CVE-2021-47399

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47399
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47399.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-47399
Published
2024-05-21T15:15:25Z
Modified
2025-01-08T08:01:26.116013Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

ixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup

The ixgbe driver currently generates a NULL pointer dereference on some machines (online cpus < 63). This is due to the fact that the maximum value of num_xdp_queues is nr_cpu_ids. The code is in "ixgbe_set_rss_queues".

Here's how the problem repeats itself: on some machines (online cpus < 63), the user sets num_queues to 63 through ethtool. The code is in "ixgbe_set_channels":

    adapter->ring_feature[RING_F_FDIR].limit = count;

It becomes 63.

When the user uses xdp, "ixgbe_set_rss_queues" will set the number of queues:

    adapter->num_rx_queues = rss_i;
    adapter->num_tx_queues = rss_i;
    adapter->num_xdp_queues = ixgbe_xdp_queues(adapter);

And rss_i's value is from:

    f = &adapter->ring_feature[RING_F_FDIR];
    rss_i = f->indices = f->limit;

So "num_rx_queues" > "num_xdp_queues", and when it runs to "ixgbe_xdp_setup":

    for (i = 0; i < adapter->num_rx_queues; i++)
        if (adapter->xdp_ring[i]->xsk_umem)

It leads to panic.

Call trace:

    [exception RIP: ixgbe_xdp+368]
    RIP: ffffffffc02a76a0  RSP: ffff9fe16202f8d0  RFLAGS: 00010297
    RAX: 0000000000000000  RBX: 0000000000000020  RCX: 0000000000000000
    RDX: 0000000000000000  RSI: 000000000000001c  RDI: ffffffffa94ead90
    RBP: ffff92f8f24c0c18   R8: 0000000000000000   R9: 0000000000000000
    R10: ffff9fe16202f830  R11: 0000000000000000  R12: ffff92f8f24c0000
    R13: ffff9fe16202fc01  R14: 000000000000000a  R15: ffffffffc02a7530
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
     7 [ffff9fe16202f8f0] dev_xdp_install at ffffffffa89fbbcc
     8 [ffff9fe16202f920] dev_change_xdp_fd at ffffffffa8a08808
     9 [ffff9fe16202f960] do_setlink at ffffffffa8a20235
    10 [ffff9fe16202fa88] rtnl_setlink at ffffffffa8a20384
    11 [ffff9fe16202fc78] rtnetlink_rcv_msg at ffffffffa8a1a8dd
    12 [ffff9fe16202fcf0] netlink_rcv_skb at ffffffffa8a717eb
    13 [ffff9fe16202fd40] netlink_unicast at ffffffffa8a70f88
    14 [ffff9fe16202fd80] netlink_sendmsg at ffffffffa8a71319
    15 [ffff9fe16202fdf0] sock_sendmsg at ffffffffa89df290
    16 [ffff9fe16202fe08] __sys_sendto at ffffffffa89e19c8
    17 [ffff9fe16202ff30] __x64_sys_sendto at ffffffffa89e1a64
    18 [ffff9fe16202ff38] do_syscall_64 at ffffffffa84042b9
    19 [ffff9fe16202ff50] entry_SYSCALL_64_after_hwframe at ffffffffa8c0008c

So I fix ixgbe_max_channels so that it will not allow a setting of queues to be higher than the num_online_cpus(). And when run to ixgbe_xdp_setup, take the smaller value of num_rx_queues and num_xdp_queues.
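
The loop-bound mismatch described in the commit message above, as a small user-space model added here for illustration; it is not the driver's code or the upstream patch. The struct layout, `MAX_XDP_RINGS`, `has_xsk`, `make_adapter` and both function names are assumptions of this model, and the unfixed bound is only scanned for NULL slots rather than dereferenced.

```c
#include <stddef.h>
#include <stdio.h>
#define MAX_XDP_RINGS 64                 /* assumed array size for this model */

struct ring { int has_xsk; };            /* stand-in for the driver's ring struct */
struct adapter {                         /* only the fields the commit message names */
    int num_rx_queues, num_xdp_queues;
    struct ring *xdp_ring[MAX_XDP_RINGS];
};

/* Loop bound before the fix: returns the first index in [0, num_rx_queues)
 * whose xdp_ring slot is NULL (where the dereference would fault), or -1. */
int first_null_slot_old_bound(const struct adapter *a)
{
    for (int i = 0; i < a->num_rx_queues; i++)
        if (a->xdp_ring[i] == NULL)
            return i;
    return -1;
}

/* Loop bound after the fix: the smaller of the two counts, so every slot
 * that is dereferenced is populated. Returns how many rings have XSK set. */
int count_xsk_rings_fixed(const struct adapter *a)
{
    int n = a->num_rx_queues < a->num_xdp_queues ? a->num_rx_queues : a->num_xdp_queues;
    int hits = 0;
    for (int i = 0; i < n; i++)
        hits += a->xdp_ring[i]->has_xsk;
    return hits;
}

/* Constructed state: one XDP ring per CPU, RX queue count chosen by the user. */
struct adapter *make_adapter(int rx_queues, int cpus)
{
    static struct ring rings[MAX_XDP_RINGS];
    static struct adapter a;
    a.num_rx_queues = rx_queues;
    a.num_xdp_queues = cpus;
    for (int i = 0; i < MAX_XDP_RINGS; i++) {
        rings[i].has_xsk = (i % 2 == 0);             /* arbitrary sample data */
        a.xdp_ring[i] = i < cpus ? &rings[i] : NULL; /* no ring beyond the CPU count */
    }
    return &a;
}

int main(void)
{
    struct adapter *a = make_adapter(63, 32);   /* 63 queues requested, 32 CPUs */
    printf("old bound: NULL slot at index %d; fixed bound: %d XSK rings\n",
           first_null_slot_old_bound(a), count_xsk_rings_fixed(a));
    return 0;
}
```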


Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.84-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.14.12-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.14.12-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}