| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Don't expose hw_counters outside of init net namespace\n\nCommit 467f432a521a (\"RDMA/core: Split port and device counter sysfs\nattributes\") accidentally almost exposed hw counters to non-init net\nnamespaces. It didn't expose them fully, as an attempt to read any of\nthose counters leads to a crash like this one:\n\n[42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028\n[42021.814463] #PF: supervisor read access in kernel mode\n[42021.819549] #PF: error_code(0x0000) - not-present page\n[42021.824636] PGD 0 P4D 0\n[42021.827145] Oops: 0000 [#1] SMP PTI\n[42021.830598] CPU: 82 PID: 2843922 Comm: switchto-defaul Kdump: loaded Tainted: G S W I XXX\n[42021.841697] Hardware name: XXX\n[42021.849619] RIP: 0010:hw_stat_device_show+0x1e/0x40 [ib_core]\n[42021.855362] Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 49 89 d0 4c 8b 5e 20 48 8b 8f b8 04 00 00 48 81 c7 f0 fa ff ff <48> 8b 41 28 48 29 ce 48 83 c6 d0 48 c1 ee 04 69 d6 ab aa aa aa 48\n[42021.873931] RSP: 0018:ffff97fe90f03da0 EFLAGS: 00010287\n[42021.879108] RAX: ffff9406988a8c60 RBX: ffff940e1072d438 RCX: 0000000000000000\n[42021.886169] RDX: ffff94085f1aa000 RSI: ffff93c6cbbdbcb0 RDI: ffff940c7517aef0\n[42021.893230] RBP: ffff97fe90f03e70 R08: ffff94085f1aa000 R09: 0000000000000000\n[42021.900294] R10: ffff94085f1aa000 R11: ffffffffc0775680 R12: ffffffff87ca2530\n[42021.907355] R13: ffff940651602840 R14: ffff93c6cbbdbcb0 R15: ffff94085f1aa000\n[42021.914418] FS: 00007fda1a3b9700(0000) GS:ffff94453fb80000(0000) knlGS:0000000000000000\n[42021.922423] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[42021.928130] CR2: 0000000000000028 CR3: 00000042dcfb8003 CR4: 00000000003726f0\n[42021.935194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[42021.942257] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[42021.949324] Call Trace:\n[42021.951756] <TASK>\n[42021.953842] [<ffffffff86c58674>] ? show_regs+0x64/0x70\n[42021.959030] [<ffffffff86c58468>] ? __die+0x78/0xc0\n[42021.963874] [<ffffffff86c9ef75>] ? page_fault_oops+0x2b5/0x3b0\n[42021.969749] [<ffffffff87674b92>] ? exc_page_fault+0x1a2/0x3c0\n[42021.975549] [<ffffffff87801326>] ? asm_exc_page_fault+0x26/0x30\n[42021.981517] [<ffffffffc0775680>] ? __pfx_show_hw_stats+0x10/0x10 [ib_core]\n[42021.988482] [<ffffffffc077564e>] ? hw_stat_device_show+0x1e/0x40 [ib_core]\n[42021.995438] [<ffffffff86ac7f8e>] dev_attr_show+0x1e/0x50\n[42022.000803] [<ffffffff86a3eeb1>] sysfs_kf_seq_show+0x81/0xe0\n[42022.006508] [<ffffffff86a11134>] seq_read_iter+0xf4/0x410\n[42022.011954] [<ffffffff869f4b2e>] vfs_read+0x16e/0x2f0\n[42022.017058] [<ffffffff869f50ee>] ksys_read+0x6e/0xe0\n[42022.022073] [<ffffffff8766f1ca>] do_syscall_64+0x6a/0xa0\n[42022.027441] [<ffffffff8780013b>] entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nThe problem can be reproduced using the following steps:\n ip netns add foo\n ip netns exec foo bash\n cat /sys/class/infiniband/mlx4_0/hw_counters/*\n\nThe panic occurs because of casting the device pointer into an\nib_device pointer using container_of() in hw_stat_device_show() is\nwrong and leads to a memory corruption.\n\nHowever the real problem is that hw counters should never been exposed\noutside of the non-init net namespace.\n\nFix this by saving the index of the corresponding attribute group\n(it might be 1 or 2 depending on the presence of driver-specific\nattributes) and zeroing the pointer to hw_counters group for compat\ndevices during the initialization.\n\nWith this fix applied hw_counters are not available in a non-init\nnet namespace:\n find /sys/class/infiniband/mlx4_0/ -name hw_counters\n /sys/class/infiniband/mlx4_0/ports/1/hw_counters\n /sys/class/infiniband/mlx4_0/ports/2/hw_counters\n /sys/class/infiniband/mlx4_0/hw_counters\n\n ip netns add foo\n ip netns exec foo bash\n find /sys/class/infiniband/mlx4_0/ -name hw_counters" |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "drivers/infiniband/core/device.c", |
