cve-2022-48729
Vulnerability from cvelistv5
Published
2024-06-20 11:13
Modified
2024-12-19 08:06
Summary
In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix panic with larger ipoib send_queue_size When the ipoib send_queue_size is increased from the default the following panic happens: RIP: 0010:hfi1_ipoib_drain_tx_ring+0x45/0xf0 [hfi1] Code: 31 e4 eb 0f 8b 85 c8 02 00 00 41 83 c4 01 44 39 e0 76 60 8b 8d cc 02 00 00 44 89 e3 be 01 00 00 00 d3 e3 48 03 9d c0 02 00 00 <c7> 83 18 01 00 00 00 00 00 00 48 8b bb 30 01 00 00 e8 25 af a7 e0 RSP: 0018:ffffc9000798f4a0 EFLAGS: 00010286 RAX: 0000000000008000 RBX: ffffc9000aa0f000 RCX: 000000000000000f RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88810ff08000 R08: ffff88889476d900 R09: 0000000000000101 R10: 0000000000000000 R11: ffffc90006590ff8 R12: 0000000000000200 R13: ffffc9000798fba8 R14: 0000000000000000 R15: 0000000000000001 FS: 00007fd0f79cc3c0(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000aa0f118 CR3: 0000000889c84001 CR4: 00000000001706e0 Call Trace: <TASK> hfi1_ipoib_napi_tx_disable+0x45/0x60 [hfi1] hfi1_ipoib_dev_stop+0x18/0x80 [hfi1] ipoib_ib_dev_stop+0x1d/0x40 [ib_ipoib] ipoib_stop+0x48/0xc0 [ib_ipoib] __dev_close_many+0x9e/0x110 __dev_change_flags+0xd9/0x210 dev_change_flags+0x21/0x60 do_setlink+0x31c/0x10f0 ? __nla_validate_parse+0x12d/0x1a0 ? __nla_parse+0x21/0x30 ? inet6_validate_link_af+0x5e/0xf0 ? cpumask_next+0x1f/0x20 ? __snmp6_fill_stats64.isra.53+0xbb/0x140 ? __nla_validate_parse+0x47/0x1a0 __rtnl_newlink+0x530/0x910 ? pskb_expand_head+0x73/0x300 ? __kmalloc_node_track_caller+0x109/0x280 ? __nla_put+0xc/0x20 ? cpumask_next_and+0x20/0x30 ? update_sd_lb_stats.constprop.144+0xd3/0x820 ? _raw_spin_unlock_irqrestore+0x25/0x37 ? __wake_up_common_lock+0x87/0xc0 ? kmem_cache_alloc_trace+0x3d/0x3d0 rtnl_newlink+0x43/0x60 The issue happens when the shift that should have been a function of the txq item size mistakenly used the ring size. Fix by using the item size.
Impacted products
Vendor Product Version
Linux Linux Version: 5.16 (affected from 5.16; fixed in 5.16.8 and 5.17, per the version ranges in the record below)


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-48729",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-20T15:45:31.301094Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-27T17:51:36.447Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T15:25:00.323Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/1530d84fba1e459ba55f46aa42649b88773210e7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8c83d39cc730378bbac64d67a551897b203a606e"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/hfi1/ipoib_tx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1530d84fba1e459ba55f46aa42649b88773210e7",
              "status": "affected",
              "version": "d47dfc2b00e69001c8eeae71f7e25066ccc36144",
              "versionType": "git"
            },
            {
              "lessThan": "8c83d39cc730378bbac64d67a551897b203a606e",
              "status": "affected",
              "version": "d47dfc2b00e69001c8eeae71f7e25066ccc36144",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/hfi1/ipoib_tx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.16.*",
              "status": "unaffected",
              "version": "5.16.