cve-2021-47562
Vulnerability from cvelistv5
Published
2024-05-24 15:12
Modified
2024-08-04 05:39
Severity
Summary
ice: fix vsi->txq_map sizing
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47562",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-24T17:03:56.784042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:14:36.415Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:39:59.826Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1eb5395add786613c7c5579d3947aa0b8f0ec241"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/992ba40a67638dfe2772b84dfc8168dc328d5c4c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/792b2086584f25d84081a526beee80d103c2a913"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1eb5395add78",
"status": "affected",
"version": "efc2214b6047",
"versionType": "git"
},
{
"lessThan": "992ba40a6763",
"status": "affected",
"version": "efc2214b6047",
"versionType": "git"
},
{
"lessThan": "792b2086584f",
"status": "affected",
"version": "efc2214b6047",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.83",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.6",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix vsi-\u003etxq_map sizing\n\nThe approach of having XDP queue per CPU regardless of user\u0027s setting\nexposed a hidden bug that could occur in case when Rx queue count differ\nfrom Tx queue count. Currently vsi-\u003etxq_map\u0027s size is equal to the\ndoubled vsi-\u003ealloc_txq, which is not correct due to the fact that XDP\nrings were previously based on the Rx queue count. Below splat can be\nseen when ethtool -L is used and XDP rings are configured:\n\n[ 682.875339] BUG: kernel NULL pointer dereference, address: 000000000000000f\n[ 682.883403] #PF: supervisor read access in kernel mode\n[ 682.889345] #PF: error_code(0x0000) - not-present page\n[ 682.895289] PGD 0 P4D 0\n[ 682.898218] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 682.903055] CPU: 42 PID: 2878 Comm: ethtool Tainted: G OE 5.15.0-rc5+ #1\n[ 682.912214] Hardware name: Intel Corp. GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235 05/19/2016\n[ 682.923380] RIP: 0010:devres_remove+0x44/0x130\n[ 682.928527] Code: 49 89 f4 55 48 89 fd 4c 89 ff 53 48 83 ec 10 e8 92 b9 49 00 48 8b 9d a8 02 00 00 48 8d 8d a0 02 00 00 49 89 c2 48 39 cb 74 0f \u003c4c\u003e 3b 63 10 74 25 48 8b 5b 08 48 39 cb 75 f1 4c 89 ff 4c 89 d6 e8\n[ 682.950237] RSP: 0018:ffffc90006a679f0 EFLAGS: 00010002\n[ 682.956285] RAX: 0000000000000286 RBX: ffffffffffffffff RCX: ffff88908343a370\n[ 682.964538] RDX: 0000000000000001 RSI: ffffffff81690d60 RDI: 0000000000000000\n[ 682.972789] RBP: ffff88908343a0d0 R08: 0000000000000000 R09: 0000000000000000\n[ 682.981040] R10: 0000000000000286 R11: 3fffffffffffffff R12: ffffffff81690d60\n[ 682.989282] R13: ffffffff81690a00 R14: ffff8890819807a8 R15: ffff88908343a36c\n[ 682.997535] FS: 00007f08c7bfa740(0000) GS:ffff88a03fd00000(0000) knlGS:0000000000000000\n[ 683.006910] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 683.013557] CR2: 000000000000000f CR3: 0000001080a66003 CR4: 00000000003706e0\n[ 683.021819] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 683.030075] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 683.038336] Call Trace:\n[ 683.041167] devm_kfree+0x33/0x50\n[ 683.045004] ice_vsi_free_arrays+0x5e/0xc0 [ice]\n[ 683.050380] ice_vsi_rebuild+0x4c8/0x750 [ice]\n[ 683.055543] ice_vsi_recfg_qs+0x9a/0x110 [ice]\n[ 683.060697] ice_set_channels+0x14f/0x290 [ice]\n[ 683.065962] ethnl_set_channels+0x333/0x3f0\n[ 683.070807] genl_family_rcv_msg_doit+0xea/0x150\n[ 683.076152] genl_rcv_msg+0xde/0x1d0\n[ 683.080289] ? channels_prepare_data+0x60/0x60\n[ 683.085432] ? genl_get_cmd+0xd0/0xd0\n[ 683.089667] netlink_rcv_skb+0x50/0xf0\n[ 683.094006] genl_rcv+0x24/0x40\n[ 683.097638] netlink_unicast+0x239/0x340\n[ 683.102177] netlink_sendmsg+0x22e/0x470\n[ 683.106717] sock_sendmsg+0x5e/0x60\n[ 683.110756] __sys_sendto+0xee/0x150\n[ 683.114894] ? handle_mm_fault+0xd0/0x2a0\n[ 683.119535] ? do_user_addr_fault+0x1f3/0x690\n[ 683.134173] __x64_sys_sendto+0x25/0x30\n[ 683.148231] do_syscall_64+0x3b/0xc0\n[ 683.161992] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nFix this by taking into account the value that num_possible_cpus()\nyields in addition to vsi-\u003ealloc_txq instead of doubling the latter."
