cve/published/2022/CVE-2022-49722.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49722: ice: Fix memory corruption in VF driver

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ice: Fix memory corruption in VF driver

 Disable VF's RX/TX queues, when it's disabled. VF can have queues enabled,
 when it requests a reset. If PF driver assumes that VF is disabled,
 while VF still has queues configured, VF may unmap DMA resources.
 In such scenario device still can map packets to memory, which ends up
 silently corrupting it.
 Previously, VF driver could experience memory corruption, which lead to
 crash:
 [ 5119.170157] BUG: unable to handle kernel paging request at 00001b9780003237
 [ 5119.170166] PGD 0 P4D 0
 [ 5119.170173] Oops: 0002 [#1] PREEMPT_RT SMP PTI
 [ 5119.170181] CPU: 30 PID: 427592 Comm: kworker/u96:2 Kdump: loaded Tainted: G        W I      --------- -  - 4.18.0-372.9.1.rt7.166.el8.x86_64 #1
 [ 5119.170189] Hardware name: Dell Inc. PowerEdge R740/014X06, BIOS 2.3.10 08/15/2019
 [ 5119.170193] Workqueue: iavf iavf_adminq_task [iavf]
 [ 5119.170219] RIP: 0010:__page_frag_cache_drain+0x5/0x30
 [ 5119.170238] Code: 0f 0f b6 77 51 85 f6 74 07 31 d2 e9 05 df ff ff e9 90 fe ff ff 48 8b 05 49 db 33 01 eb b4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 <f0> 29 77 34 74 01 c3 48 8b 07 f6 c4 80 74 0f 0f b6 77 51 85 f6 74
 [ 5119.170244] RSP: 0018:ffffa43b0bdcfd78 EFLAGS: 00010282
 [ 5119.170250] RAX: ffffffff896b3e40 RBX: ffff8fb282524000 RCX: 0000000000000002
 [ 5119.170254] RDX: 0000000049000000 RSI: 0000000000000000 RDI: 00001b9780003203
 [ 5119.170259] RBP: ffff8fb248217b00 R08: 0000000000000022 R09: 0000000000000009
 [ 5119.170262] R10: 2b849d6300000000 R11: 0000000000000020 R12: 0000000000000000
 [ 5119.170265] R13: 0000000000001000 R14: 0000000000000009 R15: 0000000000000000
 [ 5119.170269] FS:  0000000000000000(0000) GS:ffff8fb1201c0000(0000) knlGS:0000000000000000
 [ 5119.170274] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [ 5119.170279] CR2: 00001b9780003237 CR3: 00000008f3e1a003 CR4: 00000000007726e0
 [ 5119.170283] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 [ 5119.170286] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 [ 5119.170290] PKRU: 55555554
 [ 5119.170292] Call Trace:
 [ 5119.170298]  iavf_clean_rx_ring+0xad/0x110 [iavf]
 [ 5119.170324]  iavf_free_rx_resources+0xe/0x50 [iavf]
 [ 5119.170342]  iavf_free_all_rx_resources.part.51+0x30/0x40 [iavf]
 [ 5119.170358]  iavf_virtchnl_completion+0xd8a/0x15b0 [iavf]
 [ 5119.170377]  ? iavf_clean_arq_element+0x210/0x280 [iavf]
 [ 5119.170397]  iavf_adminq_task+0x126/0x2e0 [iavf]
 [ 5119.170416]  process_one_work+0x18f/0x420
 [ 5119.170429]  worker_thread+0x30/0x370
 [ 5119.170437]  ? process_one_work+0x420/0x420
 [ 5119.170445]  kthread+0x151/0x170
 [ 5119.170452]  ? set_kthread_struct+0x40/0x40
 [ 5119.170460]  ret_from_fork+0x35/0x40
 [ 5119.170477] Modules linked in: iavf sctp ip6_udp_tunnel udp_tunnel mlx4_en mlx4_core nfp tls vhost_net vhost vhost_iotlb tap tun xt_CHECKSUM ipt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink bridge stp llc rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache sunrpc intel_rapl_msr iTCO_wdt iTCO_vendor_support dell_smbios wmi_bmof dell_wmi_descriptor dcdbas kvm_intel kvm irqbypass intel_rapl_common isst_if_common skx_edac irdma nfit libnvdimm x86_pkg_temp_thermal i40e intel_powerclamp coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel ib_uverbs rapl ipmi_ssif intel_cstate intel_uncore mei_me pcspkr acpi_ipmi ib_core mei lpc_ich i2c_i801 ipmi_si ipmi_devintf wmi ipmi_msghandler acpi_power_meter xfs libcrc32c sd_mod t10_pi sg mgag200 drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ice ahci drm libahci crc32c_intel libata tg3 megaraid_sas
 [ 5119.170613]  i2c_algo_bit dm_mirror dm_region_hash dm_log dm_mod fuse [last unloaded: iavf]
 [ 5119.170627] CR2: 00001b9780003237

 The Linux kernel CVE team has assigned CVE-2022-49722 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.5 with commit ec4f5a436bdf0e5453ad15c4f34a59b9b675ff48 and fixed in 5.18.6 with commit 1bb8253b1dd44cf004e12c333acc6f25ee286cf3
 	Issue introduced in 5.5 with commit ec4f5a436bdf0e5453ad15c4f34a59b9b675ff48 and fixed in 5.19 with commit efe41860008e57fb6b69855b4b93fdf34bc42798

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49722
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/intel/ice/ice_vf_lib.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/1bb8253b1dd44cf004e12c333acc6f25ee286cf3
 	https://git.kernel.org/stable/c/efe41860008e57fb6b69855b4b93fdf34bc42798
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49722: ice: Fix memory corruption in VF driver

