Description

In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests hfi1 user SDMA request processing has two bugs that can cause data corruption for user SDMA requests that have multiple payload iovecs where an iovec other than the tail iovec does not run up to the page boundary for the buffer pointed to by that iovec.a Here are the specific bugs: 1. user_sdma_txadd() does not use struct user_sdma_iovec->iov.iov_len. Rather, user_sdma_txadd() will add up to PAGE_SIZE bytes from iovec to the packet, even if some of those bytes are past iovec->iov.iov_len and are thus not intended to be in the packet. 2. user_sdma_txadd() and user_sdma_send_pkts() fail to advance to the next iovec in user_sdma_request->iovs when the current iovec is not PAGE_SIZE and does not contain enough data to complete the packet. The transmitted packet will contain the wrong data from the iovec pages. This has not been an issue with SDMA packets from hfi1 Verbs or PSM2 because they only produce iovecs that end short of PAGE_SIZE as the tail iovec of an SDMA request. Fixing these bugs exposes other bugs with the SDMA pin cache (struct mmu_rb_handler) that get in way of supporting user SDMA requests with multiple payload iovecs whose buffers do not end at PAGE_SIZE. So this commit fixes those issues as well. Here are the mmu_rb_handler bugs that non-PAGE_SIZE-end multi-iovec payload user SDMA requests can hit: 1. Overlapping memory ranges in mmu_rb_handler will result in duplicate pinnings. 2. When extending an existing mmu_rb_handler entry (struct mmu_rb_node), the mmu_rb code (1) removes the existing entry under a lock, (2) releases that lock, pins the new pages, (3) then reacquires the lock to insert the extended mmu_rb_node. If someone else comes in and inserts an overlapping entry between (2) and (3), insert in (3) will fail. The failure path code in this case unpins _all_ pages in either the original mmu_rb_node or the new mmu_rb_node that was inserted between (2) and (3). 3. In hfi1_mmu_rb_remove_unless_exact(), mmu_rb_node->refcount is incremented outside of mmu_rb_handler->lock. As a result, mmu_rb_node could be evicted by another thread that gets mmu_rb_handler->lock and checks mmu_rb_node->refcount before mmu_rb_node->refcount is incremented. 4. Related to #2 above, SDMA request submission failure path does not check mmu_rb_node->refcount before freeing mmu_rb_node object. If there are other SDMA requests in progress whose iovecs have pointers to the now-freed mmu_rb_node(s), those pointers to the now-freed mmu_rb nodes will be dereferenced when those SDMA requests complete.

Metrics

 

CVSS Version 4.0 CVSS Version 3.x CVSS Version 2.0

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score:  7.8 HIGH

Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0 Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://git.kernel.org/stable/c/00cbce5cbf88459cd1aa1d60d0f1df15477df127	Patch
https://git.kernel.org/stable/c/7e6010f79b58f45b204cf18aa58f4b73c3f30adc	Patch
https://git.kernel.org/stable/c/9c4c6512d7330b743c4ffd18bd999a86ca26db0d	Patch
https://git.kernel.org/stable/c/a2bd706ab63509793b5cd5065e685b7ef5cba678	Patch
https://git.kernel.org/stable/c/c76cb8f4bdf26d04cfa5485a93ce297dba5e6a80	Patch
https://git.kernel.org/stable/c/dce59b5443700fbd0d2433ec6e4d4cf063448844	Patch

Weakness Enumeration

CWE-ID	CWE Name	Source
NVD-CWE-noinfo	Insufficient Information	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

4 change records found show changes

CVE Modified by kernel.org 5/28/2024 4:16:29 PM

Action	Type	Old Value	New Value

CVE Modified by kernel.org 5/14/2024 10:22:26 AM

Action	Type	Old Value	New Value

Initial Analysis by NIST 4/17/2024 1:15:54 PM

Action	Type	Old Value	New Value
Added	CPE Configuration		Record truncated, showing 500 of 547 characters. View Entire Change Record OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.3.0 up to (excluding) 5.10.180 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11.0 up to (excluding) 5.15.111 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16.0 up to (excluding) 6.1.28 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2.0 up to (excluding) 6.2.15 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions
Added	CVSS V3.1		NIST AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Added	CWE		NIST NVD-CWE-noinfo
Changed	Reference Type	https://git.kernel.org/stable/c/00cbce5cbf88459cd1aa1d60d0f1df15477df127 No Types Assigned	https://git.kernel.org/stable/c/00cbce5cbf88459cd1aa1d60d0f1df15477df127 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/7e6010f79b58f45b204cf18aa58f4b73c3f30adc No Types Assigned	https://git.kernel.org/stable/c/7e6010f79b58f45b204cf18aa58f4b73c3f30adc Patch
Changed	Reference Type	https://git.kernel.org/stable/c/9c4c6512d7330b743c4ffd18bd999a86ca26db0d No Types Assigned	https://git.kernel.org/stable/c/9c4c6512d7330b743c4ffd18bd999a86ca26db0d Patch
Changed	Reference Type	https://git.kernel.org/stable/c/a2bd706ab63509793b5cd5065e685b7ef5cba678 No Types Assigned	https://git.kernel.org/stable/c/a2bd706ab63509793b5cd5065e685b7ef5cba678 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/c76cb8f4bdf26d04cfa5485a93ce297dba5e6a80 No Types Assigned	https://git.kernel.org/stable/c/c76cb8f4bdf26d04cfa5485a93ce297dba5e6a80 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/dce59b5443700fbd0d2433ec6e4d4cf063448844 No Types Assigned	https://git.kernel.org/stable/c/dce59b5443700fbd0d2433ec6e4d4cf063448844 Patch

New CVE Received by NIST 2/26/2024 1:15:07 PM

Action	Type	Old Value	New Value
Added	Description		Record truncated, showing 500 of 2757 characters. View Entire Change Record In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests hfi1 user SDMA request processing has two bugs that can cause data corruption for user SDMA requests that have multiple payload iovecs where an iovec other than the tail iovec does not run up to the page boundary for the buffer pointed to by that iovec.a Here are the specific bugs: 1. user_sdma_txadd() does not use struct user_sdma_iovec->iov.iov_len.
Added	Reference		Linux https://git.kernel.org/stable/c/00cbce5cbf88459cd1aa1d60d0f1df15477df127 [No types assigned]
Added	Reference		Linux https://git.kernel.org/stable/c/7e6010f79b58f45b204cf18aa58f4b73c3f30adc [No types assigned]
Added	Reference		Linux https://git.kernel.org/stable/c/9c4c6512d7330b743c4ffd18bd999a86ca26db0d [No types assigned]
Added	Reference		Linux https://git.kernel.org/stable/c/a2bd706ab63509793b5cd5065e685b7ef5cba678 [No types assigned]
Added	Reference		Linux https://git.kernel.org/stable/c/c76cb8f4bdf26d04cfa5485a93ce297dba5e6a80 [No types assigned]
Added	Reference		Linux https://git.kernel.org/stable/c/dce59b5443700fbd0d2433ec6e4d4cf063448844 [No types assigned]