cve-2021-47196
Vulnerability from cvelistv5
Published
2024-04-10 18:56
Modified
2024-11-04 12:01
Severity ?
Summary
RDMA/core: Set send and receive CQ before forwarding to the driver
Impacted products
Vendor Product Version
Linux Linux Version: 5.15
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47196",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-10T19:32:29.319944Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:15:04.498Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:32:07.459Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b70e072feffa0ba5c41a99b9524b9878dee7748e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6cd7397d01c4a3e09757840299e4f114f0aa5fa0"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/verbs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b70e072feffa",
              "status": "affected",
              "version": "514aee660df4",
              "versionType": "git"
            },
            {
              "lessThan": "6cd7397d01c4",
              "status": "affected",
              "version": "514aee660df4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/verbs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Set send and receive CQ before forwarding to the driver\n\nPreset both receive and send CQ pointers prior to call to the drivers and\noverwrite it later again till the mlx4 is going to be changed do not\noverwrite ibqp properties.\n\nThis change is needed for mlx5, because in case of QP creation failure, it\nwill go to the path of QP destroy which relies on proper CQ pointers.\n\n BUG: KASAN: use-after-free in create_qp.cold+0x164/0x16e [mlx5_ib]\n Write of size 8 at addr ffff8880064c55c0 by task a.out/246\n\n CPU: 0 PID: 246 Comm: a.out Not tainted 5.15.0+ #291\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Call Trace:\n  dump_stack_lvl+0x45/0x59\n  print_address_description.constprop.0+0x1f/0x140\n  kasan_report.cold+0x83/0xdf\n  create_qp.cold+0x164/0x16e [mlx5_ib]\n  mlx5_ib_create_qp+0x358/0x28a0 [mlx5_ib]\n  create_qp.part.0+0x45b/0x6a0 [ib_core]\n  ib_create_qp_user+0x97/0x150 [ib_core]\n  ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\n  ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\n  ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\n  __x64_sys_ioctl+0x866/0x14d0\n  do_syscall_64+0x3d/0x90\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Allocated by task 246:\n  kasan_save_stack+0x1b/0x40\n  __kasan_kmalloc+0xa4/0xd0\n  create_qp.part.0+0x92/0x6a0 [ib_core]\n  ib_create_qp_user+0x97/0x150 [ib_core]\n  ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\n  ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\n  ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\n  __x64_sys_ioctl+0x866/0x14d0\n  do_syscall_64+0x3d/0x90\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Freed by task 246:\n  kasan_save_stack+0x1b/0x40\n  kasan_set_track+0x1c/0x30\n  kasan_set_free_info+0x20/0x30\n  __kasan_slab_free+0x10c/0x150\n  slab_free_freelist_hook+0xb4/0x1b0\n  kfree+0xe7/0x2a0\n  create_qp.part.0+0x52b/0x6a0 [ib_core]\n  ib_create_qp_user+0x97/0x150 [ib_core]\n  ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\n  ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\n  ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\n  __x64_sys_ioctl+0x866/0x14d0\n  do_syscall_64+0x3d/0x90\n  entry_SYSCALL_64_after_hwframe+0x44/0xae"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T12:01:19.499Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b70e072feffa0ba5c41a99b9524b9878dee7748e"
        },
        {
          "url": "https://git.kernel.org/stable/c/6cd7397d01c4a3e09757840299e4f114f0aa5fa0"
        }
      ],
      "title": "RDMA/core: Set send and receive CQ before forwarding to the driver",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47196",
    "datePublished": "2024-04-10T18:56:32.634Z",
    "dateReserved": "2024-03-25T09:12:14.115Z",
