CVE-2021-47196

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47196
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47196.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47196
Related
Published
2024-04-10T19:15:47Z
Modified
2024-09-11T02:00:07Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/core: Set send and receive CQ before forwarding to the driver

Preset both receive and send CQ pointers prior to call to the drivers and overwrite it later again till the mlx4 is going to be changed do not overwrite ibqp properties.

This change is needed for mlx5, because in case of QP creation failure, it will go to the path of QP destroy which relies on proper CQ pointers.

BUG: KASAN: use-after-free in createqp.cold+0x164/0x16e [mlx5ib] Write of size 8 at addr ffff8880064c55c0 by task a.out/246

CPU: 0 PID: 246 Comm: a.out Not tainted 5.15.0+ #291 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: dumpstacklvl+0x45/0x59 printaddressdescription.constprop.0+0x1f/0x140 kasanreport.cold+0x83/0xdf createqp.cold+0x164/0x16e [mlx5ib] mlx5ibcreateqp+0x358/0x28a0 [mlx5ib] createqp.part.0+0x45b/0x6a0 [ibcore] ibcreateqpuser+0x97/0x150 [ibcore] ibuverbshandlerUVERBSMETHODQPCREATE+0x92c/0x1250 [ibuverbs] ibuverbscmdverbs+0x1c38/0x3150 [ibuverbs] ibuverbsioctl+0x169/0x260 [ibuverbs] _x64sysioctl+0x866/0x14d0 dosyscall64+0x3d/0x90 entrySYSCALL64afterhwframe+0x44/0xae

Allocated by task 246: kasansavestack+0x1b/0x40 _kasankmalloc+0xa4/0xd0 createqp.part.0+0x92/0x6a0 [ibcore] ibcreateqpuser+0x97/0x150 [ibcore] ibuverbshandlerUVERBSMETHODQPCREATE+0x92c/0x1250 [ibuverbs] ibuverbscmdverbs+0x1c38/0x3150 [ibuverbs] ibuverbsioctl+0x169/0x260 [ibuverbs] _x64sysioctl+0x866/0x14d0 dosyscall64+0x3d/0x90 entrySYSCALL64after_hwframe+0x44/0xae

Freed by task 246: kasansavestack+0x1b/0x40 kasansettrack+0x1c/0x30 kasansetfreeinfo+0x20/0x30 _kasanslabfree+0x10c/0x150 slabfreefreelisthook+0xb4/0x1b0 kfree+0xe7/0x2a0 createqp.part.0+0x52b/0x6a0 [ibcore] ibcreateqpuser+0x97/0x150 [ibcore] ibuverbshandlerUVERBSMETHODQPCREATE+0x92c/0x1250 [ibuverbs] ibuverbscmdverbs+0x1c38/0x3150 [ibuverbs] ibuverbsioctl+0x169/0x260 [ibuverbs] _x64sysioctl+0x866/0x14d0 dosyscall64+0x3d/0x90 entrySYSCALL64afterhwframe+0x44/0xae

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}