cve/published/2023/CVE-2023-52745.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52745: IB/IPoIB: Fix legacy IPoIB due to wrong number of queues

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 IB/IPoIB: Fix legacy IPoIB due to wrong number of queues

 The cited commit creates child PKEY interfaces over netlink will
 multiple tx and rx queues, but some devices doesn't support more than 1
 tx and 1 rx queues. This causes to a crash when traffic is sent over the
 PKEY interface due to the parent having a single queue but the child
 having multiple queues.

 This patch fixes the number of queues to 1 for legacy IPoIB at the
 earliest possible point in time.

 BUG: kernel NULL pointer dereference, address: 000000000000036b
 PGD 0 P4D 0
 Oops: 0000 [#1] SMP
 CPU: 4 PID: 209665 Comm: python3 Not tainted 6.1.0_for_upstream_min_debug_2022_12_12_17_02 #1
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
 RIP: 0010:kmem_cache_alloc+0xcb/0x450
 Code: ce 7e 49 8b 50 08 49 83 78 10 00 4d 8b 28 0f 84 cb 02 00 00 4d 85 ed 0f 84 c2 02 00 00 41 8b 44 24 28 48 8d 4a
 01 49 8b 3c 24 <49> 8b 5c 05 00 4c 89 e8 65 48 0f c7 0f 0f 94 c0 84 c0 74 b8 41 8b
 RSP: 0018:ffff88822acbbab8 EFLAGS: 00010202
 RAX: 0000000000000070 RBX: ffff8881c28e3e00 RCX: 00000000064f8dae
 RDX: 00000000064f8dad RSI: 0000000000000a20 RDI: 0000000000030d00
 RBP: 0000000000000a20 R08: ffff8882f5d30d00 R09: ffff888104032f40
 R10: ffff88810fade828 R11: 736f6d6570736575 R12: ffff88810081c000
 R13: 00000000000002fb R14: ffffffff817fc865 R15: 0000000000000000
 FS:  00007f9324ff9700(0000) GS:ffff8882f5d00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 000000000000036b CR3: 00000001125af004 CR4: 0000000000370ea0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  <TASK>
  skb_clone+0x55/0xd0
  ip6_finish_output2+0x3fe/0x690
  ip6_finish_output+0xfa/0x310
  ip6_send_skb+0x1e/0x60
  udp_v6_send_skb+0x1e5/0x420
  udpv6_sendmsg+0xb3c/0xe60
  ? ip_mc_finish_output+0x180/0x180
  ? __switch_to_asm+0x3a/0x60
  ? __switch_to_asm+0x34/0x60
  sock_sendmsg+0x33/0x40
  __sys_sendto+0x103/0x160
  ? _copy_to_user+0x21/0x30
  ? kvm_clock_get_cycles+0xd/0x10
  ? ktime_get_ts64+0x49/0xe0
  __x64_sys_sendto+0x25/0x30
  do_syscall_64+0x3d/0x90
  entry_SYSCALL_64_after_hwframe+0x46/0xb0
 RIP: 0033:0x7f9374f1ed14
 Code: 42 41 f8 ff 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b
 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 68 41 f8 ff 48 8b
 RSP: 002b:00007f9324ff7bd0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
 RAX: ffffffffffffffda RBX: 00007f9324ff7cc8 RCX: 00007f9374f1ed14
 RDX: 00000000000002fb RSI: 00007f93000052f0 RDI: 0000000000000030
 RBP: 0000000000000000 R08: 00007f9324ff7d40 R09: 000000000000001c
 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
 R13: 000000012a05f200 R14: 0000000000000001 R15: 00007f9374d57bdc
  </TASK>

 The Linux kernel CVE team has assigned CVE-2023-52745 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.4.229 with commit d4bf3fcccd188db9f3310d93472041cdefba97bf and fixed in 5.4.232 with commit 4a779187db39b2f32d048a752573e56e4e77807f
 	Issue introduced in 5.10.163 with commit d21714134505bc23daa0455b295f3b63730b3b42 and fixed in 5.10.168 with commit b1afb666c32931667c15ad1b58e7203f0119dcaf
 	Issue introduced in 5.15.86 with commit ca48174a7643a7e6dd31c4338c5cde49552e138e and fixed in 5.15.94 with commit 1b4ef90cbcfa603b3bb536fbd6f261197012b6f6
 	Issue introduced in 6.1.2 with commit ee0e9b2c4b9c35837553124b4912230a7e7c7212 and fixed in 6.1.12 with commit 7197460dcd43ff0e4a502ba855dd82d37c2848cc
 	Issue introduced in 4.9.337 with commit 2aecfec735f16f99c059db956edfd95a32458d22
 	Issue introduced in 4.14.303 with commit 8fa3ee8ef185eb3e8be44f282721b05a03e6f888
 	Issue introduced in 4.19.270 with commit bc2f5760b47cba4a76be9371806f8f10fccf71a9
 	Issue introduced in 6.0.16 with commit bab775fa9c4f4b4da30c9cc99be4bec19fb01659

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52745
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/infiniband/ulp/ipoib/ipoib_main.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/4a779187db39b2f32d048a752573e56e4e77807f
 	https://git.kernel.org/stable/c/b1afb666c32931667c15ad1b58e7203f0119dcaf
 	https://git.kernel.org/stable/c/1b4ef90cbcfa603b3bb536fbd6f261197012b6f6
 	https://git.kernel.org/stable/c/7197460dcd43ff0e4a502ba855dd82d37c2848cc
 	https://git.kernel.org/stable/c/e632291a2dbce45a24cddeb5fe28fe71d724ba43
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52745: IB/IPoIB: Fix legacy IPoIB due to wrong number of queues

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	IB/IPoIB: Fix legacy IPoIB due to wrong number of queues

	The cited commit creates child PKEY interfaces over netlink will
	multiple tx and rx queues, but some devices doesn't support more than 1
	tx and 1 rx queues. This causes to a crash when traffic is sent over the
	PKEY interface due to the parent having a single queue but the child
	having multiple queues.