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix panic with larger ipoib send_queue_size\n\nWhen the ipoib send_queue_size is increased from the default the following\npanic happens:\n\n  RIP: 0010:hfi1_ipoib_drain_tx_ring+0x45/0xf0 [hfi1]\n  Code: 31 e4 eb 0f 8b 85 c8 02 00 00 41 83 c4 01 44 39 e0 76 60 8b 8d cc 02 00 00 44 89 e3 be 01 00 00 00 d3 e3 48 03 9d c0 02 00 00 \u003cc7\u003e 83 18 01 00 00 00 00 00 00 48 8b bb 30 01 00 00 e8 25 af a7 e0\n  RSP: 0018:ffffc9000798f4a0 EFLAGS: 00010286\n  RAX: 0000000000008000 RBX: ffffc9000aa0f000 RCX: 000000000000000f\n  RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000\n  RBP: ffff88810ff08000 R08: ffff88889476d900 R09: 0000000000000101\n  R10: 0000000000000000 R11: ffffc90006590ff8 R12: 0000000000000200\n  R13: ffffc9000798fba8 R14: 0000000000000000 R15: 0000000000000001\n  FS:  00007fd0f79cc3c0(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: ffffc9000aa0f118 CR3: 0000000889c84001 CR4: 00000000001706e0\n  Call Trace:\n   \u003cTASK\u003e\n   hfi1_ipoib_napi_tx_disable+0x45/0x60 [hfi1]\n   hfi1_ipoib_dev_stop+0x18/0x80 [hfi1]\n   ipoib_ib_dev_stop+0x1d/0x40 [ib_ipoib]\n   ipoib_stop+0x48/0xc0 [ib_ipoib]\n   __dev_close_many+0x9e/0x110\n   __dev_change_flags+0xd9/0x210\n   dev_change_flags+0x21/0x60\n   do_setlink+0x31c/0x10f0\n   ? __nla_validate_parse+0x12d/0x1a0\n   ? __nla_parse+0x21/0x30\n   ? inet6_validate_link_af+0x5e/0xf0\n   ? cpumask_next+0x1f/0x20\n   ? __snmp6_fill_stats64.isra.53+0xbb/0x140\n   ? __nla_validate_parse+0x47/0x1a0\n   __rtnl_newlink+0x530/0x910\n   ? pskb_expand_head+0x73/0x300\n   ? __kmalloc_node_track_caller+0x109/0x280\n   ? __nla_put+0xc/0x20\n   ? cpumask_next_and+0x20/0x30\n   ? update_sd_lb_stats.constprop.144+0xd3/0x820\n   ? _raw_spin_unlock_irqrestore+0x25/0x37\n   ? __wake_up_common_lock+0x87/0xc0\n   ? 
kmem_cache_alloc_trace+0x3d/0x3d0\n   rtnl_newlink+0x43/0x60\n\nThe issue happens when the shift that should have been a function of the\ntxq item size mistakenly used the ring size.\n\nFix by using the item size."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:06:36.354Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1530d84fba1e459ba55f46aa42649b88773210e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c83d39cc730378bbac64d67a551897b203a606e"
        }
      ],
      "title": "IB/hfi1: Fix panic with larger ipoib send_queue_size",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-48729",
    "datePublished": "2024-06-20T11:13:18.072Z",
    "dateReserved": "2024-06-20T11:09:39.052Z",
    "dateUpdated": "2024-12-19T08:06:36.354Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-48729\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-06-20T12:15:11.343\",\"lastModified\":\"2024-11-21T07:33:52.697\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nIB/hfi1: Fix panic with larger ipoib send_queue_size\\n\\nWhen the ipoib send_queue_size is increased from the default the following\\npanic happens:\\n\\n  RIP: 0010:hfi1_ipoib_drain_tx_ring+0x45/0xf0 [hfi1]\\n  Code: 31 e4 eb 0f 8b 85 c8 02 00 00 41 83 c4 01 44 39 e0 76 60 8b 8d cc 02 00 00 44 89 e3 be 01 00 00 00 d3 e3 48 03 9d c0 02 00 00 \u003cc7\u003e 83 18 01 00 00 00 00 00 00 48 8b bb 30 01 00 00 e8 25 af a7 e0\\n  RSP: 0018:ffffc9000798f4a0 EFLAGS: 00010286\\n  RAX: 0000000000008000 RBX: ffffc9000aa0f000 RCX: 000000000000000f\\n  RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000\\n  RBP: ffff88810ff08000 R08: ffff88889476d900 R09: 0000000000000101\\n  R10: 0000000000000000 R11: ffffc90006590ff8 R12: 0000000000000200\\n  R13: ffffc9000798fba8 R14: 0000000000000000 R15: 0000000000000001\\n  FS:  00007fd0f79cc3c0(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000\\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n  CR2: ffffc9000aa0f118 CR3: 0000000889c84001 CR4: 00000000001706e0\\n  Call Trace:\\n   \u003cTASK\u003e\\n   hfi1_ipoib_napi_tx_disable+0x45/0x60 [hfi1]\\n   hfi1_ipoib_dev_stop+0x18/0x80 [hfi1]\\n   ipoib_ib_dev_stop+0x1d/0x40 [ib_ipoib]\\n   ipoib_stop+0x48/0xc0 [ib_ipoib]\\n   __dev_close_many+0x9e/0x110\\n   __dev_change_flags+0xd9/0x210\\n   dev_change_flags+0x21/0x60\\n   do_setlink+0x31c/0x10f0\\n   ? __nla_validate_parse+0x12d/0x1a0\\n   ? __nla_parse+0x21/0x30\\n   ? inet6_validate_link_af+0x5e/0xf0\\n   ? cpumask_next+0x1f/0x20\\n   ? __snmp6_fill_stats64.isra.53+0xbb/0x140\\n   ? __nla_validate_parse+0x47/0x1a0\\n   __rtnl_newlink+0x530/0x910\\n   ? 
