cve/published/2024/CVE-2024-38544.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-38544: RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt

 In rxe_comp_queue_pkt() an incoming response packet skb is enqueued to the
 resp_pkts queue and then a decision is made whether to run the completer
 task inline or schedule it. Finally the skb is dereferenced to bump a 'hw'
 performance counter. This is wrong because if the completer task is
 already running in a separate thread it may have already processed the skb
 and freed it which can cause a seg fault.  This has been observed
 infrequently in testing at high scale.

 This patch fixes this by changing the order of enqueuing the packet until
 after the counter is accessed.

 The Linux kernel CVE team has assigned CVE-2024-38544 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.12 with commit 0b1e5b99a48b5b810e3e38f1d6e0d39306b99ec0 and fixed in 5.4.285 with commit c91fb72a2ca6480d8d77262eef52dc5b178463a3
 	Issue introduced in 4.12 with commit 0b1e5b99a48b5b810e3e38f1d6e0d39306b99ec0 and fixed in 5.10.227 with commit de5a059e36657442b5637cc16df5163e435b9cb4
 	Issue introduced in 4.12 with commit 0b1e5b99a48b5b810e3e38f1d6e0d39306b99ec0 and fixed in 5.15.168 with commit e0e14dd35d4242340c7346aac60c7ff8fbf87ffc
 	Issue introduced in 4.12 with commit 0b1e5b99a48b5b810e3e38f1d6e0d39306b99ec0 and fixed in 6.1.93 with commit faa8d0ecf6c9c7c2ace3ca3e552180ada6f75e19
 	Issue introduced in 4.12 with commit 0b1e5b99a48b5b810e3e38f1d6e0d39306b99ec0 and fixed in 6.6.33 with commit 21b4c6d4d89030fd4657a8e7c8110fd941049794
 	Issue introduced in 4.12 with commit 0b1e5b99a48b5b810e3e38f1d6e0d39306b99ec0 and fixed in 6.8.12 with commit bbad88f111a1829f366c189aa48e7e58e57553fc
 	Issue introduced in 4.12 with commit 0b1e5b99a48b5b810e3e38f1d6e0d39306b99ec0 and fixed in 6.9.3 with commit 30df4bef8b8e183333e9b6e9d4509d552c7da6eb
 	Issue introduced in 4.12 with commit 0b1e5b99a48b5b810e3e38f1d6e0d39306b99ec0 and fixed in 6.10 with commit 2b23b6097303ed0ba5f4bc036a1c07b6027af5c6

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-38544
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/infiniband/sw/rxe/rxe_comp.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/c91fb72a2ca6480d8d77262eef52dc5b178463a3
 	https://git.kernel.org/stable/c/de5a059e36657442b5637cc16df5163e435b9cb4
 	https://git.kernel.org/stable/c/e0e14dd35d4242340c7346aac60c7ff8fbf87ffc
 	https://git.kernel.org/stable/c/faa8d0ecf6c9c7c2ace3ca3e552180ada6f75e19
 	https://git.kernel.org/stable/c/21b4c6d4d89030fd4657a8e7c8110fd941049794
 	https://git.kernel.org/stable/c/bbad88f111a1829f366c189aa48e7e58e57553fc
 	https://git.kernel.org/stable/c/30df4bef8b8e183333e9b6e9d4509d552c7da6eb
 	https://git.kernel.org/stable/c/2b23b6097303ed0ba5f4bc036a1c07b6027af5c6
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-38544: RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt

	In rxe_comp_queue_pkt() an incoming response packet skb is enqueued to the
	resp_pkts queue and then a decision is made whether to run the completer
	task inline or schedule it. Finally the skb is dereferenced to bump a 'hw'
	performance counter. This is wrong because if the completer task is
	already running in a separate thread it may have already processed the skb
	and freed it which can cause a seg fault. This has been observed
	infrequently in testing at high scale.

	This patch fixes this by changing the order of enqueuing the packet until
	after the counter is accessed.

	The Linux kernel CVE team has assigned CVE-2024-38544 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.12 with commit 0b1e5b99a48b5b810e3e38f1d6e0d39306b99ec0 and fixed in 5.4.285 with commit c91fb72a2ca6480d8d77262eef52dc5b178463a3
	Issue introduced in 4.12 with commit 0b1e5b99a48b5b810e3e38f1d6e0d39306b99ec0 and fixed in 5.10.227 with commit de5a059e36657442b5637cc16df5163e435b9cb4
	Issue introduced in 4.12 with commit 0b1e5b99a48b5b810e3e38f1d6e0d39306b99ec0 and fixed in 5.15.168 with commit e0e14dd35d4242340c7346aac60c7ff8fbf87ffc
	Issue introduced in 4.12 with commit 0b1e5b99a48b5b810e3e38f1d6e0d39306b99ec0 and fixed in 6.1.93 with commit faa8d0ecf6c9c7c2ace3ca3e552180ada6f75e19
	Issue introduced in 4.12 with commit 0b1e5b99a48b5b810e3e38f1d6e0d39306b99ec0 and fixed in 6.6.33 with commit 21b4c6d4d89030fd4657a8e7c8110fd941049794
	Issue introduced in 4.12 with commit 0b1e5b99a48b5b810e3e38f1d6e0d39306b99ec0 and fixed in 6.8.12 with commit bbad88f111a1829f366c189aa48e7e58e57553fc
	Issue introduced in 4.12 with commit 0b1e5b99a48b5b810e3e38f1d6e0d39306b99ec0 and fixed in 6.9.3 with commit 30df4bef8b8e183333e9b6e9d4509d552c7da6eb
	Issue introduced in 4.12 with commit 0b1e5b99a48b5b810e3e38f1d6e0d39306b99ec0 and fixed in 6.10 with commit 2b23b6097303ed0ba5f4bc036a1c07b6027af5c6

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-38544
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/infiniband/sw/rxe/rxe_comp.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/c91fb72a2ca6480d8d77262eef52dc5b178463a3
	https://git.kernel.org/stable/c/de5a059e36657442b5637cc16df5163e435b9cb4
	https://git.kernel.org/stable/c/e0e14dd35d4242340c7346aac60c7ff8fbf87ffc
	https://git.kernel.org/stable/c/faa8d0ecf6c9c7c2ace3ca3e552180ada6f75e19
	https://git.kernel.org/stable/c/21b4c6d4d89030fd4657a8e7c8110fd941049794
	https://git.kernel.org/stable/c/bbad88f111a1829f366c189aa48e7e58e57553fc
	https://git.kernel.org/stable/c/30df4bef8b8e183333e9b6e9d4509d552c7da6eb
	https://git.kernel.org/stable/c/2b23b6097303ed0ba5f4bc036a1c07b6027af5c6