cve/published/2024/CVE-2024-53058.json - pub/scm/linux/security/vulns - Git at Google

 {
    "containers": {
       "cna": {
          "providerMetadata": {
             "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
          },
          "descriptions": [
             {
                "lang": "en",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data\n\nIn case the non-paged data of a SKB carries protocol header and protocol\npayload to be transmitted on a certain platform that the DMA AXI address\nwidth is configured to 40-bit/48-bit, or the size of the non-paged data\nis bigger than TSO_MAX_BUFF_SIZE on a certain platform that the DMA AXI\naddress width is configured to 32-bit, then this SKB requires at least\ntwo DMA transmit descriptors to serve it.\n\nFor example, three descriptors are allocated to split one DMA buffer\nmapped from one piece of non-paged data:\n    dma_desc[N + 0],\n    dma_desc[N + 1],\n    dma_desc[N + 2].\nThen three elements of tx_q->tx_skbuff_dma[] will be allocated to hold\nextra information to be reused in stmmac_tx_clean():\n    tx_q->tx_skbuff_dma[N + 0],\n    tx_q->tx_skbuff_dma[N + 1],\n    tx_q->tx_skbuff_dma[N + 2].\nNow we focus on tx_q->tx_skbuff_dma[entry].buf, which is the DMA buffer\naddress returned by DMA mapping call. stmmac_tx_clean() will try to\nunmap the DMA buffer _ONLY_IF_ tx_q->tx_skbuff_dma[entry].buf\nis a valid buffer address.\n\nThe expected behavior that saves DMA buffer address of this non-paged\ndata to tx_q->tx_skbuff_dma[entry].buf is:\n    tx_q->tx_skbuff_dma[N + 0].buf = NULL;\n    tx_q->tx_skbuff_dma[N + 1].buf = NULL;\n    tx_q->tx_skbuff_dma[N + 2].buf = dma_map_single();\nUnfortunately, the current code misbehaves like this:\n    tx_q->tx_skbuff_dma[N + 0].buf = dma_map_single();\n    tx_q->tx_skbuff_dma[N + 1].buf = NULL;\n    tx_q->tx_skbuff_dma[N + 2].buf = NULL;\n\nOn the stmmac_tx_clean() side, when dma_desc[N + 0] is closed by the\nDMA engine, tx_q->tx_skbuff_dma[N + 0].buf is a valid buffer address\nobviously, then the DMA buffer will be unmapped immediately.\nThere may be a rare case that the DMA engine does not finish the\npending dma_desc[N + 1], dma_desc[N + 2] yet. Now things will go\nhorribly wrong, DMA is going to access a unmapped/unreferenced memory\nregion, corrupted data will be transmited or iommu fault will be\ntriggered :(\n\nIn contrast, the for-loop that maps SKB fragments behaves perfectly\nas expected, and that is how the driver should do for both non-paged\ndata and paged frags actually.\n\nThis patch corrects DMA map/unmap sequences by fixing the array index\nfor tx_q->tx_skbuff_dma[entry].buf when assigning DMA buffer address.\n\nTested and verified on DWXGMAC CORE 3.20a"
             }
          ],
          "affected": [
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "unaffected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
                ],
                "versions": [
                   {
                      "version": "f748be531d7012c456b97f66091d86b3675c5fef",
                      "lessThan": "ece593fc9c00741b682869d3f3dc584d37b7c9df",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "f748be531d7012c456b97f66091d86b3675c5fef",
                      "lessThan": "a3ff23f7c3f0e13f718900803e090fd3997d6bc9",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "f748be531d7012c456b97f66091d86b3675c5fef",
                      "lessThan": "07c9c26e37542486e34d767505e842f48f29c3f6",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "f748be531d7012c456b97f66091d86b3675c5fef",
                      "lessThan": "58d23d835eb498336716cca55b5714191a309286",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "f748be531d7012c456b97f66091d86b3675c5fef",
                      "lessThan": "66600fac7a984dea4ae095411f644770b2561ede",
                      "status": "affected",
                      "versionType": "git"
                   }
                ]
             },
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "affected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
                ],
                "versions": [
                   {
                      "version": "4.7",
                      "status": "affected"
                   },
