In the Linux kernel, the following vulnerability has been resolved:
IB/hfi1: Fix sdma.h tx->num_descs off-by-one error
Unfortunately the commit fd8958efe877
introduced another error
causing the descs
array to overflow. This results in further crashes
easily reproducible via the sendmsg
system call.
[ 1081.148347] __sys_sendmsg+0x59/0xa0
crash> ipoib_txreq 0xffff9cfeba229f00
struct ipoib_txreq {
txreq = {
list = {
next = 0xffff9cfeba229f00,
prev = 0xffff9cfeba229f00
},
descp = 0xffff9cfeba229f40,
coalesce_buf = 0x0,
wait = 0xffff9cfea4e69a48,
complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>,
packet_len = 0x46d,
tlen = 0x0,
num_desc = 0x0,
desc_limit = 0x6,
next_descq_idx = 0x45c,
coalesce_idx = 0x0,
flags = 0x0,
descs = {{
qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)
}, {
qw = { 0x3800014231b108, 0x4}
}, {
qw = { 0x310000e4ee0fcf0, 0x8}
}, {
qw = { 0x3000012e9f8000, 0x8}
}, {
qw = { 0x59000dfb9d0000, 0x8}
}, {
qw = { 0x78000e02e40000, 0x8}
}}
},
sdma_hdr = 0x400300015528b000, <<< invalid pointer in the tx request structure
sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62)
complete = 0x0,
priv = 0x0,
txq = 0xffff9cfea4e69880,
skb = 0xffff9d099809f400
}
If an SDMA send consists of exactly 6 descriptors and requires dword
padding (in the 7th descriptor), the sdma_txreq descriptor array is not
properly expanded and the packet will overflow into the container
structure. This results in a panic when the send completion runs. The
exact panic varies depending on what elements of the container structure
get corrupted. The fix is to use the correct expression in
_pad_sdma_tx_descs() to test the need to expand the descriptor array.
With this patch the crashes are no longer reproducible and the machine is
stable.
[
{
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"product": "Linux",
"versions": [
{
"status": "affected",
"version": "d1c1ee052d25",
"lessThan": "115b7f3bc1dc",
"versionType": "git"
},
{
"status": "affected",
"version": "40ac5cb6cbb0",
"lessThan": "5833024a9856",
"versionType": "git"
},
{
"status": "affected",
"version": "6cf8f3d690bb",
"lessThan": "3f38d22e645e",
"versionType": "git"
},
{
"status": "affected",
"version": "bd57756a7e43",
"lessThan": "47ae64df23ed",
"versionType": "git"
},
{
"status": "affected",
"version": "eeaf35f4e3b3",
"lessThan": "52dc9a7a573d",
"versionType": "git"
},
{
"status": "affected",
"version": "fd8958efe877",
"lessThan": "a2fef1d81bec",
"versionType": "git"
},
{
"status": "affected",
"version": "fd8958efe877",
"lessThan": "9034a1bec35e",
"versionType": "git"
},
{
"status": "affected",
"version": "fd8958efe877",
"lessThan": "e6f57c688191",
"versionType": "git"
}
],
"programFiles": [
"drivers/infiniband/hw/hfi1/sdma.c"
],
"defaultStatus": "unaffected"
},
{
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"product": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"status": "unaffected",
"version": "0",
"lessThan": "6.3",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "4.19.308",
"versionType": "custom",
"lessThanOrEqual": "4.19.*"
},
{
"status": "unaffected",
"version": "5.4.270",
"versionType": "custom",
"lessThanOrEqual": "5.4.*"
},
{
"status": "unaffected",
"version": "5.10.211",
"versionType": "custom",
"lessThanOrEqual": "5.10.*"
},
{
"status": "unaffected",
"version": "5.15.150",
"versionType": "custom",
"lessThanOrEqual": "5.15.*"
},
{
"status": "unaffected",
"version": "6.1.80",
"versionType": "custom",
"lessThanOrEqual": "6.1.*"
},
{
"status": "unaffected",
"version": "6.6.19",
"versionType": "custom",
"lessThanOrEqual": "6.6.*"
},
{
"status": "unaffected",
"version": "6.7.7",
"versionType": "custom",
"lessThanOrEqual": "6.7.*"
},
{
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix",
"lessThanOrEqual": "*"
}
],
"programFiles": [
"drivers/infiniband/hw/hfi1/sdma.c"
],
"defaultStatus": "affected"
}
]
git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790
git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2
git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39
git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b
git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5
git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9
git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a
git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6
lists.debian.org/debian-lts-announce/2024/06/msg00017.html
lists.debian.org/debian-lts-announce/2024/06/msg00020.html