From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-56719: net: stmmac: fix TSO DMA API usage causing oops
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: fix TSO DMA API usage causing oops
Commit 66600fac7a98 ("net: stmmac: TSO: Fix unbalanced DMA map/unmap
for non-paged SKB data") moved the assignment of tx_skbuff_dma[]'s
members to be later in stmmac_tso_xmit().
The buf (dma cookie) and len stored in this structure are passed to
dma_unmap_single() by stmmac_tx_clean(). The DMA API requires that
the dma cookie passed to dma_unmap_single() is the same as the value
returned from dma_map_single(). However, by moving the assignment
later, this is not the case when priv->dma_cap.addr64 > 32 as "des"
is offset by proto_hdr_len.
This causes problems such as:
  dwc-eth-dwmac 2490000.ethernet eth0: Tx DMA map failed
and with DMA_API_DEBUG enabled:
  DMA-API: dwc-eth-dwmac 2490000.ethernet: device driver tries to +free DMA memory it has not allocated [device address=0x000000ffffcf65c0] [size=66 bytes]
Fix this by maintaining "des" as the original DMA cookie, and use
tso_des to pass the offset DMA cookie to stmmac_tso_allocator().
Full details of the crashes can be found at:
https://lore.kernel.org/all/d8112193-0386-4e14-b516-37c2d838171a@nvidia.com/
https://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/
The Linux kernel CVE team has assigned CVE-2024-56719 to this issue.
Affected and fixed versions
===========================
Issue introduced in 6.6.60 with commit 07c9c26e37542486e34d767505e842f48f29c3f6 and fixed in 6.6.68 with commit db3667c9bbfbbf5de98e6c9542f7e03fb5243286
Issue introduced in 6.12 with commit 66600fac7a984dea4ae095411f644770b2561ede and fixed in 6.12.7 with commit 9d5dd7ccea1b46a9a7c6b3c2b9e5ed8864e185e2
Issue introduced in 6.12 with commit 66600fac7a984dea4ae095411f644770b2561ede and fixed in 6.13 with commit 4c49f38e20a57f8abaebdf95b369295b153d1f8e
Issue introduced in 5.15.171 with commit ece593fc9c00741b682869d3f3dc584d37b7c9df
Issue introduced in 6.1.116 with commit a3ff23f7c3f0e13f718900803e090fd3997d6bc9
Issue introduced in 6.11.7 with commit 58d23d835eb498336716cca55b5714191a309286
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-56719
will be updated if fixes are backported; please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/db3667c9bbfbbf5de98e6c9542f7e03fb5243286
https://git.kernel.org/stable/c/9d5dd7ccea1b46a9a7c6b3c2b9e5ed8864e185e2
https://git.kernel.org/stable/c/4c49f38e20a57f8abaebdf95b369295b153d1f8e
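
The map/unmap mismatch described in the commit message above, as an added user-space model; it is not code from the kernel or from this announcement. All names (model_map_single, xmit_regressed, xmit_fixed, model_tx_clean) and the sample address, length and header size are constructed for illustration, and only "des", "tso_des", proto_hdr_len and the addr64 > 32 condition come from the text.

```c
/* User-space model only: not kernel code. A one-slot tracker stands in for
 * the DMA API's bookkeeping (the kind of check DMA_API_DEBUG performs). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
typedef uint64_t dma_addr_t;                        /* stand-in for the kernel type */
struct tx_info { dma_addr_t buf; size_t len; };     /* models one tx_skbuff_dma[] entry */
static struct { dma_addr_t addr; size_t len; bool live; } tracked;
static dma_addr_t model_map_single(dma_addr_t addr, size_t len)
{
    tracked.addr = addr; tracked.len = len; tracked.live = true;
    return addr;                                    /* the DMA cookie */
}

/* Succeeds only when handed back exactly the cookie and length that were mapped. */
static bool model_unmap_single(dma_addr_t addr, size_t len)
{
    if (!tracked.live || tracked.addr != addr || tracked.len != len)
        return false;                               /* "memory it has not allocated" */
    tracked.live = false;
    return true;
}

/* Regressed ordering: "des" is advanced before it is recorded for cleanup. */
static struct tx_info xmit_regressed(dma_addr_t addr, size_t len, size_t proto_hdr_len, unsigned addr64)
{
    dma_addr_t des = model_map_single(addr, len);
    if (addr64 > 32)
        des += proto_hdr_len;                       /* cookie now points past the headers */
    return (struct tx_info){ .buf = des, .len = len };
}

/* Fixed ordering: "des" stays the cookie; the offset address lives in *tso_des. */
static struct tx_info xmit_fixed(dma_addr_t addr, size_t len, size_t proto_hdr_len, unsigned addr64, dma_addr_t *tso_des)
{
    dma_addr_t des = model_map_single(addr, len);
    *tso_des = addr64 > 32 ? des + proto_hdr_len : des;
    return (struct tx_info){ .buf = des, .len = len };
}

static bool model_tx_clean(struct tx_info e) { return model_unmap_single(e.buf, e.len); }
int main(void)
{
    dma_addr_t tso_des;                             /* constructed inputs below */
    printf("regressed unmap ok: %d\n", model_tx_clean(xmit_regressed(0x1000, 120, 54, 40)));
    printf("fixed unmap ok:     %d\n", model_tx_clean(xmit_fixed(0x1000, 120, 54, 40, &tso_des)));
}
```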