                   {
                      "version": "0",
                      "lessThan": "4.7",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.15.171",
                      "lessThanOrEqual": "5.15.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.1.116",
                      "lessThanOrEqual": "6.1.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.6.60",
                      "lessThanOrEqual": "6.6.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.11.7",
                      "lessThanOrEqual": "6.11.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.12",
                      "lessThanOrEqual": "*",
                      "status": "unaffected",
                      "versionType": "original_commit_for_fix"
                   }
                ]
             }
          ],
          "cpeApplicability": [
             {
                "nodes": [
                   {
                      "operator": "OR",
                      "negate": false,
                      "cpeMatch": [
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "4.7",
                            "versionEndExcluding": "5.15.171"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "4.7",
                            "versionEndExcluding": "6.1.116"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "4.7",
                            "versionEndExcluding": "6.6.60"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "4.7",
                            "versionEndExcluding": "6.11.7"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "4.7",
                            "versionEndExcluding": "6.12"
                         }
                      ]
                   }
                ]
             }
          ],
          "references": [
             {
                "url": "https://git.kernel.org/stable/c/ece593fc9c00741b682869d3f3dc584d37b7c9df"
             },
             {
                "url": "https://git.kernel.org/stable/c/a3ff23f7c3f0e13f718900803e090fd3997d6bc9"
             },
             {
                "url": "https://git.kernel.org/stable/c/07c9c26e37542486e34d767505e842f48f29c3f6"
             },
             {
                "url": "https://git.kernel.org/stable/c/58d23d835eb498336716cca55b5714191a309286"
             },
             {
                "url": "https://git.kernel.org/stable/c/66600fac7a984dea4ae095411f644770b2561ede"
             }
          ],
          "title": "net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data",
          "x_generator": {
             "engine": "bippy-1.2.0"
          }
       }
    },
    "cveMetadata": {
       "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
       "cveID": "CVE-2024-53058",
       "requesterUserId": "gregkh@kernel.org",
       "serial": "1",
       "state": "PUBLISHED"
    },
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0"
 }
	{
	"containers": {
	"cna": {
	"providerMetadata": {
	"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
	},
	"descriptions": [
	{
	"lang": "en",
	"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data\n\nIn case the non-paged data of a SKB carries protocol header and protocol\npayload to be transmitted on a certain platform that the DMA AXI address\nwidth is configured to 40-bit/48-bit, or the size of the non-paged data\nis bigger than TSO_MAX_BUFF_SIZE on a certain platform that the DMA AXI\naddress width is configured to 32-bit, then this SKB requires at least\ntwo DMA transmit descriptors to serve it.\n\nFor example, three descriptors are allocated to split one DMA buffer\nmapped from one piece of non-paged data:\n dma_desc[N + 0],\n dma_desc[N + 1],\n dma_desc[N + 2].\nThen three elements of tx_q->tx_skbuff_dma[] will be allocated to hold\nextra information to be reused in stmmac_tx_clean():\n tx_q->tx_skbuff_dma[N + 0],\n tx_q->tx_skbuff_dma[N + 1],\n tx_q->tx_skbuff_dma[N + 2].\nNow we focus on tx_q->tx_skbuff_dma[entry].buf, which is the DMA buffer\naddress returned by DMA mapping call. stmmac_tx_clean() will try to\nunmap the DMA buffer _ONLY_IF_ tx_q->tx_skbuff_dma[entry].buf\nis a valid buffer address.