cve/published/2024/CVE-2024-50001.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50001: net/mlx5: Fix error path in multi-packet WQE transmit

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net/mlx5: Fix error path in multi-packet WQE transmit

 Remove the erroneous unmap in case no DMA mapping was established

 The multi-packet WQE transmit code attempts to obtain a DMA mapping for
 the skb. This could fail, e.g. under memory pressure, when the IOMMU
 driver just can't allocate more memory for page tables. While the code
 tries to handle this in the path below the err_unmap label it erroneously
 unmaps one entry from the sq's FIFO list of active mappings. Since the
 current map attempt failed this unmap is removing some random DMA mapping
 that might still be required. If the PCI function now presents that IOVA,
 the IOMMU may assumes a rogue DMA access and e.g. on s390 puts the PCI
 function in error state.

 The erroneous behavior was seen in a stress-test environment that created
 memory pressure.

 The Linux kernel CVE team has assigned CVE-2024-50001 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10 with commit 5af75c747e2a868abbf8611494b50ed5e076fca7 and fixed in 5.10.227 with commit ca36d6c1a49b6965c86dd528a73f38bc62d9c625
 	Issue introduced in 5.10 with commit 5af75c747e2a868abbf8611494b50ed5e076fca7 and fixed in 5.15.168 with commit ce828b347cf1b3c1b12b091d02463c35ce5097f5
 	Issue introduced in 5.10 with commit 5af75c747e2a868abbf8611494b50ed5e076fca7 and fixed in 6.1.113 with commit fc357e78176945ca7bcacf92ab794b9ccd41b4f4
 	Issue introduced in 5.10 with commit 5af75c747e2a868abbf8611494b50ed5e076fca7 and fixed in 6.6.55 with commit 26fad69b34fcba80d5c7d9e651f628e6ac927754
 	Issue introduced in 5.10 with commit 5af75c747e2a868abbf8611494b50ed5e076fca7 and fixed in 6.10.14 with commit ecf310aaf256acbc8182189fe0aa1021c3ddef72
 	Issue introduced in 5.10 with commit 5af75c747e2a868abbf8611494b50ed5e076fca7 and fixed in 6.11.3 with commit 8bb8c12fb5e2b1f03d603d493c92941676f109b5
 	Issue introduced in 5.10 with commit 5af75c747e2a868abbf8611494b50ed5e076fca7 and fixed in 6.12 with commit 2bcae12c795f32ddfbf8c80d1b5f1d3286341c32

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50001
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/mellanox/mlx5/core/en_tx.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/ca36d6c1a49b6965c86dd528a73f38bc62d9c625
 	https://git.kernel.org/stable/c/ce828b347cf1b3c1b12b091d02463c35ce5097f5
 	https://git.kernel.org/stable/c/fc357e78176945ca7bcacf92ab794b9ccd41b4f4
 	https://git.kernel.org/stable/c/26fad69b34fcba80d5c7d9e651f628e6ac927754
 	https://git.kernel.org/stable/c/ecf310aaf256acbc8182189fe0aa1021c3ddef72
 	https://git.kernel.org/stable/c/8bb8c12fb5e2b1f03d603d493c92941676f109b5
 	https://git.kernel.org/stable/c/2bcae12c795f32ddfbf8c80d1b5f1d3286341c32
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50001: net/mlx5: Fix error path in multi-packet WQE transmit

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net/mlx5: Fix error path in multi-packet WQE transmit

	Remove the erroneous unmap in case no DMA mapping was established

	The multi-packet WQE transmit code attempts to obtain a DMA mapping for
	the skb. This could fail, e.g. under memory pressure, when the IOMMU
	driver just can't allocate more memory for page tables. While the code
	tries to handle this in the path below the err_unmap label it erroneously
	unmaps one entry from the sq's FIFO list of active mappings. Since the
	current map attempt failed this unmap is removing some random DMA mapping
	that might still be required. If the PCI function now presents that IOVA,
	the IOMMU may assumes a rogue DMA access and e.g. on s390 puts the PCI
	function in error state.

	The erroneous behavior was seen in a stress-test environment that created
	memory pressure.

	The Linux kernel CVE team has assigned CVE-2024-50001 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10 with commit 5af75c747e2a868abbf8611494b50ed5e076fca7 and fixed in 5.10.227 with commit ca36d6c1a49b6965c86dd528a73f38bc62d9c625
	Issue introduced in 5.10 with commit 5af75c747e2a868abbf8611494b50ed5e076fca7 and fixed in 5.15.168 with commit ce828b347cf1b3c1b12b091d02463c35ce5097f5
	Issue introduced in 5.10 with commit 5af75c747e2a868abbf8611494b50ed5e076fca7 and fixed in 6.1.113 with commit fc357e78176945ca7bcacf92ab794b9ccd41b4f4
	Issue introduced in 5.10 with commit 5af75c747e2a868abbf8611494b50ed5e076fca7 and fixed in 6.6.55 with commit 26fad69b34fcba80d5c7d9e651f628e6ac927754
	Issue introduced in 5.10 with commit 5af75c747e2a868abbf8611494b50ed5e076fca7 and fixed in 6.10.14 with commit ecf310aaf256acbc8182189fe0aa1021c3ddef72
	Issue introduced in 5.10 with commit 5af75c747e2a868abbf8611494b50ed5e076fca7 and fixed in 6.11.3 with commit 8bb8c12fb5e2b1f03d603d493c92941676f109b5
	Issue introduced in 5.10 with commit 5af75c747e2a868abbf8611494b50ed5e076fca7 and fixed in 6.12 with commit 2bcae12c795f32ddfbf8c80d1b5f1d3286341c32

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50001
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/mellanox/mlx5/core/en_tx.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/ca36d6c1a49b6965c86dd528a73f38bc62d9c625
	https://git.kernel.org/stable/c/ce828b347cf1b3c1b12b091d02463c35ce5097f5
	https://git.kernel.org/stable/c/fc357e78176945ca7bcacf92ab794b9ccd41b4f4
	https://git.kernel.org/stable/c/26fad69b34fcba80d5c7d9e651f628e6ac927754
	https://git.kernel.org/stable/c/ecf310aaf256acbc8182189fe0aa1021c3ddef72
	https://git.kernel.org/stable/c/8bb8c12fb5e2b1f03d603d493c92941676f109b5
	https://git.kernel.org/stable/c/2bcae12c795f32ddfbf8c80d1b5f1d3286341c32