cve/published/2021/CVE-2021-47587.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47587: net: systemport: Add global locking for descriptor lifecycle

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: systemport: Add global locking for descriptor lifecycle

 The descriptor list is a shared resource across all of the transmit queues, and
 the locking mechanism used today only protects concurrency across a given
 transmit queue between the transmit and reclaiming. This creates an opportunity
 for the SYSTEMPORT hardware to work on corrupted descriptors if we have
 multiple producers at once which is the case when using multiple transmit
 queues.

 This was particularly noticeable when using multiple flows/transmit queues and
 it showed up in interesting ways in that UDP packets would get a correct UDP
 header checksum being calculated over an incorrect packet length. Similarly TCP
 packets would get an equally correct checksum computed by the hardware over an
 incorrect packet length.

 The SYSTEMPORT hardware maintains an internal descriptor list that it re-arranges
 when the driver produces a new descriptor anytime it writes to the
 WRITE_PORT_{HI,LO} registers, there is however some delay in the hardware to
 re-organize its descriptors and it is possible that concurrent TX queues
 eventually break this internal allocation scheme to the point where the
 length/status part of the descriptor gets used for an incorrect data buffer.

 The fix is to impose a global serialization for all TX queues in the short
 section where we are writing to the WRITE_PORT_{HI,LO} registers which solves
 the corruption even with multiple concurrent TX queues being used.

 The Linux kernel CVE team has assigned CVE-2021-47587 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.16 with commit 80105befdb4b8cea924711b40b2462b87df65b62 and fixed in 4.4.296 with commit 8ed2f5d08d6e59f8c78b2869bfb95d0be32c094c
 	Issue introduced in 3.16 with commit 80105befdb4b8cea924711b40b2462b87df65b62 and fixed in 4.9.294 with commit de57f62f76450b934de8203711bdc4f7953c3421
 	Issue introduced in 3.16 with commit 80105befdb4b8cea924711b40b2462b87df65b62 and fixed in 4.14.259 with commit f3fde37d3f0d429f0fcce214cb52588a9e21260e
 	Issue introduced in 3.16 with commit 80105befdb4b8cea924711b40b2462b87df65b62 and fixed in 4.19.222 with commit 595a684fa6f23b21958379a18cfa83862c73c2e1
 	Issue introduced in 3.16 with commit 80105befdb4b8cea924711b40b2462b87df65b62 and fixed in 5.4.168 with commit c675256a7f131f5ba3f331efb715e8f31ea0e392
 	Issue introduced in 3.16 with commit 80105befdb4b8cea924711b40b2462b87df65b62 and fixed in 5.10.88 with commit 6e1011cd183faae8daff275c72444edcdfe0d473
 	Issue introduced in 3.16 with commit 80105befdb4b8cea924711b40b2462b87df65b62 and fixed in 5.15.11 with commit eb4687c7442942e115420a30185f8d83faf37696
 	Issue introduced in 3.16 with commit 80105befdb4b8cea924711b40b2462b87df65b62 and fixed in 5.16 with commit 8b8e6e782456f1ce02a7ae914bbd5b1053f0b034

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47587
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/broadcom/bcmsysport.c
 	drivers/net/ethernet/broadcom/bcmsysport.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8ed2f5d08d6e59f8c78b2869bfb95d0be32c094c
 	https://git.kernel.org/stable/c/de57f62f76450b934de8203711bdc4f7953c3421
 	https://git.kernel.org/stable/c/f3fde37d3f0d429f0fcce214cb52588a9e21260e
 	https://git.kernel.org/stable/c/595a684fa6f23b21958379a18cfa83862c73c2e1
 	https://git.kernel.org/stable/c/c675256a7f131f5ba3f331efb715e8f31ea0e392
 	https://git.kernel.org/stable/c/6e1011cd183faae8daff275c72444edcdfe0d473
 	https://git.kernel.org/stable/c/eb4687c7442942e115420a30185f8d83faf37696
 	https://git.kernel.org/stable/c/8b8e6e782456f1ce02a7ae914bbd5b1053f0b034
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47587: net: systemport: Add global locking for descriptor lifecycle

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: systemport: Add global locking for descriptor lifecycle

	The descriptor list is a shared resource across all of the transmit queues, and
	the locking mechanism used today only protects concurrency across a given
	transmit queue between the transmit and reclaiming. This creates an opportunity
	for the SYSTEMPORT hardware to work on corrupted descriptors if we have
	multiple producers at once which is the case when using multiple transmit
	queues.

	This was particularly noticeable when using multiple flows/transmit queues and
	it showed up in interesting ways in that UDP packets would get a correct UDP
	header checksum being calculated over an incorrect packet length. Similarly TCP
	packets would get an equally correct checksum computed by the hardware over an
	incorrect packet length.

	The SYSTEMPORT hardware maintains an internal descriptor list that it re-arranges
	when the driver produces a new descriptor anytime it writes to the
	WRITE_PORT_{HI,LO} registers, there is however some delay in the hardware to
	re-organize its descriptors and it is possible that concurrent TX queues
	eventually break this internal allocation scheme to the point where the
	length/status part of the descriptor gets used for an incorrect data buffer.

	The fix is to impose a global serialization for all TX queues in the short
	section where we are writing to the WRITE_PORT_{HI,LO} registers which solves
	the corruption even with multiple concurrent TX queues being used.

	The Linux kernel CVE team has assigned CVE-2021-47587 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.16 with commit 80105befdb4b8cea924711b40b2462b87df65b62 and fixed in 4.4.296 with commit 8ed2f5d08d6e59f8c78b2869bfb95d0be32c094c
	Issue introduced in 3.16 with commit 80105befdb4b8cea924711b40b2462b87df65b62 and fixed in 4.9.294 with commit de57f62f76450b934de8203711bdc4f7953c3421
	Issue introduced in 3.16 with commit 80105befdb4b8cea924711b40b2462b87df65b62 and fixed in 4.14.259 with commit f3fde37d3f0d429f0fcce214cb52588a9e21260e
	Issue introduced in 3.16 with commit 80105befdb4b8cea924711b40b2462b87df65b62 and fixed in 4.19.222 with commit 595a684fa6f23b21958379a18cfa83862c73c2e1
	Issue introduced in 3.16 with commit 80105befdb4b8cea924711b40b2462b87df65b62 and fixed in 5.4.168 with commit c675256a7f131f5ba3f331efb715e8f31ea0e392
	Issue introduced in 3.16 with commit 80105befdb4b8cea924711b40b2462b87df65b62 and fixed in 5.10.88 with commit 6e1011cd183faae8daff275c72444edcdfe0d473
	Issue introduced in 3.16 with commit 80105befdb4b8cea924711b40b2462b87df65b62 and fixed in 5.15.11 with commit eb4687c7442942e115420a30185f8d83faf37696
	Issue introduced in 3.16 with commit 80105befdb4b8cea924711b40b2462b87df65b62 and fixed in 5.16 with commit 8b8e6e782456f1ce02a7ae914bbd5b1053f0b034

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47587
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/broadcom/bcmsysport.c
	drivers/net/ethernet/broadcom/bcmsysport.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8ed2f5d08d6e59f8c78b2869bfb95d0be32c094c
	https://git.kernel.org/stable/c/de57f62f76450b934de8203711bdc4f7953c3421
	https://git.kernel.org/stable/c/f3fde37d3f0d429f0fcce214cb52588a9e21260e
	https://git.kernel.org/stable/c/595a684fa6f23b21958379a18cfa83862c73c2e1
	https://git.kernel.org/stable/c/c675256a7f131f5ba3f331efb715e8f31ea0e392
	https://git.kernel.org/stable/c/6e1011cd183faae8daff275c72444edcdfe0d473
	https://git.kernel.org/stable/c/eb4687c7442942e115420a30185f8d83faf37696
	https://git.kernel.org/stable/c/8b8e6e782456f1ce02a7ae914bbd5b1053f0b034