CVE-2024-26766

Unfortunately the commit fd8958efe877 introduced another error causing the descs array to overflow. This reults in further crashes easily reproducible by sendmsg system call.

[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI

[ 1080.869326] RIP: 0010:hfi1ipoibbuildibtx_headers.constprop.0+0xe1/0x2b0 [hfi1]

[ 1080.974535] Call Trace: [ 1080.976990] <TASK> [ 1081.021929] hfi1ipoibsenddmacommon+0x7a/0x2e0 [hfi1] [ 1081.027364] hfi1ipoibsenddmalist+0x62/0x270 [hfi1] [ 1081.032633] hfi1ipoibsend+0x112/0x300 [hfi1] [ 1081.042001] ipoibstartxmit+0x2a9/0x2d0 [ib_ipoib]

[ 1081.046978] devhardstart_xmit+0xc4/0x210

[ 1081.148347] _syssendmsg+0x59/0xa0

crash> ipoibtxreq 0xffff9cfeba229f00 struct ipoibtxreq { txreq = { list = { next = 0xffff9cfeba229f00, prev = 0xffff9cfeba229f00 }, descp = 0xffff9cfeba229f40, coalescebuf = 0x0, wait = 0xffff9cfea4e69a48, complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>, packetlen = 0x46d, tlen = 0x0, numdesc = 0x0, desclimit = 0x6, nextdescqidx = 0x45c, coalesceidx = 0x0, flags = 0x0, descs = {{ qw = {0x8024000120dffb00, 0x4} # SDMADESC0FIRSTDESCFLAG (bit 63) }, { qw = { 0x3800014231b108, 0x4} }, { qw = { 0x310000e4ee0fcf0, 0x8} }, { qw = { 0x3000012e9f8000, 0x8} }, { qw = { 0x59000dfb9d0000, 0x8} }, { qw = { 0x78000e02e40000, 0x8} }} }, sdmahdr = 0x400300015528b000, <<< invalid pointer in the tx request structure sdmastatus = 0x0, SDMADESC0LASTDESC_FLAG (bit 62) complete = 0x0, priv = 0x0, txq = 0xffff9cfea4e69880, skb = 0xffff9d099809f400 }

If an SDMA send consists of exactly 6 descriptors and requires dword padding (in the 7th descriptor), the sdmatxreq descriptor array is not properly expanded and the packet will overflow into the container structure. This results in a panic when the send completion runs. The exact panic varies depending on what elements of the container structure get corrupted. The fix is to use the correct expression in padsdmatx_descs() to test the need to expand the descriptor array.

With this patch the crashes are no longer reproducible and the machine is stable.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26766.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

d1c1ee052d25ca23735eea912f843bc7834781b4

Fixed

115b7f3bc1dce590a6851a2dcf23dc1100c49790

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

40ac5cb6cbb01afa40881f78b4d2f559fb7065c4

Fixed

5833024a9856f454a964a198c63a57e59e07baf5

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

6cf8f3d690bb5ad31ef0f41a6206ecf5a068d179

Fixed

3f38d22e645e2e994979426ea5a35186102ff3c2

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

bd57756a7e43c7127d0eca1fc5868e705fd0f7ba

Fixed

47ae64df23ed1318e27bd9844e135a5e1c0e6e39

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

eeaf35f4e3b360162081de5e744cf32d6d1b0091

Fixed

52dc9a7a573dbf778625a0efca0fca55489f084b

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

fd8958efe8779d3db19c9124fce593ce681ac709

Fixed

a2fef1d81becf4ff60e1a249477464eae3c3bc2a

Fixed

9034a1bec35e9f725315a3bb6002ef39666114d9

Fixed

e6f57c6881916df39db7d95981a8ad2b9c3458d6

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

0ef9594936d1f078e8599a1cf683b052df2bec00

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26766.json"