}
],
"providerMetadata": {
"dateUpdated": "2024-05-29T05:10:09.238Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1eb5395add786613c7c5579d3947aa0b8f0ec241"
},
{
"url": "https://git.kernel.org/stable/c/992ba40a67638dfe2772b84dfc8168dc328d5c4c"
},
{
"url": "https://git.kernel.org/stable/c/792b2086584f25d84081a526beee80d103c2a913"
}
],
"title": "ice: fix vsi-\u003etxq_map sizing",
"x_generator": {
"engine": "bippy-a5840b7849dd"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47562",
"datePublished": "2024-05-24T15:12:50.733Z",
"dateReserved": "2024-05-24T15:11:00.728Z",
"dateUpdated": "2024-08-04T05:39:59.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2021-47562\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-24T15:15:20.797\",\"lastModified\":\"2024-05-24T18:09:20.027\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nice: fix vsi-\u003etxq_map sizing\\n\\nThe approach of having XDP queue per CPU regardless of user\u0027s setting\\nexposed a hidden bug that could occur in case when Rx queue count differ\\nfrom Tx queue count. Currently vsi-\u003etxq_map\u0027s size is equal to the\\ndoubled vsi-\u003ealloc_txq, which is not correct due to the fact that XDP\\nrings were previously based on the Rx queue count. Below splat can be\\nseen when ethtool -L is used and XDP rings are configured:\\n\\n[ 682.875339] BUG: kernel NULL pointer dereference, address: 000000000000000f\\n[ 682.883403] #PF: supervisor read access in kernel mode\\n[ 682.889345] #PF: error_code(0x0000) - not-present page\\n[ 682.895289] PGD 0 P4D 0\\n[ 682.898218] Oops: 0000 [#1] PREEMPT SMP PTI\\n[ 682.903055] CPU: 42 PID: 2878 Comm: ethtool Tainted: G OE 5.15.0-rc5+ #1\\n[ 682.912214] Hardware name: Intel Corp. GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235 05/19/2016\\n[ 682.923380] RIP: 0010:devres_remove+0x44/0x130\\n[ 682.928527] Code: 49 89 f4 55 48 89 fd 4c 89 ff 53 48 83 ec 10 e8 92 b9 49 00 48 8b 9d a8 02 00 00 48 8d 8d a0 02 00 00 49 89 c2 48 39 cb 74 0f \u003c4c\u003e 3b 63 10 74 25 48 8b 5b 08 48 39 cb 75 f1 4c 89 ff 4c 89 d6 e8\\n[ 682.950237] RSP: 0018:ffffc90006a679f0 EFLAGS: 00010002\\n[ 682.956285] RAX: 0000000000000286 RBX: ffffffffffffffff RCX: ffff88908343a370\\n[ 682.964538] RDX: 0000000000000001 RSI: ffffffff81690d60 RDI: 0000000000000000\\n[ 682.972789] RBP: ffff88908343a0d0 R08: 0000000000000000 R09: 0000000000000000\\n[ 682.981040] R10: 0000000000000286 R11: 3fffffffffffffff R12: ffffffff81690d60\\n[ 682.989282] R13: ffffffff81690a00 R14: ffff8890819807a8 R15: ffff88908343a36c\\n[ 682.997535] FS: 00007f08c7bfa740(0000) GS:ffff88a03fd00000(0000) knlGS:0000000000000000\\n[ 683.006910] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 683.013557] CR2: 000000000000000f CR3: 0000001080a66003 CR4: 00000000003706e0\\n[ 683.021819] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ 683.030075] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ 683.038336] Call Trace:\\n[ 683.041167] devm_kfree+0x33/0x50\\n[ 683.045004] ice_vsi_free_arrays+0x5e/0xc0 [ice]\\n[ 683.050380] ice_vsi_rebuild+0x4c8/0x750 [ice]\\n[ 683.055543] ice_vsi_recfg_qs+0x9a/0x110 [ice]\\n[ 683.060697] ice_set_channels+0x14f/0x290 [ice]\\n[ 683.065962] ethnl_set_channels+0x333/0x3f0\\n[ 683.070807] genl_family_rcv_msg_doit+0xea/0x150\\n[ 683.076152] genl_rcv_msg+0xde/0x1d0\\n[ 683.080289] ? channels_prepare_data+0x60/0x60\\n[ 683.085432] ? genl_get_cmd+0xd0/0xd0\\n[ 683.089667] netlink_rcv_skb+0x50/0xf0\\n[ 683.094006] genl_rcv+0x24/0x40\\n[ 683.097638] netlink_unicast+0x239/0x340\\n[ 683.102177] netlink_sendmsg+0x22e/0x470\\n[ 683.106717] sock_sendmsg+0x5e/0x60\\n[ 683.110756] __sys_sendto+0xee/0x150\\n[ 683.114894] ? handle_mm_fault+0xd0/0x2a0\\n[ 683.119535] ? do_user_addr_fault+0x1f3/0x690\\n[ 683.134173] __x64_sys_sendto+0x25/0x30\\n[ 683.148231] do_syscall_64+0x3b/0xc0\\n[ 683.161992] entry_SYSCALL_64_after_hwframe+0x44/0xae\\n\\nFix this by taking into account the value that num_possible_cpus()\\nyields in addition to vsi-\u003ealloc_txq instead of doubling the latter.