In the Linux kernel, the following vulnerability has been resolved:
IB/hfi1: Fix sdma.h tx->num_descs off-by-one error Unfortunately the commit
fd8958efe877
introduced another error causing the descs
array to
overflow. This reults in further crashes easily reproducible by sendmsg
system call. [ 1080.836473] general protection fault, probably for
non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI [
1080.869326] RIP:
0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1] – [
1080.974535] Call Trace: [ 1080.976990] <TASK> [ 1081.021929]
hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1] [ 1081.027364]
hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1] [ 1081.032633]
hfi1_ipoib_send+0x112/0x300 [hfi1] [ 1081.042001]
ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib] [ 1081.046978]
dev_hard_start_xmit+0xc4/0x210 – [ 1081.148347] __sys_sendmsg+0x59/0xa0
crash> ipoib_txreq 0xffff9cfeba229f00 struct ipoib_txreq { txreq = { list =
{ next = 0xffff9cfeba229f00, prev = 0xffff9cfeba229f00 }, descp =
0xffff9cfeba229f40, coalesce_buf = 0x0, wait = 0xffff9cfea4e69a48, complete
= 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>, packet_len = 0x46d, tlen =
0x0, num_desc = 0x0, desc_limit = 0x6, next_descq_idx = 0x45c, coalesce_idx
= 0x0, flags = 0x0, descs = {{ qw = {0x8024000120dffb00, 0x4} #
SDMA_DESC0_FIRST_DESC_FLAG (bit 63) }, { qw = { 0x3800014231b108, 0x4} }, {
qw = { 0x310000e4ee0fcf0, 0x8} }, { qw = { 0x3000012e9f8000, 0x8} }, { qw =
{ 0x59000dfb9d0000, 0x8} }, { qw = { 0x78000e02e40000, 0x8} }} }, sdma_hdr
= 0x400300015528b000, <<< invalid pointer in the tx request structure
sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62) complete = 0x0, priv
= 0x0, txq = 0xffff9cfea4e69880, skb = 0xffff9d099809f400 } If an SDMA send
consists of exactly 6 descriptors and requires dword padding (in the 7th
descriptor), the sdma_txreq descriptor array is not properly expanded and
the packet will overflow into the container structure. This results in a
panic when the send completion runs. The exact panic varies depending on
what elements of the container structure get corrupted. The fix is to use
the correct expression in _pad_sdma_tx_descs() to test the need to expand
the descriptor array. With this patch the crashes are no longer
reproducible and the machine is stable.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux | < 5.4.0-186.206 | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < 5.15.0-112.122 | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 14.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 16.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < 5.4.0-1126.136 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1063.69 | UNKNOWN |
git.kernel.org/linus/e6f57c6881916df39db7d95981a8ad2b9c3458d6 (6.8-rc6)
git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790
git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2
git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39
git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b
git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5
git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9
git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a
git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6
launchpad.net/bugs/cve/CVE-2024-26766
nvd.nist.gov/vuln/detail/CVE-2024-26766
security-tracker.debian.org/tracker/CVE-2024-26766
ubuntu.com/security/notices/USN-6820-1
ubuntu.com/security/notices/USN-6820-2
ubuntu.com/security/notices/USN-6821-1
ubuntu.com/security/notices/USN-6821-2
ubuntu.com/security/notices/USN-6821-3
ubuntu.com/security/notices/USN-6821-4
ubuntu.com/security/notices/USN-6828-1
ubuntu.com/security/notices/USN-6831-1
www.cve.org/CVERecord?id=CVE-2024-26766