	This patch fixes the number of queues to 1 for legacy IPoIB at the
	earliest possible point in time.

	BUG: kernel NULL pointer dereference, address: 000000000000036b
	PGD 0 P4D 0
	Oops: 0000 [#1] SMP
	CPU: 4 PID: 209665 Comm: python3 Not tainted 6.1.0_for_upstream_min_debug_2022_12_12_17_02 #1
	Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
	RIP: 0010:kmem_cache_alloc+0xcb/0x450
	Code: ce 7e 49 8b 50 08 49 83 78 10 00 4d 8b 28 0f 84 cb 02 00 00 4d 85 ed 0f 84 c2 02 00 00 41 8b 44 24 28 48 8d 4a
	01 49 8b 3c 24 <49> 8b 5c 05 00 4c 89 e8 65 48 0f c7 0f 0f 94 c0 84 c0 74 b8 41 8b
	RSP: 0018:ffff88822acbbab8 EFLAGS: 00010202
	RAX: 0000000000000070 RBX: ffff8881c28e3e00 RCX: 00000000064f8dae
	RDX: 00000000064f8dad RSI: 0000000000000a20 RDI: 0000000000030d00
	RBP: 0000000000000a20 R08: ffff8882f5d30d00 R09: ffff888104032f40
	R10: ffff88810fade828 R11: 736f6d6570736575 R12: ffff88810081c000
	R13: 00000000000002fb R14: ffffffff817fc865 R15: 0000000000000000
	FS: 00007f9324ff9700(0000) GS:ffff8882f5d00000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 000000000000036b CR3: 00000001125af004 CR4: 0000000000370ea0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	<TASK>
	skb_clone+0x55/0xd0
	ip6_finish_output2+0x3fe/0x690
	ip6_finish_output+0xfa/0x310
	ip6_send_skb+0x1e/0x60
	udp_v6_send_skb+0x1e5/0x420
	udpv6_sendmsg+0xb3c/0xe60
	? ip_mc_finish_output+0x180/0x180
	? __switch_to_asm+0x3a/0x60
	? __switch_to_asm+0x34/0x60
	sock_sendmsg+0x33/0x40
	__sys_sendto+0x103/0x160
	? _copy_to_user+0x21/0x30
	? kvm_clock_get_cycles+0xd/0x10
	? ktime_get_ts64+0x49/0xe0
	__x64_sys_sendto+0x25/0x30
	do_syscall_64+0x3d/0x90
	entry_SYSCALL_64_after_hwframe+0x46/0xb0
	RIP: 0033:0x7f9374f1ed14
	Code: 42 41 f8 ff 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b
	7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 68 41 f8 ff 48 8b
	RSP: 002b:00007f9324ff7bd0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
	RAX: ffffffffffffffda RBX: 00007f9324ff7cc8 RCX: 00007f9374f1ed14
	RDX: 00000000000002fb RSI: 00007f93000052f0 RDI: 0000000000000030
	RBP: 0000000000000000 R08: 00007f9324ff7d40 R09: 000000000000001c
	R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
	R13: 000000012a05f200 R14: 0000000000000001 R15: 00007f9374d57bdc
	</TASK>

	The Linux kernel CVE team has assigned CVE-2023-52745 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.4.229 with commit d4bf3fcccd188db9f3310d93472041cdefba97bf and fixed in 5.4.232 with commit 4a779187db39b2f32d048a752573e56e4e77807f
	Issue introduced in 5.10.163 with commit d21714134505bc23daa0455b295f3b63730b3b42 and fixed in 5.10.168 with commit b1afb666c32931667c15ad1b58e7203f0119dcaf
	Issue introduced in 5.15.86 with commit ca48174a7643a7e6dd31c4338c5cde49552e138e and fixed in 5.15.94 with commit 1b4ef90cbcfa603b3bb536fbd6f261197012b6f6
	Issue introduced in 6.1.2 with commit ee0e9b2c4b9c35837553124b4912230a7e7c7212 and fixed in 6.1.12 with commit 7197460dcd43ff0e4a502ba855dd82d37c2848cc
	Issue introduced in 4.9.337 with commit 2aecfec735f16f99c059db956edfd95a32458d22
	Issue introduced in 4.14.303 with commit 8fa3ee8ef185eb3e8be44f282721b05a03e6f888
	Issue introduced in 4.19.270 with commit bc2f5760b47cba4a76be9371806f8f10fccf71a9
	Issue introduced in 6.0.16 with commit bab775fa9c4f4b4da30c9cc99be4bec19fb01659

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52745
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/infiniband/ulp/ipoib/ipoib_main.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/4a779187db39b2f32d048a752573e56e4e77807f
	https://git.kernel.org/stable/c/b1afb666c32931667c15ad1b58e7203f0119dcaf
	https://git.kernel.org/stable/c/1b4ef90cbcfa603b3bb536fbd6f261197012b6f6
	https://git.kernel.org/stable/c/7197460dcd43ff0e4a502ba855dd82d37c2848cc
	https://git.kernel.org/stable/c/e632291a2dbce45a24cddeb5fe28fe71d724ba43