发布时间: 2024年9月3日
修改时间: 2024年9月3日
In the Linux kernel, the following vulnerability has been resolved:RDMA/cma: Do not change route.addr.src_addr outside state checksIf the state is not idle then resolve_prepare_src() should immediatelyfail and no change to global state should happen. However, itunconditionally overwrites the src_addr trying to build a temporary anyaddress.For instance if the state is already RDMA_CM_LISTEN then this will corruptthe src_addr and would cause the test in cma_cancel_operation(): if (cma_any_addr(cma_src_addr(id_priv)) && !id_priv->cma_dev)Which would manifest as this trace from syzkaller: BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0 lib/list_debug.c:26 Read of size 8 at addr ffff8881546491e0 by task syz-executor.1/32204 CPU: 1 PID: 32204 Comm: syz-executor.1 Not tainted 5.12.0-rc8-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232 __kasan_report mm/kasan/report.c:399 [inline] kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416 __list_add_valid+0x93/0xa0 lib/list_debug.c:26 __list_add include/linux/list.h:67 [inline] list_add_tail include/linux/list.h:100 [inline] cma_listen_on_all drivers/infiniband/core/cma.c:2557 [inline] rdma_listen+0x787/0xe00 drivers/infiniband/core/cma.c:3751 ucma_listen+0x16a/0x210 drivers/infiniband/core/ucma.c:1102 ucma_write+0x259/0x350 drivers/infiniband/core/ucma.c:1732 vfs_write+0x28e/0xa30 fs/read_write.c:603 ksys_write+0x1ee/0x250 fs/read_write.c:658 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xaeThis is indicating that an rdma_id_private was destroyed without doingcma_cancel_listens().Instead of trying to re-use the src_addr memory to indirectly create anany address derived from the dst build one explicitly on the stack andbind to that as any other normal flow would do. rdma_bind_addr() will copyit over the src_addr once it knows the state is valid.This is similar to commit bc0bdc5afaa7 ( RDMA/cma: Do not changeroute.addr.src_addr.ss_family )
| NVD | openEuler | |
|---|---|---|
| CVSS评分 | 7.8 | 7.8 |
| Attack Vector | Local | Local |
| Attack Complexity | Low | Low |
| Privileges Required | Low | Low |
| User Interaction | None | None |
| Scope | Unchanged | Unchanged |
| Confidentiality | High | High |
| Integrity | High | High |
| Availability | High | High |
| 公告名 | 概要 | 发布时间 |
|---|---|---|
| KylinSec-SA-2024-3615 | In the Linux kernel, the following vulnerability has been resolved:RDMA/cma: Do not change route.addr.src_addr outside state checksIf the state is not idle then resolve_prepare_src() should immediatelyfail and no change to global state should happen. However, itunconditionally overwrites the src_addr trying to build a temporary anyaddress.For instance if the state is already RDMA_CM_LISTEN then this will corruptthe src_addr and would cause the test in cma_cancel_operation(): if (cma_any_addr(cma_src_addr(id_priv)) && !id_priv->cma_dev)Which would manifest as this trace from syzkaller: BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0 lib/list_debug.c:26 Read of size 8 at addr ffff8881546491e0 by task syz-executor.1/32204 CPU: 1 PID: 32204 Comm: syz-executor.1 Not tainted 5.12.0-rc8-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232 __kasan_report mm/kasan/report.c:399 [inline] kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416 __list_add_valid+0x93/0xa0 lib/list_debug.c:26 __list_add include/linux/list.h:67 [inline] list_add_tail include/linux/list.h:100 [inline] cma_listen_on_all drivers/infiniband/core/cma.c:2557 [inline] rdma_listen+0x787/0xe00 drivers/infiniband/core/cma.c:3751 ucma_listen+0x16a/0x210 drivers/infiniband/core/ucma.c:1102 ucma_write+0x259/0x350 drivers/infiniband/core/ucma.c:1732 vfs_write+0x28e/0xa30 fs/read_write.c:603 ksys_write+0x1ee/0x250 fs/read_write.c:658 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xaeThis is indicating that an rdma_id_private was destroyed without doingcma_cancel_listens().Instead of trying to re-use the src_addr memory to indirectly create anany address derived from the dst build one explicitly on the stack andbind to that as any other normal flow would do. rdma_bind_addr() will copyit over the src_addr once it knows the state is valid.This is similar to commit bc0bdc5afaa7 ( RDMA/cma: Do not changeroute.addr.src_addr.ss_family ) | 2024年9月3日 |
| 产品 | 包 | 状态 |
|---|---|---|
| KY3.4-5 | kernel | Unaffected |
| KY3.5.2 | kernel | Unaffected |
| KY3.5.3 | kernel | Unaffected |
| V6 | kernel | Unaffected |
