CVE-2022-48729

{"id": "CVE-2022-48729", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-06-20T12:15:11.343", "references": [{"url": "https://git.kernel.org/stable/c/1530d84fba1e459ba55f46aa42649b88773210e7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8c83d39cc730378bbac64d67a551897b203a606e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix panic with larger ipoib send_queue_size\n\nWhen the ipoib send_queue_size is increased from the default the following\npanic happens:\n\n RIP: 0010:hfi1_ipoib_drain_tx_ring+0x45/0xf0 [hfi1]\n Code: 31 e4 eb 0f 8b 85 c8 02 00 00 41 83 c4 01 44 39 e0 76 60 8b 8d cc 02 00 00 44 89 e3 be 01 00 00 00 d3 e3 48 03 9d c0 02 00 00 <c7> 83 18 01 00 00 00 00 00 00 48 8b bb 30 01 00 00 e8 25 af a7 e0\n RSP: 0018:ffffc9000798f4a0 EFLAGS: 00010286\n RAX: 0000000000008000 RBX: ffffc9000aa0f000 RCX: 000000000000000f\n RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000\n RBP: ffff88810ff08000 R08: ffff88889476d900 R09: 0000000000000101\n R10: 0000000000000000 R11: ffffc90006590ff8 R12: 0000000000000200\n R13: ffffc9000798fba8 R14: 0000000000000000 R15: 0000000000000001\n FS: 00007fd0f79cc3c0(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffc9000aa0f118 CR3: 0000000889c84001 CR4: 00000000001706e0\n Call Trace:\n <TASK>\n hfi1_ipoib_napi_tx_disable+0x45/0x60 [hfi1]\n hfi1_ipoib_dev_stop+0x18/0x80 [hfi1]\n ipoib_ib_dev_stop+0x1d/0x40 [ib_ipoib]\n ipoib_stop+0x48/0xc0 [ib_ipoib]\n __dev_close_many+0x9e/0x110\n __dev_change_flags+0xd9/0x210\n dev_change_flags+0x21/0x60\n do_setlink+0x31c/0x10f0\n ? __nla_validate_parse+0x12d/0x1a0\n ? __nla_parse+0x21/0x30\n ? inet6_validate_link_af+0x5e/0xf0\n ? cpumask_next+0x1f/0x20\n ? __snmp6_fill_stats64.isra.53+0xbb/0x140\n ? __nla_validate_parse+0x47/0x1a0\n __rtnl_newlink+0x530/0x910\n ? pskb_expand_head+0x73/0x300\n ? __kmalloc_node_track_caller+0x109/0x280\n ? __nla_put+0xc/0x20\n ? cpumask_next_and+0x20/0x30\n ? update_sd_lb_stats.constprop.144+0xd3/0x820\n ? _raw_spin_unlock_irqrestore+0x25/0x37\n ? __wake_up_common_lock+0x87/0xc0\n ? kmem_cache_alloc_trace+0x3d/0x3d0\n rtnl_newlink+0x43/0x60\n\nThe issue happens when the shift that should have been a function of the\ntxq item size mistakenly used the ring size.\n\nFix by using the item size."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: IB/hfi1: Corrija el p\u00e1nico con ipoib send_queue_size m\u00e1s grande Cuando ipoib send_queue_size aumenta respecto del valor predeterminado, ocurre el siguiente p\u00e1nico: RIP: 0010:hfi1_ipoib_drain_tx_ring+0x45/0xf0 [hfi1] C\u00f3digo: 31 e4 eb 0f 8b 85 c8 02 00 00 41 83 c4 01 44 39 e0 76 60 8b 8d cc 02 00 00 44 89 e3 be 01 00 00 00 d3 e3 48 03 9d c0 02 00 00 83 8 01 00 00 00 00 00 00 48 8b bb 30 01 00 00 e8 25 af a7 e0 RSP: 0018:ffffc9000798f4a0 EFLAGS: 00010286 RAX: 00000000000008000 RBX: ffffc9000aa0f000 RCX: 000000000000000f RDX: 00000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88810ff08000 R08: ffff88889476d900 R09: 0000000000000101 R10: 0000000000000000 R11: ffffc90006590ff8 R12: 0000000000000200 R13: ffffc9000798fba8 R14: 0000000000000000 R15: 00000000000001 FS: 00007fd0f79cc3c0(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR 2: ffffc9000aa0f118 CR3 : 0000000889c84001 CR4: 00000000001706e0 Seguimiento de llamadas: hfi1_ipoib_napi_tx_disable+0x45/0x60 [hfi1] hfi1_ipoib_dev_stop+0x18/0x80 [hfi1] [ib_ipoib] ipoib_stop+0x48/0xc0 [ib_ipoib] __dev_close_many+0x9e/0x110 __dev_change_flags+ 0xd9/0x210 dev_change_flags+0x21/0x60 do_setlink+0x31c/0x10f0? __nla_validate_parse+0x12d/0x1a0 ? __nla_parse+0x21/0x30? inet6_validate_link_af+0x5e/0xf0? cpumask_next+0x1f/0x20 ? __snmp6_fill_stats64.isra.53+0xbb/0x140 ? __nla_validate_parse+0x47/0x1a0 __rtnl_newlink+0x530/0x910 ? pskb_expand_head+0x73/0x300? __kmalloc_node_track_caller+0x109/0x280 ? __nla_put+0xc/0x20 ? cpumask_next_and+0x20/0x30? update_sd_lb_stats.constprop.144+0xd3/0x820? _raw_spin_unlock_irqrestore+0x25/0x37? __wake_up_common_lock+0x87/0xc0? kmem_cache_alloc_trace+0x3d/0x3d0 rtnl_newlink+0x43/0x60 El problema ocurre cuando el cambio que deber\u00eda haber sido una funci\u00f3n del tama\u00f1o del elemento txq us\u00f3 por error el tama\u00f1o del anillo. Arreglar usando el tama\u00f1o del elemento."}], "lastModified": "2024-09-18T16:06:21.790", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0623892A-E3E4-44E6-8A5E-39A0B47AF782", "versionEndExcluding": "5.16.8", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7BD5F8D9-54FA-4CB0-B4F0-CB0471FDDB2D"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E6E34B23-78B4-4516-9BD8-61B33F4AC49A"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}