CVE-2022-48729

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48729
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48729.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48729
Related
Published
2024-06-20T12:15:11Z
Modified
2024-10-27T18:35:03Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

IB/hfi1: Fix panic with larger ipoib sendqueuesize

When the ipoib sendqueuesize is increased from the default the following panic happens:

RIP: 0010:hfi1ipoibdraintxring+0x45/0xf0 [hfi1] Code: 31 e4 eb 0f 8b 85 c8 02 00 00 41 83 c4 01 44 39 e0 76 60 8b 8d cc 02 00 00 44 89 e3 be 01 00 00 00 d3 e3 48 03 9d c0 02 00 00 <c7> 83 18 01 00 00 00 00 00 00 48 8b bb 30 01 00 00 e8 25 af a7 e0 RSP: 0018:ffffc9000798f4a0 EFLAGS: 00010286 RAX: 0000000000008000 RBX: ffffc9000aa0f000 RCX: 000000000000000f RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88810ff08000 R08: ffff88889476d900 R09: 0000000000000101 R10: 0000000000000000 R11: ffffc90006590ff8 R12: 0000000000000200 R13: ffffc9000798fba8 R14: 0000000000000000 R15: 0000000000000001 FS: 00007fd0f79cc3c0(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000aa0f118 CR3: 0000000889c84001 CR4: 00000000001706e0 Call Trace: <TASK> hfi1ipoibnapitxdisable+0x45/0x60 [hfi1] hfi1ipoibdevstop+0x18/0x80 [hfi1] ipoibibdevstop+0x1d/0x40 [ibipoib] ipoibstop+0x48/0xc0 [ibipoib] _devclosemany+0x9e/0x110 _devchangeflags+0xd9/0x210 devchangeflags+0x21/0x60 dosetlink+0x31c/0x10f0 ? _nlavalidateparse+0x12d/0x1a0 ? _nlaparse+0x21/0x30 ? inet6validatelinkaf+0x5e/0xf0 ? cpumasknext+0x1f/0x20 ? _snmp6fillstats64.isra.53+0xbb/0x140 ? _nlavalidateparse+0x47/0x1a0 _rtnlnewlink+0x530/0x910 ? pskbexpandhead+0x73/0x300 ? _kmallocnodetrackcaller+0x109/0x280 ? _nlaput+0xc/0x20 ? cpumasknextand+0x20/0x30 ? updatesdlbstats.constprop.144+0xd3/0x820 ? rawspinunlockirqrestore+0x25/0x37 ? _wakeupcommonlock+0x87/0xc0 ? kmemcachealloctrace+0x3d/0x3d0 rtnlnewlink+0x43/0x60

The issue happens when the shift that should have been a function of the txq item size mistakenly used the ring size.

Fix by using the item size.

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.16.10-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.16.10-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}