cve/published/2024/CVE-2024-26766.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26766: IB/hfi1: Fix sdma.h tx->num_descs off-by-one error

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 IB/hfi1: Fix sdma.h tx->num_descs off-by-one error

 Unfortunately the commit `fd8958efe877` introduced another error
 causing the `descs` array to overflow. This reults in further crashes
 easily reproducible by `sendmsg` system call.

 [ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI
 [ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]
 --
 [ 1080.974535] Call Trace:
 [ 1080.976990]  <TASK>
 [ 1081.021929]  hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]
 [ 1081.027364]  hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]
 [ 1081.032633]  hfi1_ipoib_send+0x112/0x300 [hfi1]
 [ 1081.042001]  ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]
 [ 1081.046978]  dev_hard_start_xmit+0xc4/0x210
 --
 [ 1081.148347]  __sys_sendmsg+0x59/0xa0

 crash> ipoib_txreq 0xffff9cfeba229f00
 struct ipoib_txreq {
   txreq = {
     list = {
       next = 0xffff9cfeba229f00,
       prev = 0xffff9cfeba229f00
     },
     descp = 0xffff9cfeba229f40,
     coalesce_buf = 0x0,
     wait = 0xffff9cfea4e69a48,
     complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>,
     packet_len = 0x46d,
     tlen = 0x0,
     num_desc = 0x0,
     desc_limit = 0x6,
     next_descq_idx = 0x45c,
     coalesce_idx = 0x0,
     flags = 0x0,
     descs = {{
         qw = {0x8024000120dffb00, 0x4}  # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)
       }, {
         qw = {  0x3800014231b108, 0x4}
       }, {
         qw = { 0x310000e4ee0fcf0, 0x8}
       }, {
         qw = {  0x3000012e9f8000, 0x8}
       }, {
         qw = {  0x59000dfb9d0000, 0x8}
       }, {
         qw = {  0x78000e02e40000, 0x8}
       }}
   },
   sdma_hdr =  0x400300015528b000,  <<< invalid pointer in the tx request structure
   sdma_status = 0x0,                   SDMA_DESC0_LAST_DESC_FLAG (bit 62)
   complete = 0x0,
   priv = 0x0,
   txq = 0xffff9cfea4e69880,
   skb = 0xffff9d099809f400
 }

 If an SDMA send consists of exactly 6 descriptors and requires dword
 padding (in the 7th descriptor), the sdma_txreq descriptor array is not
 properly expanded and the packet will overflow into the container
 structure. This results in a panic when the send completion runs. The
 exact panic varies depending on what elements of the container structure
 get corrupted. The fix is to use the correct expression in
 _pad_sdma_tx_descs() to test the need to expand the descriptor array.

 With this patch the crashes are no longer reproducible and the machine is
 stable.

 The Linux kernel CVE team has assigned CVE-2024-26766 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.19.291 with commit d1c1ee052d25ca23735eea912f843bc7834781b4 and fixed in 4.19.308 with commit 115b7f3bc1dce590a6851a2dcf23dc1100c49790
 	Issue introduced in 5.4.251 with commit 40ac5cb6cbb01afa40881f78b4d2f559fb7065c4 and fixed in 5.4.270 with commit 5833024a9856f454a964a198c63a57e59e07baf5
 	Issue introduced in 5.10.188 with commit 6cf8f3d690bb5ad31ef0f41a6206ecf5a068d179 and fixed in 5.10.211 with commit 3f38d22e645e2e994979426ea5a35186102ff3c2
 	Issue introduced in 5.15.99 with commit bd57756a7e43c7127d0eca1fc5868e705fd0f7ba and fixed in 5.15.150 with commit 47ae64df23ed1318e27bd9844e135a5e1c0e6e39
 	Issue introduced in 6.1.16 with commit eeaf35f4e3b360162081de5e744cf32d6d1b0091 and fixed in 6.1.80 with commit 52dc9a7a573dbf778625a0efca0fca55489f084b
 	Issue introduced in 6.3 with commit fd8958efe8779d3db19c9124fce593ce681ac709 and fixed in 6.6.19 with commit a2fef1d81becf4ff60e1a249477464eae3c3bc2a
 	Issue introduced in 6.3 with commit fd8958efe8779d3db19c9124fce593ce681ac709 and fixed in 6.7.7 with commit 9034a1bec35e9f725315a3bb6002ef39666114d9
 	Issue introduced in 6.3 with commit fd8958efe8779d3db19c9124fce593ce681ac709 and fixed in 6.8 with commit e6f57c6881916df39db7d95981a8ad2b9c3458d6
 	Issue introduced in 6.2.3 with commit 0ef9594936d1f078e8599a1cf683b052df2bec00

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26766
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/infiniband/hw/hfi1/sdma.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790
 	https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5
 	https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2
 	https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39
 	https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b
 	https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a
 	https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9
 	https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26766: IB/hfi1: Fix sdma.h tx->num_descs off-by-one error

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	IB/hfi1: Fix sdma.h tx->num_descs off-by-one error

	Unfortunately the commit `fd8958efe877` introduced another error
	causing the `descs` array to overflow. This reults in further crashes
	easily reproducible by `sendmsg` system call.

