CVE-2024-26766

Unfortunately the commit fd8958efe877 introduced another error causing the descs array to overflow. This reults in further crashes easily reproducible by sendmsg system call.

[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI

[ 1080.869326] RIP: 0010:hfi1ipoibbuildibtx_headers.constprop.0+0xe1/0x2b0 [hfi1]

[ 1080.974535] Call Trace: [ 1080.976990] <TASK> [ 1081.021929] hfi1ipoibsenddmacommon+0x7a/0x2e0 [hfi1] [ 1081.027364] hfi1ipoibsenddmalist+0x62/0x270 [hfi1] [ 1081.032633] hfi1ipoibsend+0x112/0x300 [hfi1] [ 1081.042001] ipoibstartxmit+0x2a9/0x2d0 [ib_ipoib]

[ 1081.046978] devhardstart_xmit+0xc4/0x210

[ 1081.148347] _syssendmsg+0x59/0xa0

crash> ipoibtxreq 0xffff9cfeba229f00 struct ipoibtxreq { txreq = { list = { next = 0xffff9cfeba229f00, prev = 0xffff9cfeba229f00 }, descp = 0xffff9cfeba229f40, coalescebuf = 0x0, wait = 0xffff9cfea4e69a48, complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>, packetlen = 0x46d, tlen = 0x0, numdesc = 0x0, desclimit = 0x6, nextdescqidx = 0x45c, coalesceidx = 0x0, flags = 0x0, descs = {{ qw = {0x8024000120dffb00, 0x4} # SDMADESC0FIRSTDESCFLAG (bit 63) }, { qw = { 0x3800014231b108, 0x4} }, { qw = { 0x310000e4ee0fcf0, 0x8} }, { qw = { 0x3000012e9f8000, 0x8} }, { qw = { 0x59000dfb9d0000, 0x8} }, { qw = { 0x78000e02e40000, 0x8} }} }, sdmahdr = 0x400300015528b000, <<< invalid pointer in the tx request structure sdmastatus = 0x0, SDMADESC0LASTDESC_FLAG (bit 62) complete = 0x0, priv = 0x0, txq = 0xffff9cfea4e69880, skb = 0xffff9d099809f400 }

If an SDMA send consists of exactly 6 descriptors and requires dword padding (in the 7th descriptor), the sdmatxreq descriptor array is not properly expanded and the packet will overflow into the container structure. This results in a panic when the send completion runs. The exact panic varies depending on what elements of the container structure get corrupted. The fix is to use the correct expression in _padsdmatxdescs() to test the need to expand the descriptor array.

With this patch the crashes are no longer reproducible and the machine is stable.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

d1c1ee052d25ca23735eea912f843bc7834781b4

Fixed

115b7f3bc1dce590a6851a2dcf23dc1100c49790

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

40ac5cb6cbb01afa40881f78b4d2f559fb7065c4

Fixed

5833024a9856f454a964a198c63a57e59e07baf5

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

6cf8f3d690bb5ad31ef0f41a6206ecf5a068d179

Fixed

3f38d22e645e2e994979426ea5a35186102ff3c2

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

bd57756a7e43c7127d0eca1fc5868e705fd0f7ba

Fixed

47ae64df23ed1318e27bd9844e135a5e1c0e6e39

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

eeaf35f4e3b360162081de5e744cf32d6d1b0091

Fixed

52dc9a7a573dbf778625a0efca0fca55489f084b

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

fd8958efe8779d3db19c9124fce593ce681ac709

Fixed

a2fef1d81becf4ff60e1a249477464eae3c3bc2a

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

fd8958efe8779d3db19c9124fce593ce681ac709

Fixed

9034a1bec35e9f725315a3bb6002ef39666114d9

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

fd8958efe8779d3db19c9124fce593ce681ac709

Fixed

e6f57c6881916df39db7d95981a8ad2b9c3458d6

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0ef9594936d1f078e8599a1cf683b052df2bec00

Affected versions

v4.*

v4.19.291

v4.19.292

v4.19.293

v4.19.294

v4.19.295

v4.19.296

v4.19.297

v4.19.298

v4.19.299

v4.19.300

v4.19.301

v4.19.302

v4.19.303

v4.19.304

v4.19.305

v4.19.306

v4.19.307

v5.*

v5.10.1

v5.10.10

v5.10.11

v5.10.12

v5.10.13

v5.10.14

v5.10.15

v5.10.16

v5.10.17

v5.10.18

v5.10.188

v5.10.189

v5.10.19

v5.10.190

v5.10.191

v5.10.192

v5.10.193

v5.10.194

v5.10.195

v5.10.196

v5.10.197

v5.10.198

v5.10.199

v5.10.2

v5.10.200

v5.10.201

v5.10.202

v5.10.203

v5.10.204

v5.10.205

v5.10.206

v5.10.207

v5.10.208

v5.10.209

v5.10.210

v5.10.3

v5.10.4

v5.10.5

v5.10.6

v5.10.7

v5.10.8

v5.10.9

v5.11.1

v5.11.10

v5.11.11

v5.11.12

v5.11.13

v5.11.14

v5.11.15

v5.11.16

v5.11.17

v5.11.18

v5.11.19

v5.11.2

v5.11.20

v5.11.21

v5.11.3

v5.11.4

v5.11.5

v5.11.6

v5.11.7

v5.11.8

v5.11.9

v5.12.1

v5.12.10

v5.12.11

v5.12.12

v5.12.13

v5.12.14

v5.12.15

v5.12.16

v5.12.17

v5.12.18

v5.12.19

v5.12.2

v5.12.3

v5.12.4

v5.12.5

v5.12.6

v5.12.7

v5.12.8

v5.12.9

v5.13.1

v5.13.10

v5.13.11

v5.13.12

v5.13.13

v5.13.14

v5.13.15

v5.13.16

v5.13.17

v5.13.18

v5.13.2

v5.13.3

v5.13.4

v5.13.5

v5.13.6

v5.13.7

v5.13.8

v5.13.9

v5.14.1

v5.14.10

v5.14.11

v5.14.12

v5.14.13

v5.14.14

v5.14.15

v5.14.16

v5.14.17

v5.14.18

v5.14.19

v5.14.2

v5.14.20

v5.14.3

v5.14.4

v5.14.5

v5.14.6

v5.14.7

v5.14.8

v5.14.9

v5.15.1

v5.15.10

v5.15.100

v5.15.101

v5.15.102

v5.15.103

v5.15.104

v5.15.105

v5.15.106

v5.15.107

v5.15.108

v5.15.109

v5.15.11

v5.15.110

v5.15.111

v5.15.112

v5.15.113

v5.15.114

v5.15.115

v5.15.116

v5.15.117

v5.15.118

v5.15.119

v5.15.12

v5.15.120

v5.15.121

v5.15.122

v5.15.123

v5.15.124

v5.15.125

v5.15.126

v5.15.127

v5.15.128

v5.15.129

v5.15.13

v5.15.130

v5.15.131

v5.15.132

v5.15.133

v5.15.134

v5.15.135

v5.15.136

v5.15.137

v5.15.138

v5.15.139

v5.15.14

v5.15.140

v5.15.141

v5.15.142

v5.15.143

v5.15.144

v5.15.145

v5.15.146

v5.15.147

v5.15.148

v5.15.149

v5.15.15

v5.15.16

v5.15.17

v5.15.18

v5.15.19

v5.15.2

v5.15.3

v5.15.4

v5.15.5

v5.15.6

v5.15.7

v5.15.8

v5.15.9

v5.15.99

v5.16.1

v5.16.10

v5.16.11

v5.16.12

v5.16.13

v5.16.14

v5.16.15

v5.16.16

v5.16.17

v5.16.18

v5.16.19

v5.16.2

v5.16.20

v5.16.3

v5.16.4

v5.16.5

v5.16.6

v5.16.7

v5.16.8

v5.16.9

v5.17.1

v5.17.10

v5.17.11

v5.17.12

v5.17.13

v5.17.14

v5.17.2

v5.17.3

v5.17.4

v5.17.5

v5.17.6

v5.17.7

v5.17.8

v5.17.9

v5.18.1

v5.18.10

v5.18.11

v5.18.12

v5.18.13

v5.18.14

v5.18.15

