CVE-2023-52474

{"id": "CVE-2023-52474", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-02-26T18:15:07.237", "references": [{"url": "https://git.kernel.org/stable/c/00cbce5cbf88459cd1aa1d60d0f1df15477df127", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7e6010f79b58f45b204cf18aa58f4b73c3f30adc", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9c4c6512d7330b743c4ffd18bd999a86ca26db0d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a2bd706ab63509793b5cd5065e685b7ef5cba678", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c76cb8f4bdf26d04cfa5485a93ce297dba5e6a80", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dce59b5443700fbd0d2433ec6e4d4cf063448844", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests\n\nhfi1 user SDMA request processing has two bugs that can cause data\ncorruption for user SDMA requests that have multiple payload iovecs\nwhere an iovec other than the tail iovec does not run up to the page\nboundary for the buffer pointed to by that iovec.a\n\nHere are the specific bugs:\n1. user_sdma_txadd() does not use struct user_sdma_iovec->iov.iov_len.\n Rather, user_sdma_txadd() will add up to PAGE_SIZE bytes from iovec\n to the packet, even if some of those bytes are past\n iovec->iov.iov_len and are thus not intended to be in the packet.\n2. user_sdma_txadd() and user_sdma_send_pkts() fail to advance to the\n next iovec in user_sdma_request->iovs when the current iovec\n is not PAGE_SIZE and does not contain enough data to complete the\n packet. The transmitted packet will contain the wrong data from the\n iovec pages.\n\nThis has not been an issue with SDMA packets from hfi1 Verbs or PSM2\nbecause they only produce iovecs that end short of PAGE_SIZE as the tail\niovec of an SDMA request.\n\nFixing these bugs exposes other bugs with the SDMA pin cache\n(struct mmu_rb_handler) that get in way of supporting user SDMA requests\nwith multiple payload iovecs whose buffers do not end at PAGE_SIZE. So\nthis commit fixes those issues as well.\n\nHere are the mmu_rb_handler bugs that non-PAGE_SIZE-end multi-iovec\npayload user SDMA requests can hit:\n1. Overlapping memory ranges in mmu_rb_handler will result in duplicate\n pinnings.\n2. When extending an existing mmu_rb_handler entry (struct mmu_rb_node),\n the mmu_rb code (1) removes the existing entry under a lock, (2)\n releases that lock, pins the new pages, (3) then reacquires the lock\n to insert the extended mmu_rb_node.\n\n If someone else comes in and inserts an overlapping entry between (2)\n and (3), insert in (3) will fail.\n\n The failure path code in this case unpins _all_ pages in either the\n original mmu_rb_node or the new mmu_rb_node that was inserted between\n (2) and (3).\n3. In hfi1_mmu_rb_remove_unless_exact(), mmu_rb_node->refcount is\n incremented outside of mmu_rb_handler->lock. As a result, mmu_rb_node\n could be evicted by another thread that gets mmu_rb_handler->lock and\n checks mmu_rb_node->refcount before mmu_rb_node->refcount is\n incremented.\n4. Related to #2 above, SDMA request submission failure path does not\n check mmu_rb_node->refcount before freeing mmu_rb_node object.\n\n If there are other SDMA requests in progress whose iovecs have\n pointers to the now-freed mmu_rb_node(s), those pointers to the\n now-freed mmu_rb nodes will be dereferenced when those SDMA requests\n complete."