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ice: Fix memory corruption in VF driver

	Disable VF's RX/TX queues, when it's disabled. VF can have queues enabled,
	when it requests a reset. If PF driver assumes that VF is disabled,
	while VF still has queues configured, VF may unmap DMA resources.
	In such scenario device still can map packets to memory, which ends up
	silently corrupting it.
	Previously, VF driver could experience memory corruption, which lead to
	crash:
	[ 5119.170157] BUG: unable to handle kernel paging request at 00001b9780003237
	[ 5119.170166] PGD 0 P4D 0
	[ 5119.170173] Oops: 0002 [#1] PREEMPT_RT SMP PTI
	[ 5119.170181] CPU: 30 PID: 427592 Comm: kworker/u96:2 Kdump: loaded Tainted: G W I --------- - - 4.18.0-372.9.1.rt7.166.el8.x86_64 #1
	[ 5119.170189] Hardware name: Dell Inc. PowerEdge R740/014X06, BIOS 2.3.10 08/15/2019
	[ 5119.170193] Workqueue: iavf iavf_adminq_task [iavf]
	[ 5119.170219] RIP: 0010:__page_frag_cache_drain+0x5/0x30
	[ 5119.170238] Code: 0f 0f b6 77 51 85 f6 74 07 31 d2 e9 05 df ff ff e9 90 fe ff ff 48 8b 05 49 db 33 01 eb b4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 <f0> 29 77 34 74 01 c3 48 8b 07 f6 c4 80 74 0f 0f b6 77 51 85 f6 74
	[ 5119.170244] RSP: 0018:ffffa43b0bdcfd78 EFLAGS: 00010282
	[ 5119.170250] RAX: ffffffff896b3e40 RBX: ffff8fb282524000 RCX: 0000000000000002
	[ 5119.170254] RDX: 0000000049000000 RSI: 0000000000000000 RDI: 00001b9780003203
	[ 5119.170259] RBP: ffff8fb248217b00 R08: 0000000000000022 R09: 0000000000000009
	[ 5119.170262] R10: 2b849d6300000000 R11: 0000000000000020 R12: 0000000000000000
	[ 5119.170265] R13: 0000000000001000 R14: 0000000000000009 R15: 0000000000000000
	[ 5119.170269] FS: 0000000000000000(0000) GS:ffff8fb1201c0000(0000) knlGS:0000000000000000
	[ 5119.170274] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[ 5119.170279] CR2: 00001b9780003237 CR3: 00000008f3e1a003 CR4: 00000000007726e0
	[ 5119.170283] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	[ 5119.170286] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	[ 5119.170290] PKRU: 55555554
	[ 5119.170292] Call Trace:
	[ 5119.170298] iavf_clean_rx_ring+0xad/0x110 [iavf]
	[ 5119.170324] iavf_free_rx_resources+0xe/0x50 [iavf]
	[ 5119.170342] iavf_free_all_rx_resources.part.51+0x30/0x40 [iavf]
	[ 5119.170358] iavf_virtchnl_completion+0xd8a/0x15b0 [iavf]
	[ 5119.170377] ? iavf_clean_arq_element+0x210/0x280 [iavf]
	[ 5119.170397] iavf_adminq_task+0x126/0x2e0 [iavf]
	[ 5119.170416] process_one_work+0x18f/0x420
	[ 5119.170429] worker_thread+0x30/0x370
	[ 5119.170437] ? process_one_work+0x420/0x420
	[ 5119.170445] kthread+0x151/0x170
	[ 5119.170452] ? set_kthread_struct+0x40/0x40
	[ 5119.170460] ret_from_fork+0x35/0x40
	[ 5119.170477] Modules linked in: iavf sctp ip6_udp_tunnel udp_tunnel mlx4_en mlx4_core nfp tls vhost_net vhost vhost_iotlb tap tun xt_CHECKSUM ipt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink bridge stp llc rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache sunrpc intel_rapl_msr iTCO_wdt iTCO_vendor_support dell_smbios wmi_bmof dell_wmi_descriptor dcdbas kvm_intel kvm irqbypass intel_rapl_common isst_if_common skx_edac irdma nfit libnvdimm x86_pkg_temp_thermal i40e intel_powerclamp coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel ib_uverbs rapl ipmi_ssif intel_cstate intel_uncore mei_me pcspkr acpi_ipmi ib_core mei lpc_ich i2c_i801 ipmi_si ipmi_devintf wmi ipmi_msghandler acpi_power_meter xfs libcrc32c sd_mod t10_pi sg mgag200 drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ice ahci drm libahci crc32c_intel libata tg3 megaraid_sas
	[ 5119.170613] i2c_algo_bit dm_mirror dm_region_hash dm_log dm_mod fuse [last unloaded: iavf]
	[ 5119.170627] CR2: 00001b9780003237

	The Linux kernel CVE team has assigned CVE-2022-49722 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.5 with commit ec4f5a436bdf0e5453ad15c4f34a59b9b675ff48 and fixed in 5.18.6 with commit 1bb8253b1dd44cf004e12c333acc6f25ee286cf3
	Issue introduced in 5.5 with commit ec4f5a436bdf0e5453ad15c4f34a59b9b675ff48 and fixed in 5.19 with commit efe41860008e57fb6b69855b4b93fdf34bc42798

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49722
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/intel/ice/ice_vf_lib.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/1bb8253b1dd44cf004e12c333acc6f25ee286cf3
	https://git.kernel.org/stable/c/efe41860008e57fb6b69855b4b93fdf34bc42798