Assigner | Linux |
Reserved | 2024-02-19 |
Published | 2024-04-03 |
Updated | 2024-06-04 |
Description
In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix sdma.h tx->num_descs off-by-one error Unfortunately the commit `fd8958efe877` introduced another error causing the `descs` array to overflow. This reults in further crashes easily reproducible by `sendmsg` system call. [ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI [ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1] -- [ 1080.974535] Call Trace: [ 1080.976990] <TASK> [ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1] [ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1] [ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1] [ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib] [ 1081.046978] dev_hard_start_xmit+0xc4/0x210 -- [ 1081.148347] __sys_sendmsg+0x59/0xa0 crash> ipoib_txreq 0xffff9cfeba229f00 struct ipoib_txreq { txreq = { list = { next = 0xffff9cfeba229f00, prev = 0xffff9cfeba229f00 }, descp = 0xffff9cfeba229f40, coalesce_buf = 0x0, wait = 0xffff9cfea4e69a48, complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>, packet_len = 0x46d, tlen = 0x0, num_desc = 0x0, desc_limit = 0x6, next_descq_idx = 0x45c, coalesce_idx = 0x0, flags = 0x0, descs = {{ qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63) }, { qw = { 0x3800014231b108, 0x4} }, { qw = { 0x310000e4ee0fcf0, 0x8} }, { qw = { 0x3000012e9f8000, 0x8} }, { qw = { 0x59000dfb9d0000, 0x8} }, { qw = { 0x78000e02e40000, 0x8} }} }, sdma_hdr = 0x400300015528b000, <<< invalid pointer in the tx request structure sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62) complete = 0x0, priv = 0x0, txq = 0xffff9cfea4e69880, skb = 0xffff9d099809f400 } If an SDMA send consists of exactly 6 descriptors and requires dword padding (in the 7th descriptor), the sdma_txreq descriptor array is not properly expanded and the packet will overflow into the container structure. This results in a panic when the send completion runs. The exact panic varies depending on what elements of the container structure get corrupted. The fix is to use the correct expression in _pad_sdma_tx_descs() to test the need to expand the descriptor array. With this patch the crashes are no longer reproducible and the machine is stable.
Product status
d1c1ee052d25 before 115b7f3bc1dc
40ac5cb6cbb0 before 5833024a9856
6cf8f3d690bb before 3f38d22e645e
bd57756a7e43 before 47ae64df23ed
eeaf35f4e3b3 before 52dc9a7a573d
fd8958efe877 before a2fef1d81bec
fd8958efe877 before 9034a1bec35e
fd8958efe877 before e6f57c688191
6.3
Any version before 6.3
4.19.308
5.4.270
5.10.211
5.15.150
6.1.80
6.6.19
6.7.7
6.8
References
https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790
https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5
https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2
https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39
https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b
https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a
https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9
https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6