| "drivers/infiniband/core/sysfs.c", |
| "include/rdma/ib_verbs.h" |
| ], |
| "versions": [ |
| { |
| "version": "467f432a521a284c418e3d521ee51840a5e23424", |
| "lessThan": "9a5b7f8842a90a5e6eeff37f9f6d814e61ea3529", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "467f432a521a284c418e3d521ee51840a5e23424", |
| "lessThan": "d5212b99649c5740154f307e9e3d7fee9bf62773", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "467f432a521a284c418e3d521ee51840a5e23424", |
| "lessThan": "0cf80f924aecb5b2bebd4f4ad11b2efc676a0b78", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "467f432a521a284c418e3d521ee51840a5e23424", |
| "lessThan": "df45ae2a4f1cdfda00c032839e12092e1f32c05e", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "467f432a521a284c418e3d521ee51840a5e23424", |
| "lessThan": "c14d9704f5d77a7c7fa46e2114b64a4f75b64e17", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "467f432a521a284c418e3d521ee51840a5e23424", |
| "lessThan": "6682da5d8fd578a5068531d01633c9d2e4c8f12b", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "467f432a521a284c418e3d521ee51840a5e23424", |
| "lessThan": "a1ecb30f90856b0be4168ad51b8875148e285c1f", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "drivers/infiniband/core/device.c", |
| "drivers/infiniband/core/sysfs.c", |
| "include/rdma/ib_verbs.h" |
| ], |
| "versions": [ |
| { |
| "version": "5.14", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "5.14", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.15.180", |
| "lessThanOrEqual": "5.15.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.1.134", |
| "lessThanOrEqual": "6.1.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.6.87", |
| "lessThanOrEqual": "6.6.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.12.23", |
| "lessThanOrEqual": "6.12.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.13.11", |
| "lessThanOrEqual": "6.13.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.14.2", |
| "lessThanOrEqual": "6.14.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.15", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.14", |
| "versionEndExcluding": "5.15.180" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.14", |
| "versionEndExcluding": "6.1.134" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.14", |
| "versionEndExcluding": "6.6.87" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.14", |
| "versionEndExcluding": "6.12.23" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.14", |
| "versionEndExcluding": "6.13.11" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.14", |
| "versionEndExcluding": "6.14.2" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.14", |
| "versionEndExcluding": "6.15" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/9a5b7f8842a90a5e6eeff37f9f6d814e61ea3529" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/d5212b99649c5740154f307e9e3d7fee9bf62773" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/0cf80f924aecb5b2bebd4f4ad11b2efc676a0b78" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/df45ae2a4f1cdfda00c032839e12092e1f32c05e" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/c14d9704f5d77a7c7fa46e2114b64a4f75b64e17" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/6682da5d8fd578a5068531d01633c9d2e4c8f12b" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/a1ecb30f90856b0be4168ad51b8875148e285c1f" |
| } |
| ], |
| "title": "RDMA/core: Don't expose hw_counters outside of init net namespace", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2025-22089", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
