CVE-2024-50147
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
07/11/2024
Last modified:
03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix command bitmask initialization

The command bitmask has a dedicated bit for the MANAGE_PAGES command; this bit
isn't initialized during command bitmask initialization, only during
MANAGE_PAGES.

In addition, mlx5_cmd_trigger_completions() is trying to trigger
completion for the MANAGE_PAGES command as well.

Hence, in case a health error occurred before any MANAGE_PAGES command
has been invoked (for example, during mlx5_enable_hca()),
mlx5_cmd_trigger_completions() will try to trigger completion for the
MANAGE_PAGES command, which will result in a null-ptr-deref error.[1]

Fix it by initializing the command bitmask correctly.

While at it, re-write the code for better understanding.

[1]
```
BUG: KASAN: null-ptr-deref in mlx5_cmd_trigger_completions+0x1db/0x600 [mlx5_core]
Write of size 4 at addr 0000000000000214 by task kworker/u96:2/12078
CPU: 10 PID: 12078 Comm: kworker/u96:2 Not tainted 6.9.0-rc2_for_upstream_debug_2024_04_07_19_01 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Workqueue: mlx5_health0000:08:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core]
Call Trace:
dump_stack_lvl+0x7e/0xc0
kasan_report+0xb9/0xf0
kasan_check_range+0xec/0x190
mlx5_cmd_trigger_completions+0x1db/0x600 [mlx5_core]
mlx5_cmd_flush+0x94/0x240 [mlx5_core]
enter_error_state+0x6c/0xd0 [mlx5_core]
mlx5_fw_fatal_reporter_err_work+0xf3/0x480 [mlx5_core]
process_one_work+0x787/0x1490
? lockdep_hardirqs_on_prepare+0x400/0x400
? pwq_dec_nr_in_flight+0xda0/0xda0
? assign_work+0x168/0x240
worker_thread+0x586/0xd30
? rescuer_thread+0xae0/0xae0
kthread+0x2df/0x3b0
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x2d/0x70
? kthread_complete_and_exit+0x20/0x20
ret_from_fork_asm+0x11/0x20
```
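The failure mode described in the commit message above, as an added example that is not part of the advisory or of the mlx5 driver: a simplified user-space C model showing why an uninitialized dedicated bit makes an empty slot look busy to the error-path flush. All names (`struct cmd`, `free_mask`, `init_buggy`, `init_fixed`, `flush`) are hypothetical, the bit polarity (set bit = free slot) is an assumption, and the model counts the NULL entries instead of dereferencing them.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified user-space model; every name here is hypothetical, not mlx5 code. */
#define SLOTS      8                    /* regular slots 0..6 plus one dedicated slot */
#define PAGES_SLOT (SLOTS - 1)          /* dedicated slot, standing in for MANAGE_PAGES */
#define ALL_MASK   ((1UL << SLOTS) - 1)

struct entry { int status; };

struct cmd {
    unsigned long free_mask;            /* assumption: a set bit means the slot is free */
    struct entry *ent[SLOTS];           /* NULL until a command occupies the slot */
};

/* Before: only the regular slots are marked free; the dedicated bit stays 0. */
static void init_buggy(struct cmd *c)
{
    *c = (struct cmd){0};
    c->free_mask = (1UL << PAGES_SLOT) - 1;
}

/* After: every slot, including the dedicated one, starts out free. */
static void init_fixed(struct cmd *c)
{
    *c = (struct cmd){0};
    c->free_mask = ALL_MASK;
}

/* Error-path flush: force-complete every slot that looks busy. Returns how many
 * busy-looking slots had no entry; in the kernel that is the NULL write. */
static int flush(struct cmd *c)
{
    unsigned long busy = ~c->free_mask & ALL_MASK;
    int null_hits = 0;
    for (int i = 0; i < SLOTS; i++) {
        if (!(busy & (1UL << i)))
            continue;
        if (c->ent[i] == NULL) { null_hits++; continue; }
        c->ent[i]->status = -1;         /* forced completion of a real in-flight command */
    }
    return null_hits;
}

int main(void)
{
    struct cmd c;
    init_buggy(&c); printf("buggy init: %d NULL entries hit\n", flush(&c));
    init_fixed(&c); printf("fixed init: %d NULL entries hit\n", flush(&c));
    return 0;
}
```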
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1 (including) | 6.1.115 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.59 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.11.6 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/2feac1e562be0efc621a6722644a90f355d53473
- https://git.kernel.org/stable/c/d1606090bb294cecb7de3c4ed177f5aa0abd4c4e
- https://git.kernel.org/stable/c/d62b14045c6511a7b2d4948d1a83a4e592deeb05
- https://git.kernel.org/stable/c/d88564c79d1cedaf2655f12261eca0d2796bde4e
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html



