Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2022-48729

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
20/06/2024
Last modified:
27/10/2024

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> IB/hfi1: Fix panic with larger ipoib send_queue_size<br /> <br /> When the ipoib send_queue_size is increased from the default the following<br /> panic happens:<br /> <br /> RIP: 0010:hfi1_ipoib_drain_tx_ring+0x45/0xf0 [hfi1]<br /> Code: 31 e4 eb 0f 8b 85 c8 02 00 00 41 83 c4 01 44 39 e0 76 60 8b 8d cc 02 00 00 44 89 e3 be 01 00 00 00 d3 e3 48 03 9d c0 02 00 00 83 18 01 00 00 00 00 00 00 48 8b bb 30 01 00 00 e8 25 af a7 e0<br /> RSP: 0018:ffffc9000798f4a0 EFLAGS: 00010286<br /> RAX: 0000000000008000 RBX: ffffc9000aa0f000 RCX: 000000000000000f<br /> RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000<br /> RBP: ffff88810ff08000 R08: ffff88889476d900 R09: 0000000000000101<br /> R10: 0000000000000000 R11: ffffc90006590ff8 R12: 0000000000000200<br /> R13: ffffc9000798fba8 R14: 0000000000000000 R15: 0000000000000001<br /> FS: 00007fd0f79cc3c0(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: ffffc9000aa0f118 CR3: 0000000889c84001 CR4: 00000000001706e0<br /> Call Trace:<br /> <br /> hfi1_ipoib_napi_tx_disable+0x45/0x60 [hfi1]<br /> hfi1_ipoib_dev_stop+0x18/0x80 [hfi1]<br /> ipoib_ib_dev_stop+0x1d/0x40 [ib_ipoib]<br /> ipoib_stop+0x48/0xc0 [ib_ipoib]<br /> __dev_close_many+0x9e/0x110<br /> __dev_change_flags+0xd9/0x210<br /> dev_change_flags+0x21/0x60<br /> do_setlink+0x31c/0x10f0<br /> ? __nla_validate_parse+0x12d/0x1a0<br /> ? __nla_parse+0x21/0x30<br /> ? inet6_validate_link_af+0x5e/0xf0<br /> ? cpumask_next+0x1f/0x20<br /> ? __snmp6_fill_stats64.isra.53+0xbb/0x140<br /> ? __nla_validate_parse+0x47/0x1a0<br /> __rtnl_newlink+0x530/0x910<br /> ? pskb_expand_head+0x73/0x300<br /> ? __kmalloc_node_track_caller+0x109/0x280<br /> ? __nla_put+0xc/0x20<br /> ? cpumask_next_and+0x20/0x30<br /> ? update_sd_lb_stats.constprop.144+0xd3/0x820<br /> ? _raw_spin_unlock_irqrestore+0x25/0x37<br /> ? __wake_up_common_lock+0x87/0xc0<br /> ? kmem_cache_alloc_trace+0x3d/0x3d0<br /> rtnl_newlink+0x43/0x60<br /> <br /> The issue happens when the shift that should have been a function of the<br /> txq item size mistakenly used the ring size.<br /> <br /> Fix by using the item size.

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.16.8 (excluding)
cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools