cve-2021-47481
Vulnerability from cvelistv5
Published
2024-05-22 08:19
Modified
2024-12-19 07:43
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Initialize the ODP xarray when creating an ODP MR Normally the zero fill would hide the missing initialization, but an errant set to desc_size in reg_create() causes a crash: BUG: unable to handle page fault for address: 0000000800000000 PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI CPU: 5 PID: 890 Comm: ib_write_bw Not tainted 5.15.0-rc4+ #47 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5_ib_dereg_mr+0x14/0x3b0 [mlx5_ib] Code: 48 63 cd 4c 89 f7 48 89 0c 24 e8 37 30 03 e1 48 8b 0c 24 eb a0 90 0f 1f 44 00 00 41 56 41 55 41 54 55 53 48 89 fb 48 83 ec 30 <48> 8b 2f 65 48 8b 04 25 28 00 00 00 48 89 44 24 28 31 c0 8b 87 c8 RSP: 0018:ffff88811afa3a60 EFLAGS: 00010286 RAX: 000000000000001c RBX: 0000000800000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000800000000 RBP: 0000000800000000 R08: 0000000000000000 R09: c0000000fffff7ff R10: ffff88811afa38f8 R11: ffff88811afa38f0 R12: ffffffffa02c7ac0 R13: 0000000000000000 R14: ffff88811afa3cd8 R15: ffff88810772fa00 FS: 00007f47b9080740(0000) GS:ffff88852cd40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000800000000 CR3: 000000010761e003 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: mlx5_ib_free_odp_mr+0x95/0xc0 [mlx5_ib] mlx5_ib_dereg_mr+0x128/0x3b0 [mlx5_ib] ib_dereg_mr_user+0x45/0xb0 [ib_core] ? xas_load+0x8/0x80 destroy_hw_idr_uobject+0x1a/0x50 [ib_uverbs] uverbs_destroy_uobject+0x2f/0x150 [ib_uverbs] uobj_destroy+0x3c/0x70 [ib_uverbs] ib_uverbs_cmd_verbs+0x467/0xb00 [ib_uverbs] ? uverbs_finalize_object+0x60/0x60 [ib_uverbs] ? ttwu_queue_wakelist+0xa9/0xe0 ? pty_write+0x85/0x90 ? file_tty_write.isra.33+0x214/0x330 ? process_echoes+0x60/0x60 ib_uverbs_ioctl+0xa7/0x110 [ib_uverbs] __x64_sys_ioctl+0x10d/0x8e0 ? vfs_write+0x17f/0x260 do_syscall_64+0x3c/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae Add the missing xarray initialization and remove the desc_size set.
Impacted products
Vendor Product Version
Linux Linux Version: 5.13
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47481",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-10T18:54:35.854704Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-10T18:54:46.226Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:39:59.754Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5f6995295f65d1ee6f36d466d26afd98eb797afe"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5508546631a0f555d7088203dec2614e41b5106e"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/mr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5f6995295f65d1ee6f36d466d26afd98eb797afe",
              "status": "affected",
              "version": "a639e66703ee45745dc4057c7c2013ed9e1963a7",
              "versionType": "git"
            },
            {
              "lessThan": "5508546631a0f555d7088203dec2614e41b5106e",
              "status": "affected",
              "version": "a639e66703ee45745dc4057c7c2013ed9e1963a7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/mr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.14.*",
              "status": "unaffected",
