| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-42145: IB/core: Implement a limit on UMAD receive List |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| IB/core: Implement a limit on UMAD receive List |
| |
| The existing behavior of ib_umad, which maintains received MAD |
| packets in an unbounded list, poses a risk of uncontrolled growth. |
| As user-space applications extract packets from this list, the rate |
| of extraction may not match the rate of incoming packets, leading |
| to potential list overflow. |
| |
| To address this, we introduce a limit to the size of the list. After |
| considering typical scenarios, such as OpenSM processing, which can |
| handle approximately 100k packets per second, and the 1-second retry |
| timeout for most packets, we set the list size limit to 200k. Packets |
| received beyond this limit are dropped, assuming they are likely timed |
| out by the time they are handled by user-space. |
| |
| Notably, packets queued on the receive list due to reasons like |
| timed-out sends are preserved even when the list is full. |
| |
| The Linux kernel CVE team has assigned CVE-2024-42145 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Fixed in 4.19.318 with commit 1288cf1cceb0e6df276e182f5412370fb4169bcb |
| Fixed in 5.4.280 with commit b4913702419d064ec4c4bbf7270643c95cc89a1b |
| Fixed in 5.10.222 with commit 62349fbf86b5e13b02721bdadf98c29afd1e7b5f |
| Fixed in 5.15.163 with commit d73cb8862e4d6760ccc94d3b57b9ef6271400607 |
| Fixed in 6.1.98 with commit 63d202d948bb6d3a28cd8e8b96b160fa53e18baa |
| Fixed in 6.6.39 with commit b8c5f635997f49c625178d1a0cb32a80ed33abe6 |
| Fixed in 6.9.9 with commit a6627fba793cc75b7365d9504a0095fb2902dda4 |
| Fixed in 6.10 with commit ca0b44e20a6f3032224599f02e7c8fb49525c894 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-42145 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| drivers/infiniband/core/user_mad.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/1288cf1cceb0e6df276e182f5412370fb4169bcb |
| https://git.kernel.org/stable/c/b4913702419d064ec4c4bbf7270643c95cc89a1b |
| https://git.kernel.org/stable/c/62349fbf86b5e13b02721bdadf98c29afd1e7b5f |
| https://git.kernel.org/stable/c/d73cb8862e4d6760ccc94d3b57b9ef6271400607 |
| https://git.kernel.org/stable/c/63d202d948bb6d3a28cd8e8b96b160fa53e18baa |
| https://git.kernel.org/stable/c/b8c5f635997f49c625178d1a0cb32a80ed33abe6 |
| https://git.kernel.org/stable/c/a6627fba793cc75b7365d9504a0095fb2902dda4 |
| https://git.kernel.org/stable/c/ca0b44e20a6f3032224599f02e7c8fb49525c894 |