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: ice: corregir el tama\u00f1o de vsi-\u0026gt;txq_map El enfoque de tener una cola XDP por CPU independientemente de la configuraci\u00f3n del usuario expuso un error oculto que podr\u00eda ocurrir en caso de que el recuento de la cola de Rx difiera del recuento de la cola de Tx . Actualmente, el tama\u00f1o de vsi-\u0026gt;txq_map es igual al doble de vsi-\u0026gt;alloc_txq, lo cual no es correcto debido al hecho de que los anillos XDP se basaban anteriormente en el recuento de colas de Rx. A continuaci\u00f3n se puede ver el s\u00edmbolo cuando se usa ethtool -L y se configuran los anillos XDP: [682.875339] ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 000000000000000f [682.883403] #PF: acceso de lectura del supervisor en modo kernel [682.889345] #PF: error_code( 0x0000) - p\u00e1gina no presente [682.895289] PGD 0 P4D 0 [682.898218] Ups: 0000 [#1] PREEMPT SMP PTI [682.903055] CPU: 42 PID: 2878 Comm: ethtool Contaminado: G OE 5.15.0-rc5+ #1 [ 682.912214] Nombre del hardware: Intel Corp. GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235 19/05/2016 [ 682.923380] RIP: 0010:devres_remove+0x44/0x130 [ 682.928527] 49 89 f4 55 48 89 fd 4c 89 ff 53 48 83 ec 10 e8 92 b9 49 00 48 8b 9d a8 02 00 00 48 8d 8d a0 02 00 00 49 89 c2 48 39 cb 74 0f \u0026lt;4c\u0026gt; 3b 63 10 74 25 8 8b 5b 08 48 39 cb 75 f1 4c 89 ff 4c 89 d6 e8 [ 682.950237] RSP: 0018:ffffc90006a679f0 EFLAGS: 00010002 [ 682.956285] RAX: 0000000000000286 RBX: RCX: ffff88908343a370 [ 682.964538] RDX: 0000000000000001 RSI: ffffffff81690d60 RDI: 0000000000000000 [ 682.972789] RBP : ffff88908343a0d0 R08: 0000000000000000 R09: 0000000000000000 [ 682.981040] R10: 00000000000000286 R11: 3ffffffffffffffff R12: ffffffff81690d60 [ 682.989282] R13: ffffffff81690a00 R14: ffff8890819807a8 R15: ffff88908343a36c [ 682.997535] FS: 00007f08c7bfa740(0000) GS:ffff88a03fd00000(0 000) knlGS:0000000000000000 [ 683.006910] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 683.013557] CR2: 0000000000000000f CR3: 0000001080a66003 CR4: 06e0 [ 683.021819] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 683.030075] DR3: 0000000000000000 DR6: 0ff0DR7: 0000000000000400 [683.038336] Seguimiento de llamadas: [683.041167] devm_kfree+0x33/0x50 [683.045004] ice_vsi_free_arrays+0x5e/0xc0 [ice] [683.050380] 8/0x750 [hielo] [683.055543] ice_vsi_recfg_qs+0x9a/0x110 [hielo] [683.060697 ] ice_set_channels+0x14f/0x290 [ice] [ 683.065962] ethnl_set_channels+0x333/0x3f0 [ 683.070807] genl_family_rcv_msg_doit+0xea/0x150 [ 683.076152] 1d0 [683.080289] ? canales_prepare_data+0x60/0x60 [683.085432]? genl_get_cmd+0xd0/0xd0 [ 683.089667] netlink_rcv_skb+0x50/0xf0 [ 683.094006] genl_rcv+0x24/0x40 [ 683.097638] netlink_unicast+0x239/0x340 [ 683.102177] endmsg+0x22e/0x470 [ 683.106717] sock_sendmsg+0x5e/0x60 [ 683.110756] __sys_sendto+ 0xee/0x150 [683.114894] ? handle_mm_fault+0xd0/0x2a0 [683.119535]? do_user_addr_fault+0x1f3/0x690 [ 683.134173] __x64_sys_sendto+0x25/0x30 [ 683.148231] do_syscall_64+0x3b/0xc0 [ 683.161992] Entry_SYSCALL_64_after_hwframe+0x44/ 0xae Solucione este problema teniendo en cuenta el valor que arroja num_possible_cpus() produce adem\u00e1s de vsi-\u0026gt;alloc_txq en lugar de duplicar este \u00faltimo.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1eb5395add786613c7c5579d3947aa0b8f0ec241\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/792b2086584f25d84081a526beee80d103c2a913\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/992ba40a67638dfe2772b84dfc8168dc328d5c4c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading...