CVE-2021-47078

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47078
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47078.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47078
Related
Published
2024-03-01T22:15:47Z
Modified
2024-11-01T08:35:01Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Clear all QP fields if creation failed

rxeqpdocleanup() relies on valid pointer values in QP for the properly created ones, but in case rxeqpfrominit() failed it was filled with garbage and caused tot the following error.

refcountt: underflow; use-after-free. WARNING: CPU: 1 PID: 12560 at lib/refcount.c:28 refcountwarnsaturate+0x1d1/0x1e0 lib/refcount.c:28 Modules linked in: CPU: 1 PID: 12560 Comm: syz-executor.4 Not tainted 5.12.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:refcountwarnsaturate+0x1d1/0x1e0 lib/refcount.c:28 Code: e9 db fe ff ff 48 89 df e8 2c c2 ea fd e9 8a fe ff ff e8 72 6a a7 fd 48 c7 c7 e0 b2 c1 89 c6 05 dc 3a e6 09 01 e8 ee 74 fb 04 <0f> 0b e9 af fe ff ff 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 55 RSP: 0018:ffffc900097ceba8 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000040000 RSI: ffffffff815bb075 RDI: fffff520012f9d67 RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815b4eae R11: 0000000000000000 R12: ffff8880322a4800 R13: ffff8880322a4940 R14: ffff888033044e00 R15: 0000000000000000 FS: 00007f6eb2be3700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fdbe5d41000 CR3: 000000001d181000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: refcountsubandtest include/linux/refcount.h:283 [inline] _refcountdecandtest include/linux/refcount.h:315 [inline] refcountdecandtest include/linux/refcount.h:333 [inline] krefput include/linux/kref.h:64 [inline] rxeqpdocleanup+0x96f/0xaf0 drivers/infiniband/sw/rxe/rxeqp.c:805 executeinprocesscontext+0x37/0x150 kernel/workqueue.c:3327 rxeelemrelease+0x9f/0x180 drivers/infiniband/sw/rxe/rxepool.c:391 krefput include/linux/kref.h:65 [inline] rxecreateqp+0x2cd/0x310 drivers/infiniband/sw/rxe/rxeverbs.c:425 ibcreateqp drivers/infiniband/core/corepriv.h:331 [inline] ibcreatenamedqp+0x2ad/0x1370 drivers/infiniband/core/verbs.c:1231 ibcreateqp include/rdma/ibverbs.h:3644 [inline] createmadqp+0x177/0x2d0 drivers/infiniband/core/mad.c:2920 ibmadportopen drivers/infiniband/core/mad.c:3001 [inline] ibmadinitdevice+0xd6f/0x1400 drivers/infiniband/core/mad.c:3092 addclientcontext+0x405/0x5e0 drivers/infiniband/core/device.c:717 enabledeviceandget+0x1cd/0x3b0 drivers/infiniband/core/device.c:1331 ibregisterdevice drivers/infiniband/core/device.c:1413 [inline] ibregisterdevice+0x7c7/0xa50 drivers/infiniband/core/device.c:1365 rxeregisterdevice+0x3d5/0x4a0 drivers/infiniband/sw/rxe/rxeverbs.c:1147 rxeadd+0x12fe/0x16d0 drivers/infiniband/sw/rxe/rxe.c:247 rxenetadd+0x8c/0xe0 drivers/infiniband/sw/rxe/rxenet.c:503 rxenewlink drivers/infiniband/sw/rxe/rxe.c:269 [inline] rxenewlink+0xb7/0xe0 drivers/infiniband/sw/rxe/rxe.c:250 nldevnewlink+0x30e/0x550 drivers/infiniband/core/nldev.c:1555 rdmanlrcvmsg+0x36d/0x690 drivers/infiniband/core/netlink.c:195 rdmanlrcvskb drivers/infiniband/core/netlink.c:239 [inline] rdmanlrcv+0x2ee/0x430 drivers/infiniband/core/netlink.c:259 netlinkunicastkernel net/netlink/afnetlink.c:1312 [inline] netlinkunicast+0x533/0x7d0 net/netlink/afnetlink.c:1338 netlinksendmsg+0x856/0xd90 net/netlink/afnetlink.c:1927 socksendmsgnosec net/socket.c:654 [inline] socksendmsg+0xcf/0x120 net/socket.c:674 _syssendmsg+0x6e8/0x810 net/socket.c:2350 _syssendmsg+0xf3/0x170 net/socket.c:2404 _syssendmsg+0xe5/0x1b0 net/socket.c:2433 dosyscall64+0x3a/0xb0 arch/x86/entry/common.c:47 entrySYSCALL64afterhwframe+0 ---truncated---

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.40-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.40-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.40-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}