Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-cve / . / cve / published / 2021 / CVE-2021-47562.json
blob: c20b999e07163f27593c1912264cfd7c7b5c5a43 [file] [log] [blame]
{
"containers": {
"cna": {
"providerMetadata": {
"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
},
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix vsi->txq_map sizing\n\nThe approach of having XDP queue per CPU regardless of user's setting\nexposed a hidden bug that could occur in case when Rx queue count differ\nfrom Tx queue count. Currently vsi->txq_map's size is equal to the\ndoubled vsi->alloc_txq, which is not correct due to the fact that XDP\nrings were previously based on the Rx queue count. Below splat can be\nseen when ethtool -L is used and XDP rings are configured:\n\n[ 682.875339] BUG: kernel NULL pointer dereference, address: 000000000000000f\n[ 682.883403] #PF: supervisor read access in kernel mode\n[ 682.889345] #PF: error_code(0x0000) - not-present page\n[ 682.895289] PGD 0 P4D 0\n[ 682.898218] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 682.903055] CPU: 42 PID: 2878 Comm: ethtool Tainted: G OE 5.15.0-rc5+ #1\n[ 682.912214] Hardware name: Intel Corp. GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235 05/19/2016\n[ 682.923380] RIP: 0010:devres_remove+0x44/0x130\n[ 682.928527] Code: 49 89 f4 55 48 89 fd 4c 89 ff 53 48 83 ec 10 e8 92 b9 49 00 48 8b 9d a8 02 00 00 48 8d 8d a0 02 00 00 49 89 c2 48 39 cb 74 0f <4c> 3b 63 10 74 25 48 8b 5b 08 48 39 cb 75 f1 4c 89 ff 4c 89 d6 e8\n[ 682.950237] RSP: 0018:ffffc90006a679f0 EFLAGS: 00010002\n[ 682.956285] RAX: 0000000000000286 RBX: ffffffffffffffff RCX: ffff88908343a370\n[ 682.964538] RDX: 0000000000000001 RSI: ffffffff81690d60 RDI: 0000000000000000\n[ 682.972789] RBP: ffff88908343a0d0 R08: 0000000000000000 R09: 0000000000000000\n[ 682.981040] R10: 0000000000000286 R11: 3fffffffffffffff R12: ffffffff81690d60\n[ 682.989282] R13: ffffffff81690a00 R14: ffff8890819807a8 R15: ffff88908343a36c\n[ 682.997535] FS: 00007f08c7bfa740(0000) GS:ffff88a03fd00000(0000) knlGS:0000000000000000\n[ 683.006910] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 683.013557] CR2: 000000000000000f CR3: 0000001080a66003 CR4: 00000000003706e0\n[ 683.021819] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 683.030075] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 683.038336] Call Trace:\n[ 683.041167] devm_kfree+0x33/0x50\n[ 683.045004] ice_vsi_free_arrays+0x5e/0xc0 [ice]\n[ 683.050380] ice_vsi_rebuild+0x4c8/0x750 [ice]\n[ 683.055543] ice_vsi_recfg_qs+0x9a/0x110 [ice]\n[ 683.060697] ice_set_channels+0x14f/0x290 [ice]\n[ 683.065962] ethnl_set_channels+0x333/0x3f0\n[ 683.070807] genl_family_rcv_msg_doit+0xea/0x150\n[ 683.076152] genl_rcv_msg+0xde/0x1d0\n[ 683.080289] ? channels_prepare_data+0x60/0x60\n[ 683.085432] ? genl_get_cmd+0xd0/0xd0\n[ 683.089667] netlink_rcv_skb+0x50/0xf0\n[ 683.094006] genl_rcv+0x24/0x40\n[ 683.097638] netlink_unicast+0x239/0x340\n[ 683.102177] netlink_sendmsg+0x22e/0x470\n[ 683.106717] sock_sendmsg+0x5e/0x60\n[ 683.110756] __sys_sendto+0xee/0x150\n[ 683.114894] ? handle_mm_fault+0xd0/0x2a0\n[ 683.119535] ? do_user_addr_fault+0x1f3/0x690\n[ 683.134173] __x64_sys_sendto+0x25/0x30\n[ 683.148231] do_syscall_64+0x3b/0xc0\n[ 683.161992] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nFix this by taking into account the value that num_possible_cpus()\nyields in addition to vsi->alloc_txq instead of doubling the latter."
}
],
"affected": [
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_lib.c"
],
"versions": [
{
"version": "efc2214b6047b6f5b4ca53151eba62521b9452d6",
"lessThan": "1eb5395add786613c7c5579d3947aa0b8f0ec241",
"status": "affected",
"versionType": "git"
},
{
"version": "efc2214b6047b6f5b4ca53151eba62521b9452d6",
"lessThan": "992ba40a67638dfe2772b84dfc8168dc328d5c4c",
"status": "affected",
"versionType": "git"
},
{
"version": "efc2214b6047b6f5b4ca53151eba62521b9452d6",
"lessThan": "792b2086584f25d84081a526beee80d103c2a913",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_lib.c"
],
"versions": [
{
"version": "5.5",
"status": "affected"
},
{
"version": "0",
"lessThan": "5.5",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.10.83",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.15.6",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.16",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.5",
"versionEndExcluding": "5.10.83"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.5",
"versionEndExcluding": "5.15.6"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.5",
"versionEndExcluding": "5.16"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/1eb5395add786613c7c5579d3947aa0b8f0ec241"
},
{
"url": "https://git.kernel.org/stable/c/992ba40a67638dfe2772b84dfc8168dc328d5c4c"
},
{
"url": "https://git.kernel.org/stable/c/792b2086584f25d84081a526beee80d103c2a913"
}
],
"title": "ice: fix vsi->txq_map sizing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
"cveID": "CVE-2021-47562",
"requesterUserId": "gregkh@kernel.org",
"serial": "1",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}