CVE-2024-26766

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 03/04/2024
Last modified: 27/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

IB/hfi1: Fix sdma.h tx->num_descs off-by-one error

Unfortunately the commit `fd8958efe877` introduced another error
causing the `descs` array to overflow. This results in further crashes
easily reproducible by `sendmsg` system call.

```
[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI
[ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]
--
[ 1080.974535] Call Trace:
[ 1080.976990]
[ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]
[ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]
[ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1]
[ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]
[ 1081.046978] dev_hard_start_xmit+0xc4/0x210
--
[ 1081.148347] __sys_sendmsg+0x59/0xa0
```

```
crash> ipoib_txreq 0xffff9cfeba229f00
struct ipoib_txreq {
  txreq = {
    list = {
      next = 0xffff9cfeba229f00,
      prev = 0xffff9cfeba229f00
    },
    descp = 0xffff9cfeba229f40,
    coalesce_buf = 0x0,
    wait = 0xffff9cfea4e69a48,
    complete = 0xffffffffc0fe0760 ,
    packet_len = 0x46d,
    tlen = 0x0,
    num_desc = 0x0,
    desc_limit = 0x6,
    next_descq_idx = 0x45c,
    coalesce_idx = 0x0,
    flags = 0x0,
    descs = {{
        qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)
      }, {
        qw = { 0x3800014231b108, 0x4}
      }, {
        qw = { 0x310000e4ee0fcf0, 0x8}
      }, {
        qw = { 0x3000012e9f8000, 0x8}
      }, {
        qw = { 0x59000dfb9d0000, 0x8}
      }, {
        qw = { 0x78000e02e40000, 0x8}
      }}
  },
  sdma_hdr = 0x400300015528b000,
```

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.19.291 (including) | 4.19.308 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.4.251 (including) | 5.4.270 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.10.188 (including) | 5.10.211 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.99 (including) | 5.15.150 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1.16 (including) | 6.1.80 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2.3 (including) | 6.6.19 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.7.7 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | | |
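
A triage check for a host against the upstream `linux_kernel` rows of the table above, as an added example that is not part of the advisory or the kernel project. The function names and the sample `/proc/modules` text are assumptions constructed for illustration, and the Debian row is not covered.

```python
import re

# Upstream ranges copied from the CPE table: (first affected, first fixed).
AFFECTED_RANGES = [
    ((4, 19, 291), (4, 19, 308)),
    ((5, 4, 251), (5, 4, 270)),
    ((5, 10, 188), (5, 10, 211)),
    ((5, 15, 99), (5, 15, 150)),
    ((6, 1, 16), (6, 1, 80)),
    ((6, 2, 3), (6, 6, 19)),
    ((6, 7, 0), (6, 7, 7)),
]
# Release candidates the table lists individually: 6.8-rc1 to 6.8-rc5.
AFFECTED_RCS = {(6, 8, n) for n in range(1, 6)}

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")

# Constructed sample of /proc/modules content (not taken from a real host).
SAMPLE_MODULES = (
    "ib_ipoib 155648 0 - Live 0x0000000000000000\n"
    "hfi1 1409024 4 - Live 0x0000000000000000\n"
)


def parse_release(release):
    """Split a `uname -r` style string into ((major, minor, patch), rc or None)."""
    m = _RELEASE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), (int(rc) if rc else None)


def in_affected_range(release):
    """True if the upstream version falls in a range the advisory lists."""
    version, rc = parse_release(release)
    if rc is not None:
        # An -rc build predates its final release, so only listed rc builds match.
        return (version[0], version[1], rc) in AFFECTED_RCS
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def hfi1_loaded(proc_modules_text):
    """True if the hfi1 driver named in the crash trace is currently loaded."""
    return any(l.split()[:1] == ["hfi1"] for l in proc_modules_text.splitlines())
```

Distribution kernels often backport fixes and use their own release numbering, so treat a match on the upstream version as a prompt to check the vendor's advisory rather than as a final answer.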