cve-2021-47196
Vulnerability from cvelistv5
Published
2024-04-10 18:56
Modified
2024-11-04 12:01
Severity ?
Summary
RDMA/core: Set send and receive CQ before forwarding to the driver
Impacted products
Vendor Product Version
Linux Linux Version: 5.15
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47196",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-10T19:32:29.319944Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:15:04.498Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:32:07.459Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b70e072feffa0ba5c41a99b9524b9878dee7748e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6cd7397d01c4a3e09757840299e4f114f0aa5fa0"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/verbs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b70e072feffa",
              "status": "affected",
              "version": "514aee660df4",
              "versionType": "git"
            },
            {
              "lessThan": "6cd7397d01c4",
              "status": "affected",
              "version": "514aee660df4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/verbs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Set send and receive CQ before forwarding to the driver\n\nPreset both receive and send CQ pointers prior to call to the drivers and\noverwrite it later again till the mlx4 is going to be changed do not\noverwrite ibqp properties.\n\nThis change is needed for mlx5, because in case of QP creation failure, it\nwill go to the path of QP destroy which relies on proper CQ pointers.\n\n BUG: KASAN: use-after-free in create_qp.cold+0x164/0x16e [mlx5_ib]\n Write of size 8 at addr ffff8880064c55c0 by task a.out/246\n\n CPU: 0 PID: 246 Comm: a.out Not tainted 5.15.0+ #291\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Call Trace:\n  dump_stack_lvl+0x45/0x59\n  print_address_description.constprop.0+0x1f/0x140\n  kasan_report.cold+0x83/0xdf\n  create_qp.cold+0x164/0x16e [mlx5_ib]\n  mlx5_ib_create_qp+0x358/0x28a0 [mlx5_ib]\n  create_qp.part.0+0x45b/0x6a0 [ib_core]\n  ib_create_qp_user+0x97/0x150 [ib_core]\n  ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\n  ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\n  ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\n  __x64_sys_ioctl+0x866/0x14d0\n  do_syscall_64+0x3d/0x90\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Allocated by task 246:\n  kasan_save_stack+0x1b/0x40\n  __kasan_kmalloc+0xa4/0xd0\n  create_qp.part.0+0x92/0x6a0 [ib_core]\n  ib_create_qp_user+0x97/0x150 [ib_core]\n  ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\n  ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\n  ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\n  __x64_sys_ioctl+0x866/0x14d0\n  do_syscall_64+0x3d/0x90\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Freed by task 246:\n  kasan_save_stack+0x1b/0x40\n  kasan_set_track+0x1c/0x30\n  kasan_set_free_info+0x20/0x30\n  __kasan_slab_free+0x10c/0x150\n  slab_free_freelist_hook+0xb4/0x1b0\n  kfree+0xe7/0x2a0\n  create_qp.part.0+0x52b/0x6a0 [ib_core]\n  ib_create_qp_user+0x97/0x150 [ib_core]\n  ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\n  ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\n  ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\n  __x64_sys_ioctl+0x866/0x14d0\n  do_syscall_64+0x3d/0x90\n  entry_SYSCALL_64_after_hwframe+0x44/0xae"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T12:01:19.499Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b70e072feffa0ba5c41a99b9524b9878dee7748e"
        },
        {
          "url": "https://git.kernel.org/stable/c/6cd7397d01c4a3e09757840299e4f114f0aa5fa0"
        }
      ],
      "title": "RDMA/core: Set send and receive CQ before forwarding to the driver",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47196",
    "datePublished": "2024-04-10T18:56:32.634Z",
    "dateReserved": "2024-03-25T09:12:14.115Z",
    "dateUpdated": "2024-11-04T12:01:19.499Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47196\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-10T19:15:47.897\",\"lastModified\":\"2024-04-10T19:49:51.183\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/core: Set send and receive CQ before forwarding to the driver\\n\\nPreset both receive and send CQ pointers prior to call to the drivers and\\noverwrite it later again till the mlx4 is going to be changed do not\\noverwrite ibqp properties.\\n\\nThis change is needed for mlx5, because in case of QP creation failure, it\\nwill go to the path of QP destroy which relies on proper CQ pointers.\\n\\n BUG: KASAN: use-after-free in create_qp.cold+0x164/0x16e [mlx5_ib]\\n Write of size 8 at addr ffff8880064c55c0 by task a.out/246\\n\\n CPU: 0 PID: 246 Comm: a.out Not tainted 5.15.0+ #291\\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\\n Call Trace:\\n  dump_stack_lvl+0x45/0x59\\n  print_address_description.constprop.0+0x1f/0x140\\n  kasan_report.cold+0x83/0xdf\\n  create_qp.cold+0x164/0x16e [mlx5_ib]\\n  mlx5_ib_create_qp+0x358/0x28a0 [mlx5_ib]\\n  create_qp.part.0+0x45b/0x6a0 [ib_core]\\n  ib_create_qp_user+0x97/0x150 [ib_core]\\n  ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\\n  ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\\n  ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\\n  __x64_sys_ioctl+0x866/0x14d0\\n  do_syscall_64+0x3d/0x90\\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\\n\\n Allocated by task 246:\\n  kasan_save_stack+0x1b/0x40\\n  __kasan_kmalloc+0xa4/0xd0\\n  create_qp.part.0+0x92/0x6a0 [ib_core]\\n  ib_create_qp_user+0x97/0x150 [ib_core]\\n  ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\\n  ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\\n  ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\\n  __x64_sys_ioctl+0x866/0x14d0\\n  do_syscall_64+0x3d/0x90\\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\\n\\n Freed by task 246:\\n  kasan_save_stack+0x1b/0x40\\n  kasan_set_track+0x1c/0x30\\n  kasan_set_free_info+0x20/0x30\\n  __kasan_slab_free+0x10c/0x150\\n  slab_free_freelist_hook+0xb4/0x1b0\\n  kfree+0xe7/0x2a0\\n  create_qp.part.0+0x52b/0x6a0 [ib_core]\\n  ib_create_qp_user+0x97/0x150 [ib_core]\\n  ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\\n  ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\\n  ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\\n  __x64_sys_ioctl+0x866/0x14d0\\n  do_syscall_64+0x3d/0x90\\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/6cd7397d01c4a3e09757840299e4f114f0aa5fa0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b70e072feffa0ba5c41a99b9524b9878dee7748e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.