发布时间: 2024年8月21日
修改时间: 2024年8月21日
In the Linux kernel, the following vulnerability has been resolved:ionic: fix kernel panic due to multi-buffer handlingCurrently, the ionic_run_xdp() doesn t handle multi-buffer packetsproperly for XDP_TX and XDP_REDIRECT.When a jumbo frame is received, the ionic_run_xdp() first makes xdpframe with all necessary pages in the rx descriptor.And if the action is either XDP_TX or XDP_REDIRECT, it should unmapdma-mapping and reset page pointer to NULL for all pages, not only thefirst page.But it doesn t for SG pages. So, SG pages unexpectedly will be reused.It eventually causes kernel panic.Oops: general protection fault, probably for non-canonical address 0x504f4e4dbebc64ff: 0000 [#1] PREEMPT SMP NOPTICPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.10.0-rc3+ #25RIP: 0010:xdp_return_frame+0x42/0x90Code: 01 75 12 5b 4c 89 e6 5d 31 c9 41 5c 31 d2 41 5d e9 73 fd ff ff 44 8b 6b 20 0f b7 43 0a 49 81 ed 68 01 00 00 49 29 c5 49 01 fd <41> 80 7d0RSP: 0018:ffff99d00122ce08 EFLAGS: 00010202RAX: 0000000000005453 RBX: ffff8d325f904000 RCX: 0000000000000001RDX: 00000000670e1000 RSI: 000000011f90d000 RDI: 504f4e4d4c4b4a49RBP: ffff99d003907740 R08: 0000000000000000 R09: 0000000000000000R10: 000000011f90d000 R11: 0000000000000000 R12: ffff8d325f904010R13: 504f4e4dbebc64fd R14: ffff8d3242b070c8 R15: ffff99d0039077c0FS: 0000000000000000(0000) GS:ffff8d399f780000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 00007f41f6c85e38 CR3: 000000037ac30000 CR4: 00000000007506f0PKRU: 55555554Call Trace: <IRQ> ? die_addr+0x33/0x90 ? exc_general_protection+0x251/0x2f0 ? asm_exc_general_protection+0x22/0x30 ? xdp_return_frame+0x42/0x90 ionic_tx_clean+0x211/0x280 [ionic 15881354510e6a9c655c59c54812b319ed2cd015] ionic_tx_cq_service+0xd3/0x210 [ionic 15881354510e6a9c655c59c54812b319ed2cd015] ionic_txrx_napi+0x41/0x1b0 [ionic 15881354510e6a9c655c59c54812b319ed2cd015] __napi_poll.constprop.0+0x29/0x1b0 net_rx_action+0x2c4/0x350 handle_softirqs+0xf4/0x320 irq_exit_rcu+0x78/0xa0 common_interrupt+0x77/0x90
| NVD | openEuler | |
|---|---|---|
| CVSS评分 | 5.5 | 5.5 |
| Attack Vector | Local | Local |
| Attack Complexity | Low | Low |
| Privileges Required | Low | Low |
| User Interaction | None | None |
| Scope | Unchanged | Unchanged |
| Confidentiality | None | None |
| Integrity | None | None |
| Availability | High | High |
| 公告名 | 概要 | 发布时间 |
|---|---|---|
| KylinSec-SA-2024-3386 | In the Linux kernel, the following vulnerability has been resolved:ionic: fix kernel panic due to multi-buffer handlingCurrently, the ionic_run_xdp() doesn t handle multi-buffer packetsproperly for XDP_TX and XDP_REDIRECT.When a jumbo frame is received, the ionic_run_xdp() first makes xdpframe with all necessary pages in the rx descriptor.And if the action is either XDP_TX or XDP_REDIRECT, it should unmapdma-mapping and reset page pointer to NULL for all pages, not only thefirst page.But it doesn t for SG pages. So, SG pages unexpectedly will be reused.It eventually causes kernel panic.Oops: general protection fault, probably for non-canonical address 0x504f4e4dbebc64ff: 0000 [#1] PREEMPT SMP NOPTICPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.10.0-rc3+ #25RIP: 0010:xdp_return_frame+0x42/0x90Code: 01 75 12 5b 4c 89 e6 5d 31 c9 41 5c 31 d2 41 5d e9 73 fd ff ff 44 8b 6b 20 0f b7 43 0a 49 81 ed 68 01 00 00 49 29 c5 49 01 fd <41> 80 7d0RSP: 0018:ffff99d00122ce08 EFLAGS: 00010202RAX: 0000000000005453 RBX: ffff8d325f904000 RCX: 0000000000000001RDX: 00000000670e1000 RSI: 000000011f90d000 RDI: 504f4e4d4c4b4a49RBP: ffff99d003907740 R08: 0000000000000000 R09: 0000000000000000R10: 000000011f90d000 R11: 0000000000000000 R12: ffff8d325f904010R13: 504f4e4dbebc64fd R14: ffff8d3242b070c8 R15: ffff99d0039077c0FS: 0000000000000000(0000) GS:ffff8d399f780000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 00007f41f6c85e38 CR3: 000000037ac30000 CR4: 00000000007506f0PKRU: 55555554Call Trace: <IRQ> ? die_addr+0x33/0x90 ? exc_general_protection+0x251/0x2f0 ? asm_exc_general_protection+0x22/0x30 ? xdp_return_frame+0x42/0x90 ionic_tx_clean+0x211/0x280 [ionic 15881354510e6a9c655c59c54812b319ed2cd015] ionic_tx_cq_service+0xd3/0x210 [ionic 15881354510e6a9c655c59c54812b319ed2cd015] ionic_txrx_napi+0x41/0x1b0 [ionic 15881354510e6a9c655c59c54812b319ed2cd015] __napi_poll.constprop.0+0x29/0x1b0 net_rx_action+0x2c4/0x350 handle_softirqs+0xf4/0x320 irq_exit_rcu+0x78/0xa0 common_interrupt+0x77/0x90 | 2024年8月21日 |
| 产品 | 包 | 状态 |
|---|---|---|
| KY3.4-5A | kernel | Unaffected |
| KY3.5.2 | kernel | Unaffected |
| KY3.5.3 | kernel | Unaffected |
| V6 | kernel | Unaffected |
