CVE-2024-50147
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-50147
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-50147.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-50147
- Related
- Published
- 2024-11-07T10:15:06Z
- Modified
- 2024-11-18T22:46:25.148604Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix command bitmask initialization
Command bitmask have a dedicated bit for MANAGEPAGES command, this bit isn't Initialize during command bitmask Initialization, only during MANAGEPAGES.
In addition, mlx5cmdtriggercompletions() is trying to trigger completion for MANAGEPAGES command as well.
Hence, in case health error occurred before any MANAGEPAGES command have been invoke (for example, during mlx5enablehca()), mlx5cmdtriggercompletions() will try to trigger completion for MANAGE_PAGES command, which will result in null-ptr-deref error.[1]
Fix it by Initialize command bitmask correctly.
While at it, re-write the code for better understanding.
[1] BUG: KASAN: null-ptr-deref in mlx5cmdtriggercompletions+0x1db/0x600 [mlx5core] Write of size 4 at addr 0000000000000214 by task kworker/u96:2/12078 CPU: 10 PID: 12078 Comm: kworker/u96:2 Not tainted 6.9.0-rc2forupstreamdebug202404071901 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: mlx5health0000:08:00.0 mlx5fwfatalreportererrwork [mlx5core] Call Trace: <TASK> dumpstacklvl+0x7e/0xc0 kasanreport+0xb9/0xf0 kasancheckrange+0xec/0x190 mlx5cmdtriggercompletions+0x1db/0x600 [mlx5core] mlx5cmdflush+0x94/0x240 [mlx5core] entererrorstate+0x6c/0xd0 [mlx5core] mlx5fwfatalreportererrwork+0xf3/0x480 [mlx5core] processonework+0x787/0x1490 ? lockdephardirqsonprepare+0x400/0x400 ? pwqdecnrinflight+0xda0/0xda0 ? assignwork+0x168/0x240 workerthread+0x586/0xd30 ? rescuerthread+0xae0/0xae0 kthread+0x2df/0x3b0 ? kthreadcompleteandexit+0x20/0x20 retfromfork+0x2d/0x70 ? kthreadcompleteandexit+0x20/0x20 retfromfork_asm+0x11/0x20 </TASK>
- References
-
- https://git.kernel.org/stable/c/2feac1e562be0efc621a6722644a90f355d53473
- https://git.kernel.org/stable/c/d1606090bb294cecb7de3c4ed177f5aa0abd4c4e
- https://git.kernel.org/stable/c/d62b14045c6511a7b2d4948d1a83a4e592deeb05
- https://git.kernel.org/stable/c/d88564c79d1cedaf2655f12261eca0d2796bde4e
- https://security-tracker.debian.org/tracker/CVE-2024-50147
Affected packages
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.115-1
Affected versions
6.*
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.11.6-1