In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix illegal rmb_desc access in SMC-D connection dump
A crash was found when dumping SMC-D connections. It can be reproduced by following steps:
run nginx/wrk test: smcrun nginx smcrun wrk -t 16 -c 1000 -d <duration> -H 'Connection: Close' <URL>
continuously dump SMC-D connections in parallel: watch -n 1 'smcss -D'
BUG: kernel NULL pointer dereference, address: 0000000000000030 CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G E 6.7.0+ #55 RIP: 0010:smcdiagdump.constprop.0+0x5e5/0x620 [smcdiag] Call Trace: <TASK> ? _die+0x24/0x70 ? pagefaultoops+0x66/0x150 ? excpagefault+0x69/0x140 ? asmexcpagefault+0x26/0x30 ? _smcdiagdump.constprop.0+0x5e5/0x620 [smcdiag] ? _kmallocnodetrackcaller+0x35d/0x430 ? _allocskb+0x77/0x170 smcdiagdumpproto+0xd0/0xf0 [smcdiag] smcdiagdump+0x26/0x60 [smcdiag] netlinkdump+0x19f/0x320 _netlinkdumpstart+0x1dc/0x300 smcdiaghandlerdump+0x6a/0x80 [smcdiag] ? _pfxsmcdiagdump+0x10/0x10 [smcdiag] sockdiagrcvmsg+0x121/0x140 ? _pfxsockdiagrcvmsg+0x10/0x10 netlinkrcvskb+0x5a/0x110 sockdiagrcv+0x28/0x40 netlinkunicast+0x22a/0x330 netlinksendmsg+0x1f8/0x420 _socksendmsg+0xb0/0xc0 _syssendmsg+0x24e/0x300 ? copymsghdrfromuser+0x62/0x80 _syssendmsg+0x7c/0xd0 ? _dofault+0x34/0x160 ? doreadfault+0x5f/0x100 ? dofault+0xb0/0x110 ? _handlemmfault+0x2b0/0x6c0 _syssendmsg+0x4d/0x80 dosyscall64+0x69/0x180 entrySYSCALL64after_hwframe+0x6e/0x76
It is possible that the connection is in process of being established when we dump it. Assumed that the connection has been registered in a link group by smcconncreate() but the rmbdesc has not yet been initialized by smcbufcreate(), thus causing the illegal access to conn->rmbdesc. So fix it by checking before dump.
{ "vanir_signatures": [ { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1fea9969b81c67d0cb1611d1b8b7d19049d937be", "id": "CVE-2024-26615-08631779", "deprecated": false, "digest": { "threshold": 0.9, "line_hashes": [ "150651617547212339452230099016013305788", "271765156209958003502773726728922148864", "256346410255304917017460391162466130600", "163574356552726739279085025338476739302" ] }, "signature_type": "Line", "signature_version": "v1", "target": { "file": "net/smc/smc_diag.c" } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@27aea64838914c6122db5b8bd4bed865c9736f22", "id": "CVE-2024-26615-0a784163", "deprecated": false, "digest": { "threshold": 0.9, "line_hashes": [ "150651617547212339452230099016013305788", "271765156209958003502773726728922148864", "256346410255304917017460391162466130600", "163574356552726739279085025338476739302" ] }, "signature_type": "Line", "signature_version": "v1", "target": { "file": "net/smc/smc_diag.c" } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@27aea64838914c6122db5b8bd4bed865c9736f22", "id": "CVE-2024-26615-10780e30", "deprecated": false, "digest": { "length": 3916.0, "function_hash": "207242034349756281611946769959827945946" }, "signature_type": "Function", "signature_version": "v1", "target": { "function": "__smc_diag_dump", "file": "net/smc/smc_diag.c" } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5fed92ca32eafbfae8b6bee8ca34cca71c6a8b6d", "id": "CVE-2024-26615-17921ad4", "deprecated": false, "digest": { "length": 3916.0, "function_hash": "207242034349756281611946769959827945946" }, "signature_type": "Function", "signature_version": "v1", "target": { "function": "__smc_diag_dump", "file": "net/smc/smc_diag.c" } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5fed92ca32eafbfae8b6bee8ca34cca71c6a8b6d", "id": "CVE-2024-26615-28a10be8", "deprecated": false, "digest": { "threshold": 0.9, "line_hashes": [ "150651617547212339452230099016013305788", "271765156209958003502773726728922148864", "256346410255304917017460391162466130600", "163574356552726739279085025338476739302" ] }, "signature_type": "Line", "signature_version": "v1", "target": { "file": "net/smc/smc_diag.c" } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@68b888d51ac82f2b96bf5e077a31d76afcdef25a", "id": "CVE-2024-26615-2f61b242", "deprecated": false, "digest": { "length": 