CVE-2024-26766 Information

Apr 04, 2024 cve

Description

In the Linux kernel the following vulnerability has been resolved:

IB/hfi1: Fix sdma.h tx->num_descs off-by-one error

Unfortunately the commit fd8958efe877 introduced another error causing the descs array to overflow. This reults in further crashes easily reproducible by sendmsg system call.

[ 1080.836473] general protection fault probably for non-canonical address 0x400300015528b00a: 0000 [1] PREEMPT SMP PTI [ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]

[ 1080.974535] Call Trace: [ 1080.976990] [ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1] [ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1] [ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1] [ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib] [ 1081.046978] dev_hard_start_xmit+0xc4/0x210

[ 1081.148347] __sys_sendmsg+0x59/0xa0

crash> ipoib_txreq 0xffff9cfeba229f00 struct ipoib_txreq txreq = list = next = 0xffff9cfeba229f00 prev = 0xffff9cfeba229f00

descp = 0xffff9cfeba229f40
coalesce_buf = 0x0
wait = 0xffff9cfea4e69a48
complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>
packet_len = 0x46d
tlen = 0x0
num_desc = 0x0
desc_limit = 0x6
next_descq_idx = 0x45c
coalesce_idx = 0x0
flags = 0x0
descs = 
    qw = 0x8024000120dffb00 0x4   SDMA_DESC0_FIRST_DESC_FLAG (bit 63)
   
    qw =   0x3800014231b108 0x4
   
    qw =  0x310000e4ee0fcf0 0x8
   
    qw =   0x3000012e9f8000 0x8
   
    qw =   0x59000dfb9d0000 0x8
   
    qw =   0x78000e02e40000 0x8

sdma_hdr = 0x400300015528b000 «< invalid pointer in the tx request structure sdma_status = 0x0 SDMA_DESC0_LAST_DESC_FLAG (bit 62) complete = 0x0 priv = 0x0 txq = 0xffff9cfea4e69880 skb = 0xffff9d099809f400

If an SDMA send consists of exactly 6 descriptors and requires dword padding (in the 7th descriptor) the sdma_txreq descriptor array is not properly expanded and the packet will overflow into the container structure. This results in a panic when the send completion runs. The exact panic varies depending on what elements of the container structure get corrupted. The fix is to use the correct expression in _pad_sdma_tx_descs() to test the need to expand the descriptor array.

With this patch the crashes are no longer reproducible and the machine is stable.

Reference

https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790 https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5 https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2 https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39 https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9 https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6

Share on: