From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2021-47076: RDMA/rxe: Return CQE error if invalid lkey was supplied
Date: Fri, 1 Mar 2024 22:15:49 +0100
Message-ID: <2024030142-CVE-2021-47076-a6b6@gregkh>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Return CQE error if invalid lkey was supplied

RXE is missing update of WQE status in LOCAL_WRITE failures.  This caused
the following kernel panic if someone sent an atomic operation with an
explicitly wrong lkey.

[leonro@vm ~]$ mkt test
test_atomic_invalid_lkey (tests.test_atomic.AtomicTest) ...
 WARNING: CPU: 5 PID: 263 at drivers/infiniband/sw/rxe/rxe_comp.c:740 rxe_completer+0x1a6d/0x2e30 [rdma_rxe]
 Modules linked in: crc32_generic rdma_rxe ip6_udp_tunnel udp_tunnel rdma_ucm rdma_cm ib_umad ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core ptp pps_core
 CPU: 5 PID: 263 Comm: python3 Not tainted 5.13.0-rc1+ #2936
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
 RIP: 0010:rxe_completer+0x1a6d/0x2e30 [rdma_rxe]
 Code: 03 0f 8e 65 0e 00 00 3b 93 10 06 00 00 0f 84 82 0a 00 00 4c 89 ff 4c 89 44 24 38 e8 2d 74 a9 e1 4c 8b 44 24 38 e9 1c f5 ff ff <0f> 0b e9 0c e8 ff ff b8 05 00 00 00 41 bf 05 00 00 00 e9 ab e7 ff
 RSP: 0018:ffff8880158af090 EFLAGS: 00010246
 RAX: 0000000000000000 RBX: ffff888016a78000 RCX: ffffffffa0cf1652
 RDX: 1ffff9200004b442 RSI: 0000000000000004 RDI: ffffc9000025a210
 RBP: dffffc0000000000 R08: 00000000ffffffea R09: ffff88801617740b
 R10: ffffed1002c2ee81 R11: 0000000000000007 R12: ffff88800f3b63e8
 R13: ffff888016a78008 R14: ffffc9000025a180 R15: 000000000000000c
 FS:  00007f88b622a740(0000) GS:ffff88806d540000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007f88b5a1fa10 CR3: 000000000d848004 CR4: 0000000000370ea0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  rxe_do_task+0x130/0x230 [rdma_rxe]
  rxe_rcv+0xb11/0x1df0 [rdma_rxe]
  rxe_loopback+0x157/0x1e0 [rdma_rxe]
  rxe_responder+0x5532/0x7620 [rdma_rxe]
  rxe_do_task+0x130/0x230 [rdma_rxe]
  rxe_rcv+0x9c8/0x1df0 [rdma_rxe]
  rxe_loopback+0x157/0x1e0 [rdma_rxe]
  rxe_requester+0x1efd/0x58c0 [rdma_rxe]
  rxe_do_task+0x130/0x230 [rdma_rxe]
  rxe_post_send+0x998/0x1860 [rdma_rxe]
  ib_uverbs_post_send+0xd5f/0x1220 [ib_uverbs]
  ib_uverbs_write+0x847/0xc80 [ib_uverbs]
  vfs_write+0x1c5/0x840
  ksys_write+0x176/0x1d0
  do_syscall_64+0x3f/0x80
  entry_SYSCALL_64_after_hwframe+0x44/0xae

The Linux kernel CVE team has assigned CVE-2021-47076 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.8 with commit 8700e3e7c485 and fixed in 5.12.7 with commit abe31d25facd
	Issue introduced in 4.8 with commit 8700e3e7c485 and fixed in 5.13 with commit dc07628bd2bb

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47076
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/infiniband/sw/rxe/rxe_comp.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.
If, however, updating to the latest release is impossible, the individual
changes to resolve this issue can be found at these commits:
	https://git.kernel.org/stable/c/abe31d25facdb9109fe2cf69890748295291570c
	https://git.kernel.org/stable/c/dc07628bd2bbc1da768e265192c28ebd301f509d
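
Added example (not part of the original announcement and not kernel
project code): a triage helper that applies the version ranges listed
under "Affected and fixed versions" to a `uname -r` string and checks
whether rdma_rxe is loaded. The function names and the sample
/proc/modules text are constructed for illustration.

```python
import re

# Version data from the advisory: introduced in 4.8, fixed in 5.12.7 (5.12.y
# stable branch) and in 5.13 (mainline). Vendor kernels that backport fixes
# keep old version numbers, so the result only describes upstream releases.
INTRODUCED = (4, 8, 0)
FIXED_MAINLINE = (5, 13, 0)
FIXED_STABLE = {(5, 12): 7}  # stable branch -> first fixed patch level


def parse_release(release):
    """Split a `uname -r` string into ((major, minor, patch), is_rc)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(-rc\d+)?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    ver = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return ver, m.group(4) is not None


def upstream_status(release):
    """Return 'not-affected', 'affected', 'fixed' or 'unknown'."""
    ver, is_rc = parse_release(release)
    if ver < INTRODUCED:
        return "not-affected"
    if ver >= FIXED_MAINLINE:
        # A 5.13 release candidate may predate the fix: the trace in the
        # advisory was captured on 5.13.0-rc1+.
        return "unknown" if is_rc and ver == FIXED_MAINLINE else "fixed"
    first_fixed = FIXED_STABLE.get(ver[:2])
    if first_fixed is not None and ver[2] >= first_fixed:
        return "fixed"
    return "affected"


def rxe_loaded(proc_modules_text):
    """True if rdma_rxe appears as a loaded module in /proc/modules text."""
    return any(line.split()[:1] == ["rdma_rxe"]
               for line in proc_modules_text.splitlines())


# Constructed sample of /proc/modules content (not taken from a real host).
SAMPLE_MODULES = """\
rdma_rxe 155648 0 - Live 0x0000000000000000
ib_core 450560 1 rdma_rxe, Live 0x0000000000000000
"""

if __name__ == "__main__":
    for rel in ("4.7.10", "5.10.40", "5.12.6", "5.12.7", "5.13.0-rc1+", "5.15.0"):
        print(rel, upstream_status(rel), rxe_loaded(SAMPLE_MODULES))
```

An "affected" result reflects only the two fixes listed in this
announcement; check the CVE record for later backports before acting on it.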