We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Zendesk (Helpdesk and Chat)
Bugpilot (Bug tracking)

Ok

THREATINT CVE Home CVE Diag Help
PUBLISHED

CVE-2024-26766

IB/hfi1: Fix sdma.h tx->num_descs off-by-one error

Reserved:2024-02-19
Published:2024-04-03
Updated:2024-04-04

Description

In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix sdma.h tx->num_descs off-by-one error Unfortunately the commit `fd8958efe877` introduced another error causing the `descs` array to overflow. This reults in further crashes easily reproducible by `sendmsg` system call. [ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI [ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1] -- [ 1080.974535] Call Trace: [ 1080.976990] <TASK> [ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1] [ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1] [ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1] [ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib] [ 1081.046978] dev_hard_start_xmit+0xc4/0x210 -- [ 1081.148347] __sys_sendmsg+0x59/0xa0 crash> ipoib_txreq 0xffff9cfeba229f00 struct ipoib_txreq { txreq = { list = { next = 0xffff9cfeba229f00, prev = 0xffff9cfeba229f00 }, descp = 0xffff9cfeba229f40, coalesce_buf = 0x0, wait = 0xffff9cfea4e69a48, complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>, packet_len = 0x46d, tlen = 0x0, num_desc = 0x0, desc_limit = 0x6, next_descq_idx = 0x45c, coalesce_idx = 0x0, flags = 0x0, descs = {{ qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63) }, { qw = { 0x3800014231b108, 0x4} }, { qw = { 0x310000e4ee0fcf0, 0x8} }, { qw = { 0x3000012e9f8000, 0x8} }, { qw = { 0x59000dfb9d0000, 0x8} }, { qw = { 0x78000e02e40000, 0x8} }} }, sdma_hdr = 0x400300015528b000, <<< invalid pointer in the tx request structure sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62) complete = 0x0, priv = 0x0, txq = 0xffff9cfea4e69880, skb = 0xffff9d099809f400 } If an SDMA send consists of exactly 6 descriptors and requires dword padding (in the 7th descriptor), the sdma_txreq descriptor array is not properly expanded and the packet will overflow into the container structure. This results in a panic when the send completion runs. The exact panic varies depending on what elements of the container structure get corrupted. The fix is to use the correct expression in _pad_sdma_tx_descs() to test the need to expand the descriptor array. With this patch the crashes are no longer reproducible and the machine is stable.

Product status

Default status
unaffected

d1c1ee052d25 before 115b7f3bc1dc
affected

40ac5cb6cbb0 before 5833024a9856
affected

6cf8f3d690bb before 3f38d22e645e
affected

bd57756a7e43 before 47ae64df23ed
affected

eeaf35f4e3b3 before 52dc9a7a573d
affected

fd8958efe877 before a2fef1d81bec
affected

fd8958efe877 before 9034a1bec35e
affected

fd8958efe877 before e6f57c688191
affected

Default status
affected

6.3
affected

Any version before 6.3
unaffected

4.19.308
unaffected

5.4.270
unaffected

5.10.211
unaffected

5.15.150
unaffected

6.1.80
unaffected

6.6.19
unaffected

6.7.7
unaffected

6.8
unaffected

References

https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790

https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5

https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2

https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39

https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b

https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a

https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9

https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6

cve.org CVE-2024-26766

nvd.nist.gov CVE-2024-26766

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-26766