| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-26907: RDMA/mlx5: Fix fortify source warning while accessing Eth segment |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| RDMA/mlx5: Fix fortify source warning while accessing Eth segment |
| |
| ------------[ cut here ]------------ |
| memcpy: detected field-spanning write (size 56) of single field "eseg->inline_hdr.start" at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 (size 2) |
| WARNING: CPU: 0 PID: 293779 at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] |
| Modules linked in: 8021q garp mrp stp llc rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) ib_core(OE) mlx5_core(OE) pci_hyperv_intf mlxdevm(OE) mlx_compat(OE) tls mlxfw(OE) psample nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink mst_pciconf(OE) knem(OE) vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd irqbypass cuse nfsv3 nfs fscache netfs xfrm_user xfrm_algo ipmi_devintf ipmi_msghandler binfmt_misc crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 snd_pcsp aesni_intel crypto_simd cryptd snd_pcm snd_timer joydev snd soundcore input_leds serio_raw evbug nfsd auth_rpcgss nfs_acl lockd grace sch_fq_codel sunrpc drm efi_pstore ip_tables x_tables autofs4 psmouse virtio_net net_failover failover floppy |
| [last unloaded: mlx_compat(OE)] |
| CPU: 0 PID: 293779 Comm: ssh Tainted: G OE 6.2.0-32-generic #32~22.04.1-Ubuntu |
| Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 |
| RIP: 0010:mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] |
| Code: 0c 01 00 a8 01 75 25 48 8b 75 a0 b9 02 00 00 00 48 c7 c2 10 5b fd c0 48 c7 c7 80 5b fd c0 c6 05 57 0c 03 00 01 e8 95 4d 93 da <0f> 0b 44 8b 4d b0 4c 8b 45 c8 48 8b 4d c0 e9 49 fb ff ff 41 0f b7 |
| RSP: 0018:ffffb5b48478b570 EFLAGS: 00010046 |
| RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 |
| RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 |
| RBP: ffffb5b48478b628 R08: 0000000000000000 R09: 0000000000000000 |
| R10: 0000000000000000 R11: 0000000000000000 R12: ffffb5b48478b5e8 |
| R13: ffff963a3c609b5e R14: ffff9639c3fbd800 R15: ffffb5b480475a80 |
| FS: 00007fc03b444c80(0000) GS:ffff963a3dc00000(0000) knlGS:0000000000000000 |
| CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 |
| CR2: 0000556f46bdf000 CR3: 0000000006ac6003 CR4: 00000000003706f0 |
| DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 |
| DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 |
| Call Trace: |
| <TASK> |
| ? show_regs+0x72/0x90 |
| ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] |
| ? __warn+0x8d/0x160 |
| ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] |
| ? report_bug+0x1bb/0x1d0 |
| ? handle_bug+0x46/0x90 |
| ? exc_invalid_op+0x19/0x80 |
| ? asm_exc_invalid_op+0x1b/0x20 |
| ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] |
| mlx5_ib_post_send_nodrain+0xb/0x20 [mlx5_ib] |
| ipoib_send+0x2ec/0x770 [ib_ipoib] |
| ipoib_start_xmit+0x5a0/0x770 [ib_ipoib] |
| dev_hard_start_xmit+0x8e/0x1e0 |
| ? validate_xmit_skb_list+0x4d/0x80 |
| sch_direct_xmit+0x116/0x3a0 |
| __dev_xmit_skb+0x1fd/0x580 |
| __dev_queue_xmit+0x284/0x6b0 |
| ? _raw_spin_unlock_irq+0xe/0x50 |
| ? __flush_work.isra.0+0x20d/0x370 |
| ? push_pseudo_header+0x17/0x40 [ib_ipoib] |
| neigh_connected_output+0xcd/0x110 |
| ip_finish_output2+0x179/0x480 |
| ? __smp_call_single_queue+0x61/0xa0 |
| __ip_finish_output+0xc3/0x190 |
| ip_finish_output+0x2e/0xf0 |
| ip_output+0x78/0x110 |
| ? __pfx_ip_finish_output+0x10/0x10 |
| ip_local_out+0x64/0x70 |
| __ip_queue_xmit+0x18a/0x460 |
| ip_queue_xmit+0x15/0x30 |
| __tcp_transmit_skb+0x914/0x9c0 |
| tcp_write_xmit+0x334/0x8d0 |
| tcp_push_one+0x3c/0x60 |
| tcp_sendmsg_locked+0x2e1/0xac0 |
| tcp_sendmsg+0x2d/0x50 |
| inet_sendmsg+0x43/0x90 |
| sock_sendmsg+0x68/0x80 |
| sock_write_iter+0x93/0x100 |
| vfs_write+0x326/0x3c0 |
| ksys_write+0xbd/0xf0 |
| ? do_syscall_64+0x69/0x90 |
| __x64_sys_write+0x19/0x30 |
| do_syscall_64+0x59/0x90 |
| ? do_user_addr_fault+0x1d0/0x640 |
| ? exit_to_user_mode_prepare+0x3b/0xd0 |
| ? irqentry_exit_to_user_mode+0x9/0x20 |
| ? irqentry_exit+0x43/0x50 |
| ? exc_page_fault+0x92/0x1b0 |
| entry_SYSCALL_64_after_hwframe+0x72/0xdc |
| RIP: 0033:0x7fc03ad14a37 |
| Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 |
| RSP: 002b:00007ffdf8697fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 |
| RAX: ffffffffffffffda RBX: 0000000000008024 RCX: 00007fc03ad14a37 |
| RDX: 0000000000008024 RSI: 0000556f46bd8270 RDI: 0000000000000003 |
| RBP: 0000556f46bb1800 R08: 0000000000007fe3 R09: 0000000000000000 |
| R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002 |
| R13: 0000556f46bc66b0 R14: 000000000000000a R15: 0000556f46bb2f50 |
| </TASK> |
| ---[ end trace 0000000000000000 ]--- |
| |
| The Linux kernel CVE team has assigned CVE-2024-26907 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Fixed in 5.10.214 with commit d27c48dc309da72c3b46351a1205d89687272baa |
| Fixed in 5.15.153 with commit 60ba938a8bc8c90e724c75f98e932f9fb7ae1b9d |
| Fixed in 6.1.83 with commit cad82f1671e41094acd3b9a60cd27d67a3c64a21 |
| Fixed in 6.6.23 with commit 9a624a5f95733bac4648ecadb320ca83aa9c08fd |
| Fixed in 6.7.11 with commit 185fa07000e0a81d54cf8c05414cebff14469a5c |
| Fixed in 6.8 with commit 4d5e86a56615cc387d21c629f9af8fb0e958d350 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-26907 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| drivers/infiniband/hw/mlx5/wr.c |
| include/linux/mlx5/qp.h |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/d27c48dc309da72c3b46351a1205d89687272baa |
| https://git.kernel.org/stable/c/60ba938a8bc8c90e724c75f98e932f9fb7ae1b9d |
| https://git.kernel.org/stable/c/cad82f1671e41094acd3b9a60cd27d67a3c64a21 |
| https://git.kernel.org/stable/c/9a624a5f95733bac4648ecadb320ca83aa9c08fd |
| https://git.kernel.org/stable/c/185fa07000e0a81d54cf8c05414cebff14469a5c |
| https://git.kernel.org/stable/c/4d5e86a56615cc387d21c629f9af8fb0e958d350 |