v5.18.16

v5.18.17

v5.18.18

v5.18.19

v5.18.2

v5.18.3

v5.18.4

v5.18.5

v5.18.6

v5.18.7

v5.18.8

v5.18.9

v5.19.1

v5.19.10

v5.19.11

v5.19.12

v5.19.13

v5.19.14

v5.19.15

v5.19.16

v5.19.2

v5.19.3

v5.19.4

v5.19.5

v5.19.6

v5.19.7

v5.19.8

v5.19.9

v5.4.251

v5.4.252

v5.4.253

v5.4.254

v5.4.255

v5.4.256

v5.4.257

v5.4.258

v5.4.259

v5.4.260

v5.4.261

v5.4.262

v5.4.263

v5.4.264

v5.4.265

v5.4.266

v5.4.267

v5.4.268

v5.4.269

v5.6.1

v5.6.10

v5.6.11

v5.6.12

v5.6.13

v5.6.14

v5.6.15

v5.6.16

v5.6.17

v5.6.18

v5.6.2

v5.6.3

v5.6.4

v5.6.5

v5.6.6

v5.6.7

v5.6.8

v5.6.9

v5.7.1

v5.7.10

v5.7.11

v5.7.12

v5.7.13

v5.7.14

v5.7.15

v5.7.16

v5.7.2

v5.7.3

v5.7.4

v5.7.5

v5.7.6

v5.7.7

v5.7.8

v5.7.9

v5.8.1

v5.8.10

v5.8.11

v5.8.12

v5.8.13

v5.8.14

v5.8.15

v5.8.16

v5.8.17

v5.8.18

v5.8.2

v5.8.3

v5.8.4

v5.8.5

v5.8.6

v5.8.7

v5.8.8

v5.8.9

v5.9.1

v5.9.10

v5.9.11

v5.9.12

v5.9.13

v5.9.14

v5.9.15

v5.9.16

v5.9.2

v5.9.3

v5.9.4

v5.9.5

v5.9.6

v5.9.7

v5.9.8

v5.9.9

v6.*

v6.0.1

v6.0.10

v6.0.11

v6.0.12

v6.0.13

v6.0.14

v6.0.15

v6.0.16

v6.0.17

v6.0.18

v6.0.2

v6.0.3

v6.0.4

v6.0.5

v6.0.6

v6.0.7

v6.0.8

v6.0.9

v6.1.1

v6.1.10

v6.1.11

v6.1.12

v6.1.13

v6.1.14

v6.1.15

v6.1.16

v6.1.17

v6.1.18

v6.1.19

v6.1.2

v6.1.20

v6.1.21

v6.1.22

v6.1.23

v6.1.24

v6.1.25

v6.1.26

v6.1.27

v6.1.28

v6.1.29

v6.1.3

v6.1.30

v6.1.31

v6.1.32

v6.1.33

v6.1.34

v6.1.35

v6.1.36

v6.1.37

v6.1.38

v6.1.39

v6.1.4

v6.1.40

v6.1.41

v6.1.42

v6.1.43

v6.1.44

v6.1.45

v6.1.46

v6.1.47

v6.1.48

v6.1.49

v6.1.5

v6.1.50

v6.1.51

v6.1.52

v6.1.53

v6.1.54

v6.1.55

v6.1.56

v6.1.57

v6.1.58

v6.1.59

v6.1.6

v6.1.60

v6.1.61

v6.1.62

v6.1.63

v6.1.64

v6.1.65

v6.1.66

v6.1.67

v6.1.68

v6.1.69

v6.1.7

v6.1.70

v6.1.71

v6.1.72

v6.1.73

v6.1.74

v6.1.75

v6.1.76

v6.1.77

v6.1.78

v6.1.79

v6.1.8

v6.1.9

v6.10

v6.10-rc1

v6.10-rc2

v6.10-rc3

v6.10-rc4

v6.10-rc5

v6.10-rc6

v6.10-rc7

v6.10.1

v6.10.10

v6.10.11

v6.10.12

v6.10.13

v6.10.2

v6.10.3

v6.10.4

v6.10.5

v6.10.6

v6.10.7

v6.10.8

v6.10.9

v6.11

v6.11-rc1

v6.11-rc2

v6.11-rc3

v6.11-rc4

v6.11-rc5

v6.11-rc6

v6.11-rc7

v6.11.1

v6.11.10

v6.11.11

v6.11.2

v6.11.3

v6.11.4

v6.11.5

v6.11.6

v6.11.7

v6.11.8

v6.11.9

v6.12

v6.12-rc1

v6.12-rc2

v6.12-rc3

v6.12-rc4

v6.12-rc5

v6.12-rc6

v6.12-rc7

v6.12.1

v6.12.10

v6.12.11

v6.12.12

v6.12.13

v6.12.14

v6.12.2

v6.12.3

v6.12.4

v6.12.5

v6.12.6

v6.12.7

v6.12.8

v6.12.9

v6.13

v6.13-rc1

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.13.1

v6.13.10

v6.13.11

v6.13.12

v6.13.2

v6.13.3

v6.13.4

v6.13.5

v6.13.6

v6.13.7

v6.13.8

v6.13.9

v6.14

v6.14-rc1

v6.14-rc2

v6.14-rc3

v6.14-rc4

v6.14-rc5

v6.14-rc6

v6.14-rc7

v6.14.1

v6.14.10

v6.14.11

v6.14.2

v6.14.3

v6.14.4

v6.14.5

v6.14.6

v6.14.7

v6.14.8

v6.14.9

v6.15

v6.15-rc1

v6.15-rc2

v6.15-rc3

v6.15-rc4

v6.15-rc5

v6.15-rc6

v6.15-rc7

v6.15.1

v6.15.10

v6.15.11

v6.15.2

v6.15.3

v6.15.4

v6.15.5

v6.15.6

v6.15.7

v6.15.8

v6.15.9

v6.16

v6.16-rc1

v6.16-rc2

v6.16-rc3

v6.16-rc4

v6.16-rc5

v6.16-rc6

v6.16-rc7

v6.16.1

v6.16.10

v6.16.11

v6.16.2

v6.16.3

v6.16.4

v6.16.5

v6.16.6

v6.16.7

v6.16.8

v6.16.9

v6.2

v6.2-rc4

v6.2-rc5

v6.2-rc6

v6.2-rc7

v6.2-rc8

v6.2.10

v6.2.11

v6.2.12

v6.2.13

v6.2.14

v6.2.15

v6.2.16

v6.2.3

v6.2.4

v6.2.5

v6.2.6

v6.2.7

v6.2.8

v6.2.9

v6.3

v6.3-rc1

v6.3-rc2

v6.3-rc3

v6.3-rc4

v6.3-rc5

v6.3-rc6

v6.3-rc7

v6.3.1

v6.3.10

v6.3.11

v6.3.12

v6.3.2

v6.3.3

v6.3.4

v6.3.5

v6.3.6

v6.3.7

v6.3.8

v6.3.9

v6.4

v6.4-rc1

v6.4-rc2

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.4.1

v6.4.10

v6.4.11

v6.4.12

v6.4.13

v6.4.14

v6.4.15

v6.4.16

v6.4.2

v6.4.3

v6.4.4

v6.4.5

v6.4.6

v6.4.7

v6.4.8

v6.4.9

v6.5

v6.5-rc1

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.5.1

v6.5.10

v6.5.11

v6.5.12

v6.5.13

v6.5.2

v6.5.3

v6.5.4

v6.5.5

v6.5.6

v6.5.7

v6.5.8

v6.5.9

v6.6

v6.6-rc1

v6.6-rc2

v6.6-rc3

v6.6-rc4

v6.6-rc5

v6.6-rc6

v6.6-rc7

v6.6.1

v6.6.10

v6.6.11

v6.6.12

v6.6.13

v6.6.14

v6.6.15

v6.6.16

v6.6.17

v6.6.18

v6.6.2

v6.6.3

v6.6.4

v6.6.5

v6.6.6

v6.6.7

v6.6.8

v6.6.9

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.7.1

v6.7.10

v6.7.11

v6.7.2

v6.7.3

v6.7.4

v6.7.5

v6.7.6

v6.7.7

v6.7.8

v6.7.9

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.8.1

v6.8.10

v6.8.11

v6.8.2

v6.8.3

v6.8.4

v6.8.5

v6.8.6

v6.8.7

v6.8.8

v6.8.9

v6.9

v6.9-rc1

v6.9-rc2

v6.9-rc3

v6.9-rc4

v6.9-rc5

v6.9-rc6

v6.9-rc7

v6.9.1

v6.9.10

v6.9.11

v6.9.12

v6.9.2

v6.9.3

v6.9.4

v6.9.5

v6.9.6

v6.9.7

v6.9.8

v6.9.9

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.19.308

Type: ECOSYSTEM
Events: Introduced

4.20.0

Fixed

5.4.270

Type: ECOSYSTEM
Events: Introduced

5.5.0

Fixed

5.10.211

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.150

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.1.80

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.19

Type: ECOSYSTEM
Events: Introduced

6.3.0

Fixed

6.7.7