3856.0, "function_hash": "299302811999560440386695173175403882213" }, "signature_type": "Function", "signature_version": "v1", "target": { "function": "__smc_diag_dump", "file": "net/smc/smc_diag.c" } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dbc153fd3c142909e564bb256da087e13fbf239c", "id": "CVE-2024-26615-3b98bc90", "deprecated": false, "digest": { "length": 3993.0, "function_hash": "261924015586125481022794719529897111492" }, "signature_type": "Function", "signature_version": "v1", "target": { "function": "__smc_diag_dump", "file": "net/smc/smc_diag.c" } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8f3f9186e5bb96a9c9654c41653210e3ea7e48a6", "id": "CVE-2024-26615-4049140d", "deprecated": false, "digest": { "length": 3864.0, "function_hash": "186618889422877736152934269751038352778" }, "signature_type": "Function", "signature_version": "v1", "target": { "function": "__smc_diag_dump", "file": "net/smc/smc_diag.c" } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a164c2922675d7051805cdaf2b07daffe44f20d9", "id": "CVE-2024-26615-40e507ac", "deprecated": false, "digest": { "threshold": 0.9, "line_hashes": [ "165088051492554655496075405241611834166", "104228765229108457314687486352517902443", "256346410255304917017460391162466130600", "224147286485716031710114587964517970390" ] }, "signature_type": "Line", "signature_version": "v1", "target": { "file": "net/smc/smc_diag.c" } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dbc153fd3c142909e564bb256da087e13fbf239c", "id": "CVE-2024-26615-6194183c", "deprecated": false, "digest": { "threshold": 0.9, "line_hashes": [ "165088051492554655496075405241611834166", "104228765229108457314687486352517902443", "256346410255304917017460391162466130600", "224147286485716031710114587964517970390" ] }, "signature_type": "Line", "signature_version": "v1", "target": { "file": "net/smc/smc_diag.c" } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6994dba06321e3c48fdad0ba796a063d9d82183a", "id": "CVE-2024-26615-6b5e0436", "deprecated": false, "digest": { "threshold": 0.9, "line_hashes": [ "165088051492554655496075405241611834166", "104228765229108457314687486352517902443", "256346410255304917017460391162466130600", "163574356552726739279085025338476739302" ] }, "signature_type": "Line", "signature_version": "v1", "target": { "file": "net/smc/smc_diag.c" } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@68b888d51ac82f2b96bf5e077a31d76afcdef25a", "id": "CVE-2024-26615-85e9052d", "deprecated": false, "digest": { "threshold": 0.9, "line_hashes": [ "150651617547212339452230099016013305788", "271765156209958003502773726728922148864", "256346410255304917017460391162466130600", "163574356552726739279085025338476739302" ] }, "signature_type": "Line", "signature_version": "v1", "target": { "file": "net/smc/smc_diag.c" } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1fea9969b81c67d0cb1611d1b8b7d19049d937be", "id": "CVE-2024-26615-aa494bc5", "deprecated": false, "digest": { "length": 3916.0, "function_hash": "207242034349756281611946769959827945946" }, "signature_type": "Function", "signature_version": "v1", "target": { "function": "__smc_diag_dump", "file": "net/smc/smc_diag.c" } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6994dba06321e3c48fdad0ba796a063d9d82183a", "id": "CVE-2024-26615-cb74e0f5", "deprecated": false, "digest": { "length": 3826.0, "function_hash": "87581539326309595231990904972980917984" }, "signature_type": "Function", "signature_version": "v1", "target": { "function": "__smc_diag_dump", "file": "net/smc/smc_diag.c" } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8f3f9186e5bb96a9c9654c41653210e3ea7e48a6", "id": "CVE-2024-26615-eb83a7b4", "deprecated": false, "digest": { "threshold": 0.9, "line_hashes": [ "165088051492554655496075405241611834166", "104228765229108457314687486352517902443", "256346410255304917017460391162466130600", "224147286485716031710114587964517970390" ] }, "signature_type": "Line", "signature_version": "v1", "target": { "file": "net/smc/smc_diag.c" } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a164c2922675d7051805cdaf2b07daffe44f20d9", "id": "CVE-2024-26615-fb0032d0", "deprecated": false, "digest": { "length": 3864.0, "function_hash": "186618889422877736152934269751038352778" }, "signature_type": "Function", "signature_version": "v1", "target": { "function": "__smc_diag_dump", "file": "net/smc/smc_diag.c" } } ] }