CVE-2024-44976

{"id": "CVE-2024-44976", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-09-04T20:15:07.223", "references": [{"url": "https://git.kernel.org/stable/c/709e4c8f78e156ab332297bdd87527ec3da4e2d4", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/822c8020aebcf5804a143b891e34f29873fee5e2", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: pata_macio: Fix DMA table overflow\n\nKolbj\u00f8rn and Jon\u00e1\u0161 reported that their 32-bit PowerMacs were crashing\nin pata-macio since commit 09fe2bfa6b83 (\"ata: pata_macio: Fix\nmax_segment_size with PAGE_SIZE == 64K\").\n\nFor example:\n\n kernel BUG at drivers/ata/pata_macio.c:544!\n Oops: Exception in kernel mode, sig: 5 [#1]\n BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 DEBUG_PAGEALLOC PowerMac\n ...\n NIP pata_macio_qc_prep+0xf4/0x190\n LR pata_macio_qc_prep+0xfc/0x190\n Call Trace:\n 0xc1421660 (unreliable)\n ata_qc_issue+0x14c/0x2d4\n __ata_scsi_queuecmd+0x200/0x53c\n ata_scsi_queuecmd+0x50/0xe0\n scsi_queue_rq+0x788/0xb1c\n __blk_mq_issue_directly+0x58/0xf4\n blk_mq_plug_issue_direct+0x8c/0x1b4\n blk_mq_flush_plug_list.part.0+0x584/0x5e0\n __blk_flush_plug+0xf8/0x194\n __submit_bio+0x1b8/0x2e0\n submit_bio_noacct_nocheck+0x230/0x304\n btrfs_work_helper+0x200/0x338\n process_one_work+0x1a8/0x338\n worker_thread+0x364/0x4c0\n kthread+0x100/0x104\n start_kernel_thread+0x10/0x14\n\nThat commit increased max_segment_size to 64KB, with the justification\nthat the SCSI core was already using that size when PAGE_SIZE == 64KB,\nand that there was existing logic to split over-sized requests.\n\nHowever with a sufficiently large request, the splitting logic causes\neach sg to be split into two commands in the DMA table, leading to\noverflow of the DMA table, triggering the BUG_ON().\n\nWith default settings the bug doesn't trigger, because the request size\nis limited by max_sectors_kb == 1280, however max_sectors_kb can be\nincreased, and apparently some distros do that by default using udev\nrules.\n\nFix the bug for 4KB kernels by reverting to the old max_segment_size.\n\nFor 64KB kernels the sg_tablesize needs to be halved, to allow for the\npossibility that each sg will be split into two."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ata: pata_macio: Fix DMA table overflow Kolbj\u00f8rn y Jon\u00e1\u0161 informaron que sus PowerMacs de 32 bits fallaban en pata-macio desde el commit 09fe2bfa6b83 (\"ata: pata_macio: Fix max_segment_size with PAGE_SIZE == 64K\"). Por ejemplo: \u00a1ERROR del kernel en drivers/ata/pata_macio.c:544! Ups: Excepci\u00f3n en modo kernel, firma: 5 [#1] BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 DEBUG_PAGEALLOC PowerMac ... NIP pata_macio_qc_prep+0xf4/0x190 LR pata_macio_qc_prep+0xfc/0x190 Rastreo de llamadas: 0xc1421660 (no confiable) ata_qc_issue+0x14c/0x2d4 __ata_scsi_queuecmd+0x200/0x53c ata_scsi_queuecmd+0x50/0xe0 scsi_queue_rq+0x788/0xb1c __blk_mq_issue_directly+0x58/0xf4 blk_mq_plug_issue_direct+0x8c/0x1b4 blk_mq_flush_plug_list.part.0+0x584/0x5e0 __blk_flush_plug+0xf8/0x194 __submit_bio+0x1b8/0x2e0 submission_bio_noacct_nocheck+0x230/0x304 btrfs_work_helper+0x200/0x338 process_one_work+0x1a8/0x338 worker_thread+0x364/0x4c0 kthread+0x100/0x104 start_kernel_thread+0x10/0x14 Esa confirmaci\u00f3n aument\u00f3 max_segment_size a 64 KB, con la justificaci\u00f3n de que el n\u00facleo SCSI ya estaba usando ese tama\u00f1o cuando PAGE_SIZE == 64 KB, y que exist\u00eda una l\u00f3gica para dividir las solicitudes de gran tama\u00f1o. Sin embargo, con una solicitud lo suficientemente grande, la l\u00f3gica de divisi\u00f3n hace que cada sg se divida en dos comandos en la tabla DMA, lo que provoca un desbordamiento de la tabla DMA y activa el BUG_ON(). Con la configuraci\u00f3n predeterminada, el error no se activa, porque el tama\u00f1o de la solicitud est\u00e1 limitado por max_sectors_kb == 1280, sin embargo, max_sectors_kb se puede aumentar y, aparentemente, algunas distribuciones lo hacen de forma predeterminada utilizando reglas de udev. Corrija el error para los n\u00facleos de 4 KB volviendo al antiguo max_segment_size. Para los n\u00facleos de 64 KB, el sg_tablesize debe reducirse a la mitad, para permitir la posibilidad de que cada sg se divida en dos."}], "lastModified": "2024-10-10T17:50:14.863", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E55C1263-DF43-41EF-8DA8-2BA68DF4FFFD", "versionEndExcluding": "6.10.7", "versionStartIncluding": "6.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8B3CE743-2126-47A3-8B7C-822B502CF119"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4DEB27E7-30AA-45CC-8934-B89263EF3551"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E0005AEF-856E-47EB-BFE4-90C46899394D"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "39889A68-6D34-47A6-82FC-CD0BF23D6754"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}