CVE-2021-47196

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-47196

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47196.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-47196

Related

Published

2024-04-10T19:15:47Z

Modified

2024-09-11T02:00:07Z

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/core: Set send and receive CQ before forwarding to the driver

Preset both receive and send CQ pointers prior to call to the drivers and overwrite it later again till the mlx4 is going to be changed do not overwrite ibqp properties.

This change is needed for mlx5, because in case of QP creation failure, it will go to the path of QP destroy which relies on proper CQ pointers.

BUG: KASAN: use-after-free in createqp.cold+0x164/0x16e [mlx5ib] Write of size 8 at addr ffff8880064c55c0 by task a.out/246

CPU: 0 PID: 246 Comm: a.out Not tainted 5.15.0+ #291 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: dumpstacklvl+0x45/0x59 printaddressdescription.constprop.0+0x1f/0x140 kasanreport.cold+0x83/0xdf createqp.cold+0x164/0x16e [mlx5ib] mlx5ibcreateqp+0x358/0x28a0 [mlx5ib] createqp.part.0+0x45b/0x6a0 [ibcore] ibcreateqpuser+0x97/0x150 [ibcore] ibuverbshandlerUVERBSMETHODQPCREATE+0x92c/0x1250 [ibuverbs] ibuverbscmdverbs+0x1c38/0x3150 [ibuverbs] ibuverbsioctl+0x169/0x260 [ibuverbs] _x64sysioctl+0x866/0x14d0 dosyscall64+0x3d/0x90 entrySYSCALL64afterhwframe+0x44/0xae

Allocated by task 246: kasansavestack+0x1b/0x40 _kasankmalloc+0xa4/0xd0 createqp.part.0+0x92/0x6a0 [ibcore] ibcreateqpuser+0x97/0x150 [ibcore] ibuverbshandlerUVERBSMETHODQPCREATE+0x92c/0x1250 [ibuverbs] ibuverbscmdverbs+0x1c38/0x3150 [ibuverbs] ibuverbsioctl+0x169/0x260 [ibuverbs] _x64sysioctl+0x866/0x14d0 dosyscall64+0x3d/0x90 entrySYSCALL64after_hwframe+0x44/0xae

Freed by task 246: kasansavestack+0x1b/0x40 kasansettrack+0x1c/0x30 kasansetfreeinfo+0x20/0x30 _kasanslabfree+0x10c/0x150 slabfreefreelisthook+0xb4/0x1b0 kfree+0xe7/0x2a0 createqp.part.0+0x52b/0x6a0 [ibcore] ibcreateqpuser+0x97/0x150 [ibcore] ibuverbshandlerUVERBSMETHODQPCREATE+0x92c/0x1250 [ibuverbs] ibuverbscmdverbs+0x1c38/0x3150 [ibuverbs] ibuverbsioctl+0x169/0x260 [ibuverbs] _x64sysioctl+0x866/0x14d0 dosyscall64+0x3d/0x90 entrySYSCALL64afterhwframe+0x44/0xae

References

Affected packages

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.15.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.15.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}