Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-vulnerable / . / cve / published / 2023 / CVE-2023-53026.json
blob: b2fa5bc7fb98e3b85bc0df5a11ebd6e82db0d63a [file] [log] [blame]
{
"containers": {
"cna": {
"providerMetadata": {
"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
},
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Fix ib block iterator counter overflow\n\nWhen registering a new DMA MR after selecting the best aligned page size\nfor it, we iterate over the given sglist to split each entry to smaller,\naligned to the selected page size, DMA blocks.\n\nIn given circumstances where the sg entry and page size fit certain\nsizes and the sg entry is not aligned to the selected page size, the\ntotal size of the aligned pages we need to cover the sg entry is >= 4GB.\nUnder this circumstances, while iterating page aligned blocks, the\ncounter responsible for counting how much we advanced from the start of\nthe sg entry is overflowed because its type is u32 and we pass 4GB in\nsize. This can lead to an infinite loop inside the iterator function\nbecause the overflow prevents the counter to be larger\nthan the size of the sg entry.\n\nFix the presented problem by changing the advancement condition to\neliminate overflow.\n\nBacktrace:\n[ 192.374329] efa_reg_user_mr_dmabuf\n[ 192.376783] efa_register_mr\n[ 192.382579] pgsz_bitmap 0xfffff000 rounddown 0x80000000\n[ 192.386423] pg_sz [0x80000000] umem_length[0xc0000000]\n[ 192.392657] start 0x0 length 0xc0000000 params.page_shift 31 params.page_num 3\n[ 192.399559] hp_cnt[3], pages_in_hp[524288]\n[ 192.403690] umem->sgt_append.sgt.nents[1]\n[ 192.407905] number entries: [1], pg_bit: [31]\n[ 192.411397] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8]\n[ 192.415601] biter->__sg_advance [665837568] sg_dma_len[3221225472]\n[ 192.419823] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8]\n[ 192.423976] biter->__sg_advance [2813321216] sg_dma_len[3221225472]\n[ 192.428243] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8]\n[ 192.432397] biter->__sg_advance [665837568] sg_dma_len[3221225472]"
}
],
"affected": [
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/infiniband/core/verbs.c"
],
"versions": [
{
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"lessThan": "902063a9fea5f8252df392ade746bc9cfd07a5ae",
"status": "affected",
"versionType": "git"
},
{
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"lessThan": "d66c1d4178c219b6e7d7a6f714e3e3656faccc36",
"status": "affected",
"versionType": "git"
},
{
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"lessThan": "362c9489720b31b6aa7491423ba65a4e98aa9838",
"status": "affected",
"versionType": "git"
},
{
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"lessThan": "43811d07ea64366af8ec9e168c558ec51440c39e",
"status": "affected",
"versionType": "git"
},
{
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"lessThan": "0afec5e9cea732cb47014655685a2a47fb180c31",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/infiniband/core/verbs.c"
],
"versions": [
{
"version": "5.2",
"status": "affected"
},
{
"version": "0",
"lessThan": "5.2",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.4.231",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.10.166",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.15.91",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.1.9",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.2",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.2",
"versionEndExcluding": "5.4.231"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.2",
"versionEndExcluding": "5.10.166"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.2",
"versionEndExcluding": "5.15.91"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.2",
"versionEndExcluding": "6.1.9"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.2",
"versionEndExcluding": "6.2"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/902063a9fea5f8252df392ade746bc9cfd07a5ae"
},
{
"url": "https://git.kernel.org/stable/c/d66c1d4178c219b6e7d7a6f714e3e3656faccc36"
},
{
"url": "https://git.kernel.org/stable/c/362c9489720b31b6aa7491423ba65a4e98aa9838"
},
{
"url": "https://git.kernel.org/stable/c/43811d07ea64366af8ec9e168c558ec51440c39e"
},
{
"url": "https://git.kernel.org/stable/c/0afec5e9cea732cb47014655685a2a47fb180c31"
}
],
"title": "RDMA/core: Fix ib block iterator counter overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
"cveID": "CVE-2023-53026",
"requesterUserId": "gregkh@kernel.org",
"serial": "1",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}