cve/published/2024/CVE-2024-38556.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-38556: net/mlx5: Add a timeout to acquire the command queue semaphore

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net/mlx5: Add a timeout to acquire the command queue semaphore

 Prevent forced completion handling on an entry that has not yet been
 assigned an index, causing an out of bounds access on idx = -22.
 Instead of waiting indefinitely for the sem, blocking flow now waits for
 index to be allocated or a sem acquisition timeout before beginning the
 timer for FW completion.

 Kernel log example:
 mlx5_core 0000:06:00.0: wait_func_handle_exec_timeout:1128:(pid 185911): cmd[-22]: CREATE_UCTX(0xa04) No done completion

 The Linux kernel CVE team has assigned CVE-2024-38556 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.17 with commit 8e715cd613a1e872b9d918e912d90b399785761a and fixed in 6.1.93 with commit 4baae687a20ef2b82fde12de3c04461e6f2521d6
 	Issue introduced in 5.17 with commit 8e715cd613a1e872b9d918e912d90b399785761a and fixed in 6.6.33 with commit f9caccdd42e999b74303c9b0643300073ed5d319
 	Issue introduced in 5.17 with commit 8e715cd613a1e872b9d918e912d90b399785761a and fixed in 6.8.12 with commit 2d0962d05c93de391ce85f6e764df895f47c8918
 	Issue introduced in 5.17 with commit 8e715cd613a1e872b9d918e912d90b399785761a and fixed in 6.9.3 with commit 94024332a129c6e4275569d85c0c1bfb2ae2d71b
 	Issue introduced in 5.17 with commit 8e715cd613a1e872b9d918e912d90b399785761a and fixed in 6.10 with commit 485d65e1357123a697c591a5aeb773994b247ad7
 	Issue introduced in 5.4.174 with commit 74dd45122b84479eee50bd0956ae8bc5799c9f8a
 	Issue introduced in 5.10.94 with commit e801f81cee3c8901f52ee48c6329802b28fbb49c
 	Issue introduced in 5.15.17 with commit d73d81447c6651904dd4a9e3fd88651ff174c1b7
 	Issue introduced in 5.16.3 with commit 4646175c19fd019b773444a11ff62748eb83745b

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-38556
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/mellanox/mlx5/core/cmd.c
 	include/linux/mlx5/driver.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/4baae687a20ef2b82fde12de3c04461e6f2521d6
 	https://git.kernel.org/stable/c/f9caccdd42e999b74303c9b0643300073ed5d319
 	https://git.kernel.org/stable/c/2d0962d05c93de391ce85f6e764df895f47c8918
 	https://git.kernel.org/stable/c/94024332a129c6e4275569d85c0c1bfb2ae2d71b
 	https://git.kernel.org/stable/c/485d65e1357123a697c591a5aeb773994b247ad7
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-38556: net/mlx5: Add a timeout to acquire the command queue semaphore

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net/mlx5: Add a timeout to acquire the command queue semaphore

	Prevent forced completion handling on an entry that has not yet been
	assigned an index, causing an out of bounds access on idx = -22.
	Instead of waiting indefinitely for the sem, blocking flow now waits for
	index to be allocated or a sem acquisition timeout before beginning the
	timer for FW completion.

	Kernel log example:
	mlx5_core 0000:06:00.0: wait_func_handle_exec_timeout:1128:(pid 185911): cmd[-22]: CREATE_UCTX(0xa04) No done completion

	The Linux kernel CVE team has assigned CVE-2024-38556 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.17 with commit 8e715cd613a1e872b9d918e912d90b399785761a and fixed in 6.1.93 with commit 4baae687a20ef2b82fde12de3c04461e6f2521d6
	Issue introduced in 5.17 with commit 8e715cd613a1e872b9d918e912d90b399785761a and fixed in 6.6.33 with commit f9caccdd42e999b74303c9b0643300073ed5d319
	Issue introduced in 5.17 with commit 8e715cd613a1e872b9d918e912d90b399785761a and fixed in 6.8.12 with commit 2d0962d05c93de391ce85f6e764df895f47c8918
	Issue introduced in 5.17 with commit 8e715cd613a1e872b9d918e912d90b399785761a and fixed in 6.9.3 with commit 94024332a129c6e4275569d85c0c1bfb2ae2d71b
	Issue introduced in 5.17 with commit 8e715cd613a1e872b9d918e912d90b399785761a and fixed in 6.10 with commit 485d65e1357123a697c591a5aeb773994b247ad7
	Issue introduced in 5.4.174 with commit 74dd45122b84479eee50bd0956ae8bc5799c9f8a
	Issue introduced in 5.10.94 with commit e801f81cee3c8901f52ee48c6329802b28fbb49c
	Issue introduced in 5.15.17 with commit d73d81447c6651904dd4a9e3fd88651ff174c1b7
	Issue introduced in 5.16.3 with commit 4646175c19fd019b773444a11ff62748eb83745b

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-38556
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/mellanox/mlx5/core/cmd.c
	include/linux/mlx5/driver.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/4baae687a20ef2b82fde12de3c04461e6f2521d6
	https://git.kernel.org/stable/c/f9caccdd42e999b74303c9b0643300073ed5d319
	https://git.kernel.org/stable/c/2d0962d05c93de391ce85f6e764df895f47c8918
	https://git.kernel.org/stable/c/94024332a129c6e4275569d85c0c1bfb2ae2d71b
	https://git.kernel.org/stable/c/485d65e1357123a697c591a5aeb773994b247ad7