\n\nThe expected behavior that saves DMA buffer address of this non-paged\ndata to tx_q->tx_skbuff_dma[entry].buf is:\n tx_q->tx_skbuff_dma[N + 0].buf = NULL;\n tx_q->tx_skbuff_dma[N + 1].buf = NULL;\n tx_q->tx_skbuff_dma[N + 2].buf = dma_map_single();\nUnfortunately, the current code misbehaves like this:\n tx_q->tx_skbuff_dma[N + 0].buf = dma_map_single();\n tx_q->tx_skbuff_dma[N + 1].buf = NULL;\n tx_q->tx_skbuff_dma[N + 2].buf = NULL;\n\nOn the stmmac_tx_clean() side, when dma_desc[N + 0] is closed by the\nDMA engine, tx_q->tx_skbuff_dma[N + 0].buf is a valid buffer address\nobviously, then the DMA buffer will be unmapped immediately.\nThere may be a rare case that the DMA engine does not finish the\npending dma_desc[N + 1], dma_desc[N + 2] yet. Now things will go\nhorribly wrong, DMA is going to access a unmapped/unreferenced memory\nregion, corrupted data will be transmited or iommu fault will be\ntriggered :(\n\nIn contrast, the for-loop that maps SKB fragments behaves perfectly\nas expected, and that is how the driver should do for both non-paged\ndata and paged frags actually.\n\nThis patch corrects DMA map/unmap sequences by fixing the array index\nfor tx_q->tx_skbuff_dma[entry].buf when assigning DMA buffer address.\n\nTested and verified on DWXGMAC CORE 3.20a"
	}
	],
	"affected": [
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "unaffected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
	],
	"versions": [
	{
	"version": "f748be531d7012c456b97f66091d86b3675c5fef",
	"lessThan": "ece593fc9c00741b682869d3f3dc584d37b7c9df",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "f748be531d7012c456b97f66091d86b3675c5fef",
	"lessThan": "a3ff23f7c3f0e13f718900803e090fd3997d6bc9",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "f748be531d7012c456b97f66091d86b3675c5fef",
	"lessThan": "07c9c26e37542486e34d767505e842f48f29c3f6",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "f748be531d7012c456b97f66091d86b3675c5fef",
	"lessThan": "58d23d835eb498336716cca55b5714191a309286",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "f748be531d7012c456b97f66091d86b3675c5fef",
	"lessThan": "66600fac7a984dea4ae095411f644770b2561ede",
	"status": "affected",
	"versionType": "git"
	}
	]
	},
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "affected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
	],
	"versions": [
	{
	"version": "4.7",
	"status": "affected"
	},
	{
	"version": "0",
	"lessThan": "4.7",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.15.171",
	"lessThanOrEqual": "5.15.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.1.116",
	"lessThanOrEqual": "6.1.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.6.60",
	"lessThanOrEqual": "6.6.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.11.7",
	"lessThanOrEqual": "6.11.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.12",
	"lessThanOrEqual": "*",
	"status": "unaffected",
	"versionType": "original_commit_for_fix"
	}
	]
	}
	],
	"cpeApplicability": [
	{
	"nodes": [
	{
	"operator": "OR",
	"negate": false,
	"cpeMatch": [
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "4.7",
	"versionEndExcluding": "5.15.171"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "4.7",
	"versionEndExcluding": "6.1.116"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "4.7",
	"versionEndExcluding": "6.6.60"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "4.7",
	"versionEndExcluding": "6.11.7"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "4.7",
	"versionEndExcluding": "6.12"
	}
	]
	}
	]
	}
	],
	"references": [
	{
	"url": "https://git.kernel.org/stable/c/ece593fc9c00741b682869d3f3dc584d37b7c9df"
	},
	{
	"url": "https://git.kernel.org/stable/c/a3ff23f7c3f0e13f718900803e090fd3997d6bc9"
	},
	{
	"url": "https://git.kernel.org/stable/c/07c9c26e37542486e34d767505e842f48f29c3f6"
	},
	{
	"url": "https://git.kernel.org/stable/c/58d23d835eb498336716cca55b5714191a309286"
	},
	{
	"url": "https://git.kernel.org/stable/c/66600fac7a984dea4ae095411f644770b2561ede"
	}
	],
	"title": "net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data",
	"x_generator": {
	"engine": "bippy-1.2.0"
	}
	}
	},
	"cveMetadata": {
	"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
	"cveID": "CVE-2024-53058",
	"requesterUserId": "gregkh@kernel.org",
	"serial": "1",
	"state": "PUBLISHED"
	},
	"dataType": "CVE_RECORD",
	"dataVersion": "5.0"
	}