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: IB/hfi1: Correcci\u00f3n de errores con solicitudes SDMA de usuarios multi-iovec que no pertenecen al extremo PAGE_SIZE. El procesamiento de solicitudes SDMA del usuario hfi1 tiene dos errores que pueden causar da\u00f1os en los datos de las solicitudes SDMA de los usuarios que tienen m\u00faltiples carga \u00fatil de iovecs donde un iovec que no sea el iovec de cola no se ejecuta hasta el l\u00edmite de la p\u00e1gina para el b\u00fafer se\u00f1alado por ese iovec.a Estos son los errores espec\u00edficos: 1. user_sdma_txadd() no usa la estructura user_sdma_iovec->iov.iov_len. M\u00e1s bien, user_sdma_txadd() sumar\u00e1 PAGE_SIZE bytes desde iovec al paquete, incluso si algunos de esos bytes ya pasaron de iovec->iov.iov_len y, por lo tanto, no est\u00e1n destinados a estar en el paquete. 2. user_sdma_txadd() y user_sdma_send_pkts() no logran avanzar al siguiente iovec en user_sdma_request->iovs cuando el iovec actual no es PAGE_SIZE y no contiene suficientes datos para completar el paquete. El paquete transmitido contendr\u00e1 datos incorrectos de las p\u00e1ginas de iovec. Esto no ha sido un problema con los paquetes SDMA de hfi1 Verbs o PSM2 porque solo producen iovecs que terminan antes de PAGE_SIZE como iovec final de una solicitud SDMA. La correcci\u00f3n de estos errores expone otros errores con el cach\u00e9 de pin SDMA (struct mmu_rb_handler) que impiden admitir solicitudes SDMA del usuario con m\u00faltiples iovecs de carga \u00fatil cuyos buffers no terminan en PAGE_SIZE. Entonces este compromiso tambi\u00e9n soluciona esos problemas. Estos son los errores de mmu_rb_handler que pueden afectar las solicitudes SDMA de usuarios de carga \u00fatil multi-iovec que no son de PAGE_SIZE-end: 1. La superposici\u00f3n de rangos de memoria en mmu_rb_handler dar\u00e1 como resultado fijaciones duplicadas. 2. Al extender una entrada mmu_rb_handler existente (struct mmu_rb_node), el c\u00f3digo mmu_rb (1) elimina la entrada existente bajo un candado, (2) libera ese candado, fija las nuevas p\u00e1ginas, (3) luego vuelve a adquirir el candado para insertar la entrada extendida mmu_rb_node. Si alguien m\u00e1s entra e inserta una entrada superpuesta entre (2) y (3), insertar en (3) fallar\u00e1. En este caso, el c\u00f3digo de ruta de error desancla _todas_ las p\u00e1ginas del mmu_rb_node original o del nuevo mmu_rb_node que se insert\u00f3 entre (2) y (3). 3. En hfi1_mmu_rb_remove_unless_exact(), mmu_rb_node->refcount se incrementa fuera de mmu_rb_handler->lock. Como resultado, mmu_rb_node podr\u00eda ser desalojado por otro subproceso que obtenga mmu_rb_handler->lock y verifique mmu_rb_node->refcount antes de que se incremente mmu_rb_node->refcount. 4. En relaci\u00f3n con el punto 2 anterior, la ruta de error de env\u00edo de solicitudes SDMA no verifica mmu_rb_node->refcount antes de liberar el objeto mmu_rb_node. Si hay otras solicitudes de SDMA en curso cuyos iovecs tienen punteros a los nodos mmu_rb_nodos ahora liberados, se eliminar\u00e1 la referencia a esos punteros a los nodos mmu_rb ahora liberados cuando se completen esas solicitudes de SDMA."}], "lastModified": "2024-04-17T17:15:54.283", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B6A4BA4F-9C3D-45AF-84C1-AA030C656EB4", "versionEndExcluding": "5.10.180", "versionStartIncluding": "4.3.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "791D4DFD-38C8-41B4-A5D8-2B2F107DAEBB", "versionEndExcluding": "5.15.111", "versionStartIncluding": "5.11.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "52E0FDD8-1605-4311-A121-CAF81C368DA9", "versionEndExcluding": "6.1.28", "versionStartIncluding": "5.16.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FE001CB2-61D4-4612-B36D-46A160C7EDB2", "versionEndExcluding": "6.2.15", "versionStartIncluding": "6.2.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "483EFFA1-ECB7-45BA-8A29-33777DFA2AB1", "versionEndExcluding": "6.3.2", "versionStartIncluding": "6.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}