	[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI
	[ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]
	--
	[ 1080.974535] Call Trace:
	[ 1080.976990] <TASK>
	[ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]
	[ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]
	[ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1]
	[ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]
	[ 1081.046978] dev_hard_start_xmit+0xc4/0x210
	--
	[ 1081.148347] __sys_sendmsg+0x59/0xa0

	crash> ipoib_txreq 0xffff9cfeba229f00
	struct ipoib_txreq {
	txreq = {
	list = {
	next = 0xffff9cfeba229f00,
	prev = 0xffff9cfeba229f00
	},
	descp = 0xffff9cfeba229f40,
	coalesce_buf = 0x0,
	wait = 0xffff9cfea4e69a48,
	complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>,
	packet_len = 0x46d,
	tlen = 0x0,
	num_desc = 0x0,
	desc_limit = 0x6,
	next_descq_idx = 0x45c,
	coalesce_idx = 0x0,
	flags = 0x0,
	descs = {{
	qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)
	}, {
	qw = { 0x3800014231b108, 0x4}
	}, {
	qw = { 0x310000e4ee0fcf0, 0x8}
	}, {
	qw = { 0x3000012e9f8000, 0x8}
	}, {
	qw = { 0x59000dfb9d0000, 0x8}
	}, {
	qw = { 0x78000e02e40000, 0x8}
	}}
	},
	sdma_hdr = 0x400300015528b000, <<< invalid pointer in the tx request structure
	sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62)
	complete = 0x0,
	priv = 0x0,
	txq = 0xffff9cfea4e69880,
	skb = 0xffff9d099809f400
	}

	If an SDMA send consists of exactly 6 descriptors and requires dword
	padding (in the 7th descriptor), the sdma_txreq descriptor array is not
	properly expanded and the packet will overflow into the container
	structure. This results in a panic when the send completion runs. The
	exact panic varies depending on what elements of the container structure
	get corrupted. The fix is to use the correct expression in
	_pad_sdma_tx_descs() to test the need to expand the descriptor array.

	With this patch the crashes are no longer reproducible and the machine is
	stable.

	The Linux kernel CVE team has assigned CVE-2024-26766 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.19.291 with commit d1c1ee052d25ca23735eea912f843bc7834781b4 and fixed in 4.19.308 with commit 115b7f3bc1dce590a6851a2dcf23dc1100c49790
	Issue introduced in 5.4.251 with commit 40ac5cb6cbb01afa40881f78b4d2f559fb7065c4 and fixed in 5.4.270 with commit 5833024a9856f454a964a198c63a57e59e07baf5
	Issue introduced in 5.10.188 with commit 6cf8f3d690bb5ad31ef0f41a6206ecf5a068d179 and fixed in 5.10.211 with commit 3f38d22e645e2e994979426ea5a35186102ff3c2
	Issue introduced in 5.15.99 with commit bd57756a7e43c7127d0eca1fc5868e705fd0f7ba and fixed in 5.15.150 with commit 47ae64df23ed1318e27bd9844e135a5e1c0e6e39
	Issue introduced in 6.1.16 with commit eeaf35f4e3b360162081de5e744cf32d6d1b0091 and fixed in 6.1.80 with commit 52dc9a7a573dbf778625a0efca0fca55489f084b
	Issue introduced in 6.3 with commit fd8958efe8779d3db19c9124fce593ce681ac709 and fixed in 6.6.19 with commit a2fef1d81becf4ff60e1a249477464eae3c3bc2a
	Issue introduced in 6.3 with commit fd8958efe8779d3db19c9124fce593ce681ac709 and fixed in 6.7.7 with commit 9034a1bec35e9f725315a3bb6002ef39666114d9
	Issue introduced in 6.3 with commit fd8958efe8779d3db19c9124fce593ce681ac709 and fixed in 6.8 with commit e6f57c6881916df39db7d95981a8ad2b9c3458d6
	Issue introduced in 6.2.3 with commit 0ef9594936d1f078e8599a1cf683b052df2bec00

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26766
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/infiniband/hw/hfi1/sdma.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790
	https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5
	https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2
	https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39
	https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b
	https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a
	https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9
	https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6