cve/published/2024/CVE-2024-44976.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-44976: ata: pata_macio: Fix DMA table overflow

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ata: pata_macio: Fix DMA table overflow

 Kolbjørn and Jonáš reported that their 32-bit PowerMacs were crashing
 in pata-macio since commit 09fe2bfa6b83 ("ata: pata_macio: Fix
 max_segment_size with PAGE_SIZE == 64K").

 For example:

   kernel BUG at drivers/ata/pata_macio.c:544!
   Oops: Exception in kernel mode, sig: 5 [#1]
   BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 DEBUG_PAGEALLOC PowerMac
   ...
   NIP pata_macio_qc_prep+0xf4/0x190
   LR  pata_macio_qc_prep+0xfc/0x190
   Call Trace:
     0xc1421660 (unreliable)
     ata_qc_issue+0x14c/0x2d4
     __ata_scsi_queuecmd+0x200/0x53c
     ata_scsi_queuecmd+0x50/0xe0
     scsi_queue_rq+0x788/0xb1c
     __blk_mq_issue_directly+0x58/0xf4
     blk_mq_plug_issue_direct+0x8c/0x1b4
     blk_mq_flush_plug_list.part.0+0x584/0x5e0
     __blk_flush_plug+0xf8/0x194
     __submit_bio+0x1b8/0x2e0
     submit_bio_noacct_nocheck+0x230/0x304
     btrfs_work_helper+0x200/0x338
     process_one_work+0x1a8/0x338
     worker_thread+0x364/0x4c0
     kthread+0x100/0x104
     start_kernel_thread+0x10/0x14

 That commit increased max_segment_size to 64KB, with the justification
 that the SCSI core was already using that size when PAGE_SIZE == 64KB,
 and that there was existing logic to split over-sized requests.

 However with a sufficiently large request, the splitting logic causes
 each sg to be split into two commands in the DMA table, leading to
 overflow of the DMA table, triggering the BUG_ON().

 With default settings the bug doesn't trigger, because the request size
 is limited by max_sectors_kb == 1280, however max_sectors_kb can be
 increased, and apparently some distros do that by default using udev
 rules.

 Fix the bug for 4KB kernels by reverting to the old max_segment_size.

 For 64KB kernels the sg_tablesize needs to be halved, to allow for the
 possibility that each sg will be split into two.

 The Linux kernel CVE team has assigned CVE-2024-44976 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.10 with commit 09fe2bfa6b83f865126ce3964744863f69a4a030 and fixed in 6.10.7 with commit 709e4c8f78e156ab332297bdd87527ec3da4e2d4
 	Issue introduced in 6.10 with commit 09fe2bfa6b83f865126ce3964744863f69a4a030 and fixed in 6.11 with commit 822c8020aebcf5804a143b891e34f29873fee5e2

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-44976
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/ata/pata_macio.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/709e4c8f78e156ab332297bdd87527ec3da4e2d4
 	https://git.kernel.org/stable/c/822c8020aebcf5804a143b891e34f29873fee5e2
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-44976: ata: pata_macio: Fix DMA table overflow

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ata: pata_macio: Fix DMA table overflow

	Kolbjørn and Jonáš reported that their 32-bit PowerMacs were crashing
	in pata-macio since commit 09fe2bfa6b83 ("ata: pata_macio: Fix
	max_segment_size with PAGE_SIZE == 64K").

	For example:

	kernel BUG at drivers/ata/pata_macio.c:544!
	Oops: Exception in kernel mode, sig: 5 [#1]
	BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 DEBUG_PAGEALLOC PowerMac
	...
	NIP pata_macio_qc_prep+0xf4/0x190
	LR pata_macio_qc_prep+0xfc/0x190
	Call Trace:
	0xc1421660 (unreliable)
	ata_qc_issue+0x14c/0x2d4
	__ata_scsi_queuecmd+0x200/0x53c
	ata_scsi_queuecmd+0x50/0xe0
	scsi_queue_rq+0x788/0xb1c
	__blk_mq_issue_directly+0x58/0xf4
	blk_mq_plug_issue_direct+0x8c/0x1b4
	blk_mq_flush_plug_list.part.0+0x584/0x5e0
	__blk_flush_plug+0xf8/0x194
	__submit_bio+0x1b8/0x2e0
	submit_bio_noacct_nocheck+0x230/0x304
	btrfs_work_helper+0x200/0x338
	process_one_work+0x1a8/0x338
	worker_thread+0x364/0x4c0
	kthread+0x100/0x104
	start_kernel_thread+0x10/0x14

	That commit increased max_segment_size to 64KB, with the justification
	that the SCSI core was already using that size when PAGE_SIZE == 64KB,
	and that there was existing logic to split over-sized requests.

	However with a sufficiently large request, the splitting logic causes
	each sg to be split into two commands in the DMA table, leading to
	overflow of the DMA table, triggering the BUG_ON().

	With default settings the bug doesn't trigger, because the request size
	is limited by max_sectors_kb == 1280, however max_sectors_kb can be
	increased, and apparently some distros do that by default using udev
	rules.

	Fix the bug for 4KB kernels by reverting to the old max_segment_size.

	For 64KB kernels the sg_tablesize needs to be halved, to allow for the
	possibility that each sg will be split into two.

	The Linux kernel CVE team has assigned CVE-2024-44976 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.10 with commit 09fe2bfa6b83f865126ce3964744863f69a4a030 and fixed in 6.10.7 with commit 709e4c8f78e156ab332297bdd87527ec3da4e2d4
	Issue introduced in 6.10 with commit 09fe2bfa6b83f865126ce3964744863f69a4a030 and fixed in 6.11 with commit 822c8020aebcf5804a143b891e34f29873fee5e2

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-44976
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/ata/pata_macio.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/709e4c8f78e156ab332297bdd87527ec3da4e2d4
	https://git.kernel.org/stable/c/822c8020aebcf5804a143b891e34f29873fee5e2