48 89 fb 48 83 ec 30 <48> 8b 2f 65 48 8b 04 25 28 00 00 00 48 89 44 24 28 31 c0 8b 87 c8
	RSP: 0018:ffff88811afa3a60 EFLAGS: 00010286
	RAX: 000000000000001c RBX: 0000000800000000 RCX: 0000000000000000
	RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000800000000
	RBP: 0000000800000000 R08: 0000000000000000 R09: c0000000fffff7ff
	R10: ffff88811afa38f8 R11: ffff88811afa38f0 R12: ffffffffa02c7ac0
	R13: 0000000000000000 R14: ffff88811afa3cd8 R15: ffff88810772fa00
	FS: 00007f47b9080740(0000) GS:ffff88852cd40000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 0000000800000000 CR3: 000000010761e003 CR4: 0000000000370ea0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	mlx5_ib_free_odp_mr+0x95/0xc0 [mlx5_ib]
	mlx5_ib_dereg_mr+0x128/0x3b0 [mlx5_ib]
	ib_dereg_mr_user+0x45/0xb0 [ib_core]
	? xas_load+0x8/0x80
	destroy_hw_idr_uobject+0x1a/0x50 [ib_uverbs]
	uverbs_destroy_uobject+0x2f/0x150 [ib_uverbs]
	uobj_destroy+0x3c/0x70 [ib_uverbs]
	ib_uverbs_cmd_verbs+0x467/0xb00 [ib_uverbs]
	? uverbs_finalize_object+0x60/0x60 [ib_uverbs]
	? ttwu_queue_wakelist+0xa9/0xe0
	? pty_write+0x85/0x90
	? file_tty_write.isra.33+0x214/0x330
	? process_echoes+0x60/0x60
	ib_uverbs_ioctl+0xa7/0x110 [ib_uverbs]
	__x64_sys_ioctl+0x10d/0x8e0
	? vfs_write+0x17f/0x260
	do_syscall_64+0x3c/0x80
	entry_SYSCALL_64_after_hwframe+0x44/0xae

	Add the missing xarray initialization and remove the desc_size set.

	The Linux kernel CVE team has assigned CVE-2021-47481 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.13 with commit a639e66703ee45745dc4057c7c2013ed9e1963a7 and fixed in 5.14.16 with commit 5f6995295f65d1ee6f36d466d26afd98eb797afe
	Issue introduced in 5.13 with commit a639e66703ee45745dc4057c7c2013ed9e1963a7 and fixed in 5.15 with commit 5508546631a0f555d7088203dec2614e41b5106e
	Issue introduced in 5.12.4 with commit 29f91bd26f3ba828a55cb446ecd44caacf0df026

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47481
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/infiniband/hw/mlx5/mr.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5f6995295f65d1ee6f36d466d26afd98eb797afe
	https://git.kernel.org/stable/c/5508546631a0f555d7088203dec2614e41b5106e