pskb_expand_head+0x73/0x300\\n   ? __kmalloc_node_track_caller+0x109/0x280\\n   ? __nla_put+0xc/0x20\\n   ? cpumask_next_and+0x20/0x30\\n   ? update_sd_lb_stats.constprop.144+0xd3/0x820\\n   ? _raw_spin_unlock_irqrestore+0x25/0x37\\n   ? __wake_up_common_lock+0x87/0xc0\\n   ? kmem_cache_alloc_trace+0x3d/0x3d0\\n   rtnl_newlink+0x43/0x60\\n\\nThe issue happens when the shift that should have been a function of the\\ntxq item size mistakenly used the ring size.\\n\\nFix by using the item size.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: IB/hfi1: Corrija el p\u00e1nico con ipoib send_queue_size m\u00e1s grande Cuando ipoib send_queue_size aumenta respecto del valor predeterminado, ocurre el siguiente p\u00e1nico: RIP: 0010:hfi1_ipoib_drain_tx_ring+0x45/0xf0 [hfi1] C\u00f3digo: 31 e4 eb 0f 8b 85 c8 02 00 00 41 83 c4 01 44 39 e0 76 60 8b 8d cc 02 00 00 44 89 e3 be 01 00 00 00 d3 e3 48 03 9d c0 02 00 00  83 8 01 00 00 00 00 00 00 48 8b bb 30 01 00 00 e8 25 af a7 e0 RSP: 0018:ffffc9000798f4a0 EFLAGS: 00010286 RAX: 00000000000008000 RBX: ffffc9000aa0f000 RCX: 000000000000000f RDX: 00000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88810ff08000 R08: ffff88889476d900 R09: 0000000000000101 R10: 0000000000000000 R11: ffffc90006590ff8 R12: 0000000000000200 R13: ffffc9000798fba8 R14: 0000000000000000 R15: 00000000000001 FS: 00007fd0f79cc3c0(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR 2: ffffc9000aa0f118 CR3 : 0000000889c84001 CR4: 00000000001706e0 Seguimiento de llamadas:  hfi1_ipoib_napi_tx_disable+0x45/0x60 [hfi1] hfi1_ipoib_dev_stop+0x18/0x80 [hfi1] [ib_ipoib] ipoib_stop+0x48/0xc0 [ib_ipoib] __dev_close_many+0x9e/0x110 __dev_change_flags+ 0xd9/0x210 dev_change_flags+0x21/0x60 do_setlink+0x31c/0x10f0? __nla_validate_parse+0x12d/0x1a0 ? __nla_parse+0x21/0x30? inet6_validate_link_af+0x5e/0xf0? cpumask_next+0x1f/0x20 ? 
__snmp6_fill_stats64.isra.53+0xbb/0x140 ? __nla_validate_parse+0x47/0x1a0 __rtnl_newlink+0x530/0x910 ? pskb_expand_head+0x73/0x300? __kmalloc_node_track_caller+0x109/0x280 ? __nla_put+0xc/0x20 ? cpumask_next_and+0x20/0x30? update_sd_lb_stats.constprop.144+0xd3/0x820? _raw_spin_unlock_irqrestore+0x25/0x37? __wake_up_common_lock+0x87/0xc0? kmem_cache_alloc_trace+0x3d/0x3d0 rtnl_newlink+0x43/0x60 El problema ocurre cuando el cambio que deber\u00eda haber sido una funci\u00f3n del tama\u00f1o del elemento txq us\u00f3 por error el tama\u00f1o del anillo. Arreglar usando el tama\u00f1o del elemento.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"5.16.8\",
\"matchCriteriaId\":\"0623892A-E3E4-44E6-8A5E-39A0B47AF782\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7BD5F8D9-54FA-4CB0-B4F0-CB0471FDDB2D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"E6E34B23-78B4-4516-9BD8-61B33F4AC49A\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1530d84fba1e459ba55f46aa42649b88773210e7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8c83d39cc730378bbac64d67a551897b203a606e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/1530d84fba1e459ba55f46aa42649b88773210e7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8c83d39cc730378bbac64d67a551897b203a606e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}"
  }
}







Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.