              "version": "5.14.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Initialize the ODP xarray when creating an ODP MR\n\nNormally the zero fill would hide the missing initialization, but an\nerrant set to desc_size in reg_create() causes a crash:\n\n  BUG: unable to handle page fault for address: 0000000800000000\n  PGD 0 P4D 0\n  Oops: 0000 [#1] SMP PTI\n  CPU: 5 PID: 890 Comm: ib_write_bw Not tainted 5.15.0-rc4+ #47\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n  RIP: 0010:mlx5_ib_dereg_mr+0x14/0x3b0 [mlx5_ib]\n  Code: 48 63 cd 4c 89 f7 48 89 0c 24 e8 37 30 03 e1 48 8b 0c 24 eb a0 90 0f 1f 44 00 00 41 56 41 55 41 54 55 53 48 89 fb 48 83 ec 30 \u003c48\u003e 8b 2f 65 48 8b 04 25 28 00 00 00 48 89 44 24 28 31 c0 8b 87 c8\n  RSP: 0018:ffff88811afa3a60 EFLAGS: 00010286\n  RAX: 000000000000001c RBX: 0000000800000000 RCX: 0000000000000000\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000800000000\n  RBP: 0000000800000000 R08: 0000000000000000 R09: c0000000fffff7ff\n  R10: ffff88811afa38f8 R11: ffff88811afa38f0 R12: ffffffffa02c7ac0\n  R13: 0000000000000000 R14: ffff88811afa3cd8 R15: ffff88810772fa00\n  FS:  00007f47b9080740(0000) GS:ffff88852cd40000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000800000000 CR3: 000000010761e003 CR4: 0000000000370ea0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   mlx5_ib_free_odp_mr+0x95/0xc0 [mlx5_ib]\n   mlx5_ib_dereg_mr+0x128/0x3b0 [mlx5_ib]\n   ib_dereg_mr_user+0x45/0xb0 [ib_core]\n   ? xas_load+0x8/0x80\n   destroy_hw_idr_uobject+0x1a/0x50 [ib_uverbs]\n   uverbs_destroy_uobject+0x2f/0x150 [ib_uverbs]\n   uobj_destroy+0x3c/0x70 [ib_uverbs]\n   ib_uverbs_cmd_verbs+0x467/0xb00 [ib_uverbs]\n   ? uverbs_finalize_object+0x60/0x60 [ib_uverbs]\n   ? ttwu_queue_wakelist+0xa9/0xe0\n   ? pty_write+0x85/0x90\n   ? file_tty_write.isra.33+0x214/0x330\n   ? process_echoes+0x60/0x60\n   ib_uverbs_ioctl+0xa7/0x110 [ib_uverbs]\n   __x64_sys_ioctl+0x10d/0x8e0\n   ? vfs_write+0x17f/0x260\n   do_syscall_64+0x3c/0x80\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nAdd the missing xarray initialization and remove the desc_size set."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T07:43:14.459Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5f6995295f65d1ee6f36d466d26afd98eb797afe"
        },
        {
          "url": "https://git.kernel.org/stable/c/5508546631a0f555d7088203dec2614e41b5106e"
        }
      ],
      "title": "RDMA/mlx5: Initialize the ODP xarray when creating an ODP MR",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47481",
    "datePublished": "2024-05-22T08:19:33.512Z",
    "dateReserved": "2024-05-22T06:20:56.200Z",
    "dateUpdated": "2024-12-19T07:43:14.459Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47481\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-22T09:15:10.070\",\"lastModified\":\"2024-11-21T06:36:16.683\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/mlx5: Initialize the ODP xarray when creating an ODP MR\\n\\nNormally the zero fill would hide the missing initialization, but an\\nerrant set to desc_size in reg_create() causes a crash:\\n\\n  BUG: unable to handle page fault for address: 0000000800000000\\n  PGD 0 P4D 0\\n  Oops: 0000 [#1] SMP PTI\\n  CPU: 5 PID: 890 Comm: ib_write_bw Not tainted 5.15.0-rc4+ #47\\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\\n  RIP: 0010:mlx5_ib_dereg_mr+0x14/0x3b0 [mlx5_ib]\\n  Code: 48 63 cd 4c 89 f7 48 89 0c 24 e8 37 30 03 e1 48 8b 0c 24 eb a0 90 0f 1f 44 00 00 41 56 41 55 41 54 55 53 48 89 fb 48 83 ec 30 \u003c48\u003e 8b 2f 65 48 8b 04 25 28 00 00 00 48 89 44 24 28 31 c0 8b 87 c8\\n  RSP: 0018:ffff88811afa3a60 EFLAGS: 00010286\\n  RAX: 000000000000001c RBX: 0000000800000000 RCX: 0000000000000000\\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000800000000\\n  RBP: 0000000800000000 R08: 0000000000000000 R09: c0000000fffff7ff\\n  R10: ffff88811afa38f8 R11: ffff88811afa38f0 R12: ffffffffa02c7ac0\\n  R13: 0000000000000000 R14: ffff88811afa3cd8 R15: ffff88810772fa00\\n  FS:  00007f47b9080740(0000) GS:ffff88852cd40000(0000) knlGS:0000000000000000\\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n  CR2: 0000000800000000 CR3: 000000010761e003 CR4: 0000000000370ea0\\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n  Call Trace:\\n   mlx5_ib_free_odp_mr+0x95/0xc0 [mlx5_ib]\\n   mlx5_ib_dereg_mr+0x128/0x3b0 [mlx5_ib]\\n   ib_dereg_mr_user+0x45/0xb0 [ib_core]\\n   ? xas_load+0x8/0x80\\n   destroy_hw_idr_uobject+0x1a/0x50 [ib_uverbs]\\n   uverbs_destroy_uobject+0x2f/0x150 [ib_uverbs]\\n   uobj_destroy+0x3c/0x70 [ib_uverbs]\\n   ib_uverbs_cmd_verbs+0x467/0xb00 [ib_uverbs]\\n   ? uverbs_finalize_object+0x60/0x60 [ib_uverbs]\\n   ? ttwu_queue_wakelist+0xa9/0xe0\\n   ? pty_write+0x85/0x90\\n   ? file_tty_write.isra.33+0x214/0x330\\n   ? process_echoes+0x60/0x60\\n   ib_uverbs_ioctl+0xa7/0x110 [ib_uverbs]\\n   __x64_sys_ioctl+0x10d/0x8e0\\n   ? vfs_write+0x17f/0x260\\n   do_syscall_64+0x3c/0x80\\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\\n\\nAdd the missing xarray initialization and remove the desc_size set.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: RDMA/mlx5: inicialice el xarray ODP al crear un ODP MR. Normalmente, el relleno con ceros ocultar\u00eda la inicializaci\u00f3n faltante, pero un conjunto err\u00f3neo en desc_size en reg_create() provoca un bloqueo: ERROR : no se puede manejar el error de p\u00e1gina para la direcci\u00f3n: 0000000800000000 PGD 0 P4D 0 Ups: 0000 [#1] SMP PTI CPU: 5 PID: 890 Comm: ib_write_bw Not tainted 5.15.0-rc4+ #47 Nombre de hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS REL-1.13.0-0-GF21B5A4AB02-PreBuilt e8 37 30 03 e1 48 8b 0c 24 eb a0 90 0f 1f 44 00 00 41 56 41 55 41 54 55 53 48 89 fb 48 83 ec 30 \u0026lt;48\u0026gt; 8b 2f 65 48 8b 04 25 28 00 0 00 48 89 44 24 28 31 c0 8b 87 c8 RSP: 0018:ffff88811afa3a60 EFLAGS: 00010286 RAX: 000000000000001c RBX: 0000000800000000 RCX: 0000000000000000 RDX: 00000000000 RSI: 0000000000000000 RDI: 0000000800000000 RBP: 0000000800000000 R08: 0000000000000000 R09: c0000000fffff7ff R10: 8f8 R11: ffff88811afa38f0 R12: fffffffa02c7ac0 R13: 00000000000000000000 R14: FFFF88811AFA3CD8 R15: FFFFF888810772200 FS: 00007F47B9080740 (0000) GS: FFFF88852CD40000 (0000) Knlgs: 00000000000000 C. : 0000000080050033 CR2: 0000000800000000 CR3: 000000010761E003 CR4: 0000000000370EA0 DR0: 000000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Seguimiento de llamadas: mlx5_ib_free_odp_mr+0x95/0xc0 5_ib] mlx5_ib_dereg_mr+0x128/0x3b0 [mlx5_ib] ib_dereg_mr_user+0x45/0xb0 [ib_core] ? xas_load+0x8/0x80 destroy_hw_idr_uobject+0x1a/0x50 [ib_uverbs] uverbs_destroy_uobject+0x2f/0x150 [ib_uverbs] uobj_destroy+0x3c/0x70 [ib_uverbs] ib_uverbs_cmd_verbs+0x467/0xb00 [ib_uver bs] ? uverbs_finalize_object+0x60/0x60 [ib_uverbs]? ttwu_queue_wakelist+0xa9/0xe0 ? pty_write+0x85/0x90? file_tty_write.isra.33+0x214/0x330 ? Process_echoes+0x60/0x60 ib_uverbs_ioctl+0xa7/0x110 [ib_uverbs] __x64_sys_ioctl+0x10d/0x8e0? vfs_write+0x17f/0x260 do_syscall_64+0x3c/0x80 Entry_SYSCALL_64_after_hwframe+0x44/0xae Agregue la inicializaci\u00f3n de xarray que falta y elimine el conjunto desc_size.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/5508546631a0f555d7088203dec2614e41b5106e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5f6995295f65d1ee6f36d466d26afd98eb797afe\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5508546631a0f555d7088203dec2614e41b5106e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/5f6995295f65d1ee6f36d466d26afd98eb797afe\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.