CVE-2024-26766
Vulnerability Summary
Timeline
Description
In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix sdma.h tx->num_descs off-by-one error Unfortunately the commit `fd8958efe877` introduced another error causing the `descs` array to overflow. This reults in further crashes easily reproducible by `sendmsg` system call. [ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI [ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1] -- [ 1080.974535] Call Trace: [ 1080.976990] <TASK> [ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1] [ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1] [ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1] [ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib] [ 1081.046978] dev_hard_start_xmit+0xc4/0x210 -- [ 1081.148347] __sys_sendmsg+0x59/0xa0 crash> ipoib_txreq 0xffff9cfeba229f00 struct ipoib_txreq { txreq = { list = { next = 0xffff9cfeba229f00, prev = 0xffff9cfeba229f00 }, descp = 0xffff9cfeba229f40, coalesce_buf = 0x0, wait = 0xffff9cfea4e69a48, complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>, packet_len = 0x46d, tlen = 0x0, num_desc = 0x0, desc_limit = 0x6, next_descq_idx = 0x45c, coalesce_idx = 0x0, flags = 0x0, descs = {{ qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63) }, { qw = { 0x3800014231b108, 0x4} }, { qw = { 0x310000e4ee0fcf0, 0x8} }, { qw = { 0x3000012e9f8000, 0x8} }, { qw = { 0x59000dfb9d0000, 0x8} }, { qw = { 0x78000e02e40000, 0x8} }} }, sdma_hdr = 0x400300015528b000, <<< invalid pointer in the tx request structure sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62) complete = 0x0, priv = 0x0, txq = 0xffff9cfea4e69880, skb = 0xffff9d099809f400 } If an SDMA send consists of exactly 6 descriptors and requires dword padding (in the 7th descriptor), the sdma_txreq descriptor array is not properly expanded and the packet will overflow into the container structure. This results in a panic when the send completion runs. The exact panic varies depending on what elements of the container structure get corrupted. The fix is to use the correct expression in _pad_sdma_tx_descs() to test the need to expand the descriptor array. With this patch the crashes are no longer reproducible and the machine is stable.
CVSS Metrics
- v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Trends
Current EPSS score: 0.01%• Percentile: 1%
Techniques & Countermeasures
- CWE-193•Off-by-one Error
A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
Affected Systems
- debian•debian_linux
10.0
- linux•linux
≥ d1c1ee052d25ca23735eea912f843bc7834781b4, < 115b7f3bc1dce590a6851a2dcf23dc1100c49790 | ≥ 40ac5cb6cbb01afa40881f78b4d2f559fb7065c4, < 5833024a9856f454a964a198c63a57e59e07baf5 | ≥ 6cf8f3d690bb5ad31ef0f41a6206ecf5a068d179, < 3f38d22e645e2e994979426ea5a35186102ff3c2 | ≥ bd57756a7e43c7127d0eca1fc5868e705fd0f7ba, < 47ae64df23ed1318e27bd9844e135a5e1c0e6e39 | ≥ eeaf35f4e3b360162081de5e744cf32d6d1b0091, < 52dc9a7a573dbf778625a0efca0fca55489f084b | ≥ fd8958efe8779d3db19c9124fce593ce681ac709, < a2fef1d81becf4ff60e1a249477464eae3c3bc2a | ≥ fd8958efe8779d3db19c9124fce593ce681ac709, < 9034a1bec35e9f725315a3bb6002ef39666114d9 | ≥ fd8958efe8779d3db19c9124fce593ce681ac709, < e6f57c6881916df39db7d95981a8ad2b9c3458d6 | 0ef9594936d1f078e8599a1cf683b052df2bec00 | ≥ 4.19.291, < 4.19.308 | ≥ 5.4.251, < 5.4.270 | ≥ 5.10.188, < 5.10.211 | ≥ 5.15.99, < 5.15.150 | ≥ 6.1.16, < 6.1.80 | ≥ 6.2.3, < 6.3 | 6.3
- linux•linux_kernel
≥ 4.19.291, < 4.19.308 | ≥ 5.4.251, < 5.4.270 | ≥ 5.10.188, < 5.10.211 | ≥ 5.15.99, < 5.15.150 | ≥ 6.1.16, < 6.1.80 | ≥ 6.2.3, < 6.6.19 | ≥ 6.7, < 6.7.7 | 6.8:rc1 | 6.8:rc2 | 6.8:rc3 | 6.8:rc4 | 6.8:rc5
References (10)
- https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790
- https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5
- https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2
- https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39
- https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b
- https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a
- https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9
- https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6
- https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
- https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html