CVE-2021-47615

RDMA/mlx5: Fix releasing unallocated memory in dereg MR flow

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix releasing unallocated memory in dereg MR flow

For the case of IB_MR_TYPE_DM the mr does doesn't have a umem, even though
it is a user MR. This causes function mlx5_free_priv_descs() to think that
it is a kernel MR, leading to wrongly accessing mr->descs that will get
wrong values in the union which leads to attempt to release resources that
were not allocated in the first place.

For example:
DMA-API: mlx5_core 0000:08:00.1: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=0 bytes]
WARNING: CPU: 8 PID: 1021 at kernel/dma/debug.c:961 check_unmap+0x54f/0x8b0
RIP: 0010:check_unmap+0x54f/0x8b0
Call Trace:
debug_dma_unmap_page+0x57/0x60
mlx5_free_priv_descs+0x57/0x70 [mlx5_ib]
mlx5_ib_dereg_mr+0x1fb/0x3d0 [mlx5_ib]
ib_dereg_mr_user+0x60/0x140 [ib_core]
uverbs_destroy_uobject+0x59/0x210 [ib_uverbs]
uobj_destroy+0x3f/0x80 [ib_uverbs]
ib_uverbs_cmd_verbs+0x435/0xd10 [ib_uverbs]
? uverbs_finalize_object+0x50/0x50 [ib_uverbs]
? lock_acquire+0xc4/0x2e0
? lock_acquired+0x12/0x380
? lock_acquire+0xc4/0x2e0
? lock_acquire+0xc4/0x2e0
? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]
? lock_release+0x28a/0x400
ib_uverbs_ioctl+0xc0/0x140 [ib_uverbs]
? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]
__x64_sys_ioctl+0x7f/0xb0
do_syscall_64+0x38/0x90

Fix it by reorganizing the dereg flow and mlx5_ib_mr structure:
- Move the ib_umem field into the user MRs structure in the union as it's
applicable only there.
- Function mlx5_ib_dereg_mr() will now call mlx5_free_priv_descs() only
in case there isn't udata, which indicates that this isn't a user MR.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: RDMA/mlx5: Se corrigió la liberación de memoria no asignada en el flujo de MR dereg. Para el caso de IB_MR_TYPE_DM, mr no tiene un umem, aunque sea un usuario MR. Esto hace que la función mlx5_free_priv_descs() piense que es un MR del kernel, lo que lleva a un acceso incorrecto a mr->descs que obtendrá valores incorrectos en la unión, lo que lleva a intentar liberar recursos que no fueron asignados en primer lugar. Por ejemplo: DMA-API: mlx5_core 0000:08:00.1: el controlador de dispositivo intenta liberar la memoria DMA que no ha asignado [dirección del dispositivo=0x0000000000000000] [tamaño=0 bytes] ADVERTENCIA: CPU: 8 PID: 1021 en kernel/dma/ debug.c:961 check_unmap+0x54f/0x8b0 RIP: 0010:check_unmap+0x54f/0x8b0 Seguimiento de llamadas: debug_dma_unmap_page+0x57/0x60 mlx5_free_priv_descs+0x57/0x70 [mlx5_ib] [mlx5_ib] ib_dereg_mr_user+0x60/0x140 [ib_core ] uverbs_destroy_uobject+0x59/0x210 [ib_uverbs] uobj_destroy+0x3f/0x80 [ib_uverbs] ib_uverbs_cmd_verbs+0x435/0xd10 [ib_uverbs] ? uverbs_finalize_object+0x50/0x50 [ib_uverbs] ? lock_acquire+0xc4/0x2e0? lock_adquirido+0x12/0x380? lock_acquire+0xc4/0x2e0? lock_acquire+0xc4/0x2e0? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs] ? lock_release+0x28a/0x400 ib_uverbs_ioctl+0xc0/0x140 [ib_uverbs]? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs] __x64_sys_ioctl+0x7f/0xb0 do_syscall_64+0x38/0x90 Soluciónelo reorganizando el flujo de dereg y la estructura mlx5_ib_mr: - Mueva el campo ib_umem a la estructura MRs del usuario en la unión, ya que solo se aplica allí. - La función mlx5_ib_dereg_mr() ahora llamará a mlx5_free_priv_descs() solo en caso de que no haya udata, lo que indica que no se trata de un usuario MR.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-06-19 CVE Reserved
2024-06-19 CVE Published
2024-06-20 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (4)

URL	Tag	Source
https://git.kernel.org/stable/c/f18ec422311767738ef4033b61e91cae07163b22	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/e3bc4d4b50cae7db08e50dbe43f771c906e97701	2021-12-17
https://git.kernel.org/stable/c/c44979ace49b4aede3cc7cb5542316e53a4005c9	2022-01-11
https://git.kernel.org/stable/c/f0ae4afe3d35e67db042c58a52909e06262b740f	2021-11-25

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.13 < 5.15.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.13 < 5.15.10"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.13 < 5.15.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.13 < 5.15.14"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.13 < 5.16 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.13 < 5.16"		en		Affected