    "dateUpdated": "2024-11-04T12:01:19.499Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47196\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-10T19:15:47.897\",\"lastModified\":\"2024-11-21T06:35:36.543\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/core: Set send and receive CQ before forwarding to the driver\\n\\nPreset both receive and send CQ pointers prior to call to the drivers and\\noverwrite it later again till the mlx4 is going to be changed do not\\noverwrite ibqp properties.\\n\\nThis change is needed for mlx5, because in case of QP creation failure, it\\nwill go to the path of QP destroy which relies on proper CQ pointers.\\n\\n BUG: KASAN: use-after-free in create_qp.cold+0x164/0x16e [mlx5_ib]\\n Write of size 8 at addr ffff8880064c55c0 by task a.out/246\\n\\n CPU: 0 PID: 246 Comm: a.out Not tainted 5.15.0+ #291\\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\\n Call Trace:\\n  dump_stack_lvl+0x45/0x59\\n  print_address_description.constprop.0+0x1f/0x140\\n  kasan_report.cold+0x83/0xdf\\n  create_qp.cold+0x164/0x16e [mlx5_ib]\\n  mlx5_ib_create_qp+0x358/0x28a0 [mlx5_ib]\\n  create_qp.part.0+0x45b/0x6a0 [ib_core]\\n  ib_create_qp_user+0x97/0x150 [ib_core]\\n  ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\\n  ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\\n  ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\\n  __x64_sys_ioctl+0x866/0x14d0\\n  do_syscall_64+0x3d/0x90\\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\\n\\n Allocated by task 246:\\n  kasan_save_stack+0x1b/0x40\\n  __kasan_kmalloc+0xa4/0xd0\\n  create_qp.part.0+0x92/0x6a0 [ib_core]\\n  ib_create_qp_user+0x97/0x150 [ib_core]\\n  ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\\n  ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\\n  ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\\n  __x64_sys_ioctl+0x866/0x14d0\\n  do_syscall_64+0x3d/0x90\\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\\n\\n Freed by task 246:\\n  kasan_save_stack+0x1b/0x40\\n  kasan_set_track+0x1c/0x30\\n  kasan_set_free_info+0x20/0x30\\n  __kasan_slab_free+0x10c/0x150\\n  slab_free_freelist_hook+0xb4/0x1b0\\n  kfree+0xe7/0x2a0\\n  create_qp.part.0+0x52b/0x6a0 [ib_core]\\n  ib_create_qp_user+0x97/0x150 [ib_core]\\n  ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\\n  ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\\n  ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\\n  __x64_sys_ioctl+0x866/0x14d0\\n  do_syscall_64+0x3d/0x90\\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: RDMA/core: Establecer el CQ de env\u00edo y recepci\u00f3n antes de reenviar al controlador Preestablecer los punteros CQ de env\u00edo y recepci\u00f3n antes de llamar a los controladores y sobrescribirlos m\u00e1s tarde nuevamente hasta que se vaya a cambiar mlx4 no sobrescribir las propiedades ibqp. Este cambio es necesario para mlx5, porque en caso de falla en la creaci\u00f3n de QP, ir\u00e1 a la ruta de destrucci\u00f3n de QP que depende de punteros CQ adecuados. BUG: KASAN: use-after-free in create_qp.cold+0x164/0x16e [mlx5_ib] Write of size 8 at addr ffff8880064c55c0 by task a.out/246 CPU: 0 PID: 246 Comm: a.out Not tainted 5.15.0+ #291 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl+0x45/0x59 print_address_description.constprop.0+0x1f/0x140 kasan_report.cold+0x83/0xdf create_qp.cold+0x164/0x16e [mlx5_ib] mlx5_ib_create_qp+0x358/0x28a0 [mlx5_ib] create_qp.part.0+0x45b/0x6a0 [ib_core] ib_create_qp_user+0x97/0x150 [ib_core] ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs] ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs] ib_uverbs_ioctl+0x169/0x260 [ib_uverbs] __x64_sys_ioctl+0x866/0x14d0 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae Allocated by task 246: kasan_save_stack+0x1b/0x40 __kasan_kmalloc+0xa4/0xd0 create_qp.part.0+0x92/0x6a0 [ib_core] ib_create_qp_user+0x97/0x150 [ib_core] ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs] ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs] ib_uverbs_ioctl+0x169/0x260 [ib_uverbs] __x64_sys_ioctl+0x866/0x14d0 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 246: kasan_save_stack+0x1b/0x40 kasan_set_track+0x1c/0x30 kasan_set_free_info+0x20/0x30 __kasan_slab_free+0x10c/0x150 slab_free_freelist_hook+0xb4/0x1b0 kfree+0xe7/0x2a0 create_qp.part.0+0x52b/0x6a0 [ib_core] ib_create_qp_user+0x97/0x150 [ib_core] ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs] ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs] ib_uverbs_ioctl+0x169/0x260 [ib_uverbs] __x64_sys_ioctl+0x866/0x14d0 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae \"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/6cd7397d01c4a3e09757840299e4f114f0aa5fa0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b70e072feffa0ba5c41a99b9524b9878dee7748e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6cd7397d01c4a3e09757840299e4f114f0aa5fa0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/b70e072feffa0ba5c41a99b9524b9878dee7748e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.