Vulnerability-Lookup

SUSE-SU-2024:1750-1

Vulnerability from csaf_suse - Published: 2024-05-22 11:04 - Updated: 2024-05-22 11:04

Summary

Security update for the Linux Kernel (Live Patch 25 for SLE 15 SP4)

Severity

Important

Notes

Title of the patch: Security update for the Linux Kernel (Live Patch 25 for SLE 15 SP4)

Description of the patch: This update for the Linux Kernel 5.14.21-150400_24_116 fixes several issues. The following security issues were fixed: - CVE-2024-26610: Fixed memory corruption in wifi/iwlwifi (bsc#1221302). - CVE-2022-48651: Fixed an out-of-bound bug in ipvlan caused by unset skb->mac_header (bsc#1223514). - CVE-2024-26766: Fixed SDMA off-by-one error in _pad_sdma_tx_descs() (bsc#1222882).

Patchnames: SUSE-2024-1750,SUSE-SLE-Module-Live-Patching-15-SP4-2024-1750

CVE-2022-48651

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2024-26610

7.1 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2024-26766

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/s…	self
	https://www.suse.com/support/update/announcement/…	self
	https://lists.suse.com/pipermail/sle-updates/2024…	self
	https://bugzilla.suse.com/1221302	self
	https://bugzilla.suse.com/1222882	self
	https://bugzilla.suse.com/1223514	self
	https://www.suse.com/security/cve/CVE-2022-48651/	self
	https://www.suse.com/security/cve/CVE-2024-26610/	self
	https://www.suse.com/security/cve/CVE-2024-26766/	self
	https://www.suse.com/security/cve/CVE-2022-48651	external
	https://bugzilla.suse.com/1223513	external
	https://bugzilla.suse.com/1223514	external
	https://www.suse.com/security/cve/CVE-2024-26610	external
	https://bugzilla.suse.com/1221299	external
	https://bugzilla.suse.com/1221302	external
	https://www.suse.com/security/cve/CVE-2024-26766	external
	https://bugzilla.suse.com/1222726	external
	https://bugzilla.suse.com/1222882	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for the Linux Kernel (Live Patch 25 for SLE 15 SP4)",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for the Linux Kernel 5.14.21-150400_24_116 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2024-26610: Fixed memory corruption in wifi/iwlwifi (bsc#1221302).\n- CVE-2022-48651: Fixed an out-of-bound bug in ipvlan caused by unset skb-\u003emac_header (bsc#1223514).\n- CVE-2024-26766: Fixed SDMA off-by-one error in _pad_sdma_tx_descs() (bsc#1222882).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2024-1750,SUSE-SLE-Module-Live-Patching-15-SP4-2024-1750",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_1750-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2024:1750-1",
        "url": "https://www.suse.com/support/update/announcement/2024/suse-su-20241750-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2024:1750-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2024-May/035333.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1221302",
        "url": "https://bugzilla.suse.com/1221302"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1222882",
        "url": "https://bugzilla.suse.com/1222882"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1223514",
        "url": "https://bugzilla.suse.com/1223514"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-48651 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-48651/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-26610 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-26610/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-26766 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-26766/"
      }
    ],
    "title": "Security update for the Linux Kernel (Live Patch 25 for SLE 15 SP4)",
    "tracking": {
      "current_release_date": "2024-05-22T11:04:22Z",
      "generator": {
        "date": "2024-05-22T11:04:22Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2024:1750-1",
      "initial_release_date": "2024-05-22T11:04:22Z",
      "revision_history": [
        {
          "date": "2024-05-22T11:04:22Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.ppc64le",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.ppc64le",
                  "product_id": "kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.s390x",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.s390x",
                  "product_id": "kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.x86_64",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.x86_64",
                  "product_id": "kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Live Patching 15 SP4",
                "product": {
                  "name": "SUSE Linux Enterprise Live Patching 15 SP4",
                  "product_id": "SUSE Linux Enterprise Live Patching 15 SP4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-live-patching:15:sp4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.ppc64le as component of SUSE Linux Enterprise Live Patching 15 SP4",
          "product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.ppc64le"
        },
        "product_reference": "kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.s390x as component of SUSE Linux Enterprise Live Patching 15 SP4",
          "product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.s390x"
        },
        "product_reference": "kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP4",
          "product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.x86_64"
        },
        "product_reference": "kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-48651",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-48651"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Fix out-of-bound bugs caused by unset skb-\u003emac_header\n\nIf an AF_PACKET socket is used to send packets through ipvlan and the\ndefault xmit function of the AF_PACKET socket is changed from\ndev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option\nname of PACKET_QDISC_BYPASS, the skb-\u003emac_header may not be reset and\nremains as the initial value of 65535, this may trigger slab-out-of-bounds\nbugs as following:\n\n=================================================================\nUG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]\nPU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6\nardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33\nall Trace:\nprint_address_description.constprop.0+0x1d/0x160\nprint_report.cold+0x4f/0x112\nkasan_report+0xa3/0x130\nipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]\nipvlan_start_xmit+0x29/0xa0 [ipvlan]\n__dev_direct_xmit+0x2e2/0x380\npacket_direct_xmit+0x22/0x60\npacket_snd+0x7c9/0xc40\nsock_sendmsg+0x9a/0xa0\n__sys_sendto+0x18a/0x230\n__x64_sys_sendto+0x74/0x90\ndo_syscall_64+0x3b/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe root cause is:\n  1. packet_snd() only reset skb-\u003emac_header when sock-\u003etype is SOCK_RAW\n     and skb-\u003eprotocol is not specified as in packet_parse_headers()\n\n  2. packet_direct_xmit() doesn\u0027t reset skb-\u003emac_header as dev_queue_xmit()\n\nIn this case, skb-\u003emac_header is 65535 when ipvlan_xmit_mode_l2() is\ncalled. So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which\nuse \"skb-\u003ehead + skb-\u003emac_header\", out-of-bound access occurs.\n\nThis patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2()\nand reset mac header in multicast to solve this out-of-bound bug.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-48651",
          "url": "https://www.suse.com/security/cve/CVE-2022-48651"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1223513 for CVE-2022-48651",
          "url": "https://bugzilla.suse.com/1223513"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1223514 for CVE-2022-48651",
          "url": "https://bugzilla.suse.com/1223514"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-05-22T11:04:22Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-48651"
    },
    {
      "cve": "CVE-2024-26610",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-26610"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: fix a memory corruption\n\niwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that\nif we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in\nbytes, we\u0027ll write past the buffer.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-26610",
          "url": "https://www.suse.com/security/cve/CVE-2024-26610"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1221299 for CVE-2024-26610",
          "url": "https://bugzilla.suse.com/1221299"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1221302 for CVE-2024-26610",
          "url": "https://bugzilla.suse.com/1221302"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-05-22T11:04:22Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-26610"
    },
    {
      "cve": "CVE-2024-26766",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-26766"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix sdma.h tx-\u003enum_descs off-by-one error\n\nUnfortunately the commit `fd8958efe877` introduced another error\ncausing the `descs` array to overflow. This reults in further crashes\neasily reproducible by `sendmsg` system call.\n\n[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI\n[ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]\n--\n[ 1080.974535] Call Trace:\n[ 1080.976990]  \u003cTASK\u003e\n[ 1081.021929]  hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]\n[ 1081.027364]  hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]\n[ 1081.032633]  hfi1_ipoib_send+0x112/0x300 [hfi1]\n[ 1081.042001]  ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]\n[ 1081.046978]  dev_hard_start_xmit+0xc4/0x210\n--\n[ 1081.148347]  __sys_sendmsg+0x59/0xa0\n\ncrash\u003e ipoib_txreq 0xffff9cfeba229f00\nstruct ipoib_txreq {\n  txreq = {\n    list = {\n      next = 0xffff9cfeba229f00,\n      prev = 0xffff9cfeba229f00\n    },\n    descp = 0xffff9cfeba229f40,\n    coalesce_buf = 0x0,\n    wait = 0xffff9cfea4e69a48,\n    complete = 0xffffffffc0fe0760 \u003chfi1_ipoib_sdma_complete\u003e,\n    packet_len = 0x46d,\n    tlen = 0x0,\n    num_desc = 0x0,\n    desc_limit = 0x6,\n    next_descq_idx = 0x45c,\n    coalesce_idx = 0x0,\n    flags = 0x0,\n    descs = {{\n        qw = {0x8024000120dffb00, 0x4}  # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)\n      }, {\n        qw = {  0x3800014231b108, 0x4}\n      }, {\n        qw = { 0x310000e4ee0fcf0, 0x8}\n      }, {\n        qw = {  0x3000012e9f8000, 0x8}\n      }, {\n        qw = {  0x59000dfb9d0000, 0x8}\n      }, {\n        qw = {  0x78000e02e40000, 0x8}\n      }}\n  },\n  sdma_hdr =  0x400300015528b000,  \u003c\u003c\u003c invalid pointer in the tx request structure\n  sdma_status = 0x0,                   SDMA_DESC0_LAST_DESC_FLAG (bit 62)\n  complete = 0x0,\n  priv = 0x0,\n  txq = 0xffff9cfea4e69880,\n  skb = 0xffff9d099809f400\n}\n\nIf an SDMA send consists of exactly 6 descriptors and requires dword\npadding (in the 7th descriptor), the sdma_txreq descriptor array is not\nproperly expanded and the packet will overflow into the container\nstructure. This results in a panic when the send completion runs. The\nexact panic varies depending on what elements of the container structure\nget corrupted. The fix is to use the correct expression in\n_pad_sdma_tx_descs() to test the need to expand the descriptor array.\n\nWith this patch the crashes are no longer reproducible and the machine is\nstable.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-26766",
          "url": "https://www.suse.com/security/cve/CVE-2024-26766"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1222726 for CVE-2024-26766",
          "url": "https://bugzilla.suse.com/1222726"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1222882 for CVE-2024-26766",
          "url": "https://bugzilla.suse.com/1222882"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_116-default-2-150400.9.8.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-05-22T11:04:22Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-26766"
    }
  ]
}

CVE-2022-48651 (GCVE-0-2022-48651)

Vulnerability from cvelistv5 – Published: 2024-04-28 13:00 – Updated: 2025-05-04 08:20

Title

ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header

Summary

In the Linux kernel, the following vulnerability has been resolved: ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header If an AF_PACKET socket is used to send packets through ipvlan and the default xmit function of the AF_PACKET socket is changed from dev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option name of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and remains as the initial value of 65535, this may trigger slab-out-of-bounds bugs as following: ================================================================= UG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan] PU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6 ardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 all Trace: print_address_description.constprop.0+0x1d/0x160 print_report.cold+0x4f/0x112 kasan_report+0xa3/0x130 ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan] ipvlan_start_xmit+0x29/0xa0 [ipvlan] __dev_direct_xmit+0x2e2/0x380 packet_direct_xmit+0x22/0x60 packet_snd+0x7c9/0xc40 sock_sendmsg+0x9a/0xa0 __sys_sendto+0x18a/0x230 __x64_sys_sendto+0x74/0x90 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd The root cause is: 1. packet_snd() only reset skb->mac_header when sock->type is SOCK_RAW and skb->protocol is not specified as in packet_parse_headers() 2. packet_direct_xmit() doesn't reset skb->mac_header as dev_queue_xmit() In this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is called. So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which use "skb->head + skb->mac_header", out-of-bound access occurs. This patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2() and reset mac header in multicast to solve this out-of-bound bug.

Severity ?

7.7 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CWE

CWE-125 - Out-of-bounds Read

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e2b46cd5796f083e4…
	https://git.kernel.org/stable/c/25efdbe5fe542c306…
	https://git.kernel.org/stable/c/bffcdade259c05ab3…
	https://git.kernel.org/stable/c/346e94aa4a9937859…
	https://git.kernel.org/stable/c/ab4a733874ead1206…
	https://git.kernel.org/stable/c/8d06006c7eb75587d…
	https://git.kernel.org/stable/c/b583e6b25bf9321c9…
	https://git.kernel.org/stable/c/81225b2ea161af48e…

Impacted products

Vendor

Product

Version

Linux

Affected: 2ad7bf3638411cb547f2823df08166c13ab04269 , < e2b46cd5796f083e452fbc624f65b80328b0c1a4 (git)
Affected: 2ad7bf3638411cb547f2823df08166c13ab04269 , < 25efdbe5fe542c3063d1948cc4e98abcb57621ca (git)
Affected: 2ad7bf3638411cb547f2823df08166c13ab04269 , < bffcdade259c05ab3436b5fab711612093c275ef (git)
Affected: 2ad7bf3638411cb547f2823df08166c13ab04269 , < 346e94aa4a99378592c46d6a34c72703a32bd5be (git)
Affected: 2ad7bf3638411cb547f2823df08166c13ab04269 , < ab4a733874ead120691e8038272d22f8444d3638 (git)
Affected: 2ad7bf3638411cb547f2823df08166c13ab04269 , < 8d06006c7eb75587d986da46c48ba9274f94e8e7 (git)
Affected: 2ad7bf3638411cb547f2823df08166c13ab04269 , < b583e6b25bf9321c91154f6c78d2173ef12c4241 (git)
Affected: 2ad7bf3638411cb547f2823df08166c13ab04269 , < 81225b2ea161af48e093f58e8dfee6d705b16af4 (git)

Linux

Affected: 3.19
Unaffected: 0 , < 3.19 (semver)
Unaffected: 4.9.330 , ≤ 4.9.* (semver)
Unaffected: 4.14.295 , ≤ 4.14.* (semver)
Unaffected: 4.19.260 , ≤ 4.19.* (semver)
Unaffected: 5.4.215 , ≤ 5.4.* (semver)
Unaffected: 5.10.146 , ≤ 5.10.* (semver)
Unaffected: 5.15.71 , ≤ 5.15.* (semver)
Unaffected: 5.19.12 , ≤ 5.19.* (semver)
Unaffected: 6.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "status": "affected",
                "version": "3.19"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "status": "affected",
                "version": "2ad7bf363841"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.7,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-48651",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-30T15:57:11.904317Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-125",
                "description": "CWE-125 Out-of-bounds Read",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:16:46.123Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T15:17:55.603Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e2b46cd5796f083e452fbc624f65b80328b0c1a4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/25efdbe5fe542c3063d1948cc4e98abcb57621ca"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/bffcdade259c05ab3436b5fab711612093c275ef"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/346e94aa4a99378592c46d6a34c72703a32bd5be"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ab4a733874ead120691e8038272d22f8444d3638"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8d06006c7eb75587d986da46c48ba9274f94e8e7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b583e6b25bf9321c91154f6c78d2173ef12c4241"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/81225b2ea161af48e093f58e8dfee6d705b16af4"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ipvlan/ipvlan_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e2b46cd5796f083e452fbc624f65b80328b0c1a4",
              "status": "affected",
              "version": "2ad7bf3638411cb547f2823df08166c13ab04269",
              "versionType": "git"
            },
            {
              "lessThan": "25efdbe5fe542c3063d1948cc4e98abcb57621ca",
              "status": "affected",
              "version": "2ad7bf3638411cb547f2823df08166c13ab04269",
              "versionType": "git"
            },
            {
              "lessThan": "bffcdade259c05ab3436b5fab711612093c275ef",
              "status": "affected",
              "version": "2ad7bf3638411cb547f2823df08166c13ab04269",
              "versionType": "git"
            },
            {
              "lessThan": "346e94aa4a99378592c46d6a34c72703a32bd5be",
              "status": "affected",
              "version": "2ad7bf3638411cb547f2823df08166c13ab04269",
              "versionType": "git"
            },
            {
              "lessThan": "ab4a733874ead120691e8038272d22f8444d3638",
              "status": "affected",
              "version": "2ad7bf3638411cb547f2823df08166c13ab04269",
              "versionType": "git"
            },
            {
              "lessThan": "8d06006c7eb75587d986da46c48ba9274f94e8e7",
              "status": "affected",
              "version": "2ad7bf3638411cb547f2823df08166c13ab04269",
              "versionType": "git"
            },
            {
              "lessThan": "b583e6b25bf9321c91154f6c78d2173ef12c4241",
              "status": "affected",
              "version": "2ad7bf3638411cb547f2823df08166c13ab04269",
              "versionType": "git"
            },
            {
              "lessThan": "81225b2ea161af48e093f58e8dfee6d705b16af4",
              "status": "affected",
              "version": "2ad7bf3638411cb547f2823df08166c13ab04269",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ipvlan/ipvlan_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.19"
            },
            {
              "lessThan": "3.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.330",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.260",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.215",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.146",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.71",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.330",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.295",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.260",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.215",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.146",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.71",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.12",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Fix out-of-bound bugs caused by unset skb-\u003emac_header\n\nIf an AF_PACKET socket is used to send packets through ipvlan and the\ndefault xmit function of the AF_PACKET socket is changed from\ndev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option\nname of PACKET_QDISC_BYPASS, the skb-\u003emac_header may not be reset and\nremains as the initial value of 65535, this may trigger slab-out-of-bounds\nbugs as following:\n\n=================================================================\nUG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]\nPU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6\nardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33\nall Trace:\nprint_address_description.constprop.0+0x1d/0x160\nprint_report.cold+0x4f/0x112\nkasan_report+0xa3/0x130\nipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]\nipvlan_start_xmit+0x29/0xa0 [ipvlan]\n__dev_direct_xmit+0x2e2/0x380\npacket_direct_xmit+0x22/0x60\npacket_snd+0x7c9/0xc40\nsock_sendmsg+0x9a/0xa0\n__sys_sendto+0x18a/0x230\n__x64_sys_sendto+0x74/0x90\ndo_syscall_64+0x3b/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe root cause is:\n  1. packet_snd() only reset skb-\u003emac_header when sock-\u003etype is SOCK_RAW\n     and skb-\u003eprotocol is not specified as in packet_parse_headers()\n\n  2. packet_direct_xmit() doesn\u0027t reset skb-\u003emac_header as dev_queue_xmit()\n\nIn this case, skb-\u003emac_header is 65535 when ipvlan_xmit_mode_l2() is\ncalled. So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which\nuse \"skb-\u003ehead + skb-\u003emac_header\", out-of-bound access occurs.\n\nThis patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2()\nand reset mac header in multicast to solve this out-of-bound bug."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:20:35.610Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e2b46cd5796f083e452fbc624f65b80328b0c1a4"
        },
        {
          "url": "https://git.kernel.org/stable/c/25efdbe5fe542c3063d1948cc4e98abcb57621ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/bffcdade259c05ab3436b5fab711612093c275ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/346e94aa4a99378592c46d6a34c72703a32bd5be"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab4a733874ead120691e8038272d22f8444d3638"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d06006c7eb75587d986da46c48ba9274f94e8e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/b583e6b25bf9321c91154f6c78d2173ef12c4241"
        },
        {
          "url": "https://git.kernel.org/stable/c/81225b2ea161af48e093f58e8dfee6d705b16af4"
        }
      ],
      "title": "ipvlan: Fix out-of-bound bugs caused by unset skb-\u003emac_header",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-48651",
    "datePublished": "2024-04-28T13:00:42.929Z",
    "dateReserved": "2024-02-25T13:44:28.317Z",
    "dateUpdated": "2025-05-04T08:20:35.610Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-26610 (GCVE-0-2024-26610)

Vulnerability from cvelistv5 – Published: 2024-02-29 15:52 – Updated: 2025-05-04 08:52

Title

wifi: iwlwifi: fix a memory corruption

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix a memory corruption iwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that if we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in bytes, we'll write past the buffer.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/05dd9facfb9a1e056…
	https://git.kernel.org/stable/c/99a23462fe1a6f709…
	https://git.kernel.org/stable/c/aa2cc9363926991ba…
	https://git.kernel.org/stable/c/870171899d75d43e3…
	https://git.kernel.org/stable/c/f32a81999d0b8e5ce…
	https://git.kernel.org/stable/c/cf4a0d840ecc72fcf…

Impacted products

Vendor

Product

Version

Linux

Affected: cf29c5b66b9f83939367d90679eb68cdfa2f0356 , < 05dd9facfb9a1e056752c0901c6e86416037d15a (git)
Affected: cf29c5b66b9f83939367d90679eb68cdfa2f0356 , < 99a23462fe1a6f709f0fda3ebbe8b6b193ac75bd (git)
Affected: cf29c5b66b9f83939367d90679eb68cdfa2f0356 , < aa2cc9363926991ba74411e3aa0a0ea82c1ffe32 (git)
Affected: cf29c5b66b9f83939367d90679eb68cdfa2f0356 , < 870171899d75d43e3d14360f3a4850e90a9c289b (git)
Affected: cf29c5b66b9f83939367d90679eb68cdfa2f0356 , < f32a81999d0b8e5ce60afb5f6a3dd7241c17dd67 (git)
Affected: cf29c5b66b9f83939367d90679eb68cdfa2f0356 , < cf4a0d840ecc72fcf16198d5e9c505ab7d5a5e4d (git)

Linux

Affected: 5.5
Unaffected: 0 , < 5.5 (semver)
Unaffected: 5.10.210 , ≤ 5.10.* (semver)
Unaffected: 5.15.149 , ≤ 5.15.* (semver)
Unaffected: 6.1.76 , ≤ 6.1.* (semver)
Unaffected: 6.6.15 , ≤ 6.6.* (semver)
Unaffected: 6.7.3 , ≤ 6.7.* (semver)
Unaffected: 6.8 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26610",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-12T18:22:31.931608Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:49:28.637Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:07:19.572Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/05dd9facfb9a1e056752c0901c6e86416037d15a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/99a23462fe1a6f709f0fda3ebbe8b6b193ac75bd"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/aa2cc9363926991ba74411e3aa0a0ea82c1ffe32"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/870171899d75d43e3d14360f3a4850e90a9c289b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f32a81999d0b8e5ce60afb5f6a3dd7241c17dd67"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/cf4a0d840ecc72fcf16198d5e9c505ab7d5a5e4d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "05dd9facfb9a1e056752c0901c6e86416037d15a",
              "status": "affected",
              "version": "cf29c5b66b9f83939367d90679eb68cdfa2f0356",
              "versionType": "git"
            },
            {
              "lessThan": "99a23462fe1a6f709f0fda3ebbe8b6b193ac75bd",
              "status": "affected",
              "version": "cf29c5b66b9f83939367d90679eb68cdfa2f0356",
              "versionType": "git"
            },
            {
              "lessThan": "aa2cc9363926991ba74411e3aa0a0ea82c1ffe32",
              "status": "affected",
              "version": "cf29c5b66b9f83939367d90679eb68cdfa2f0356",
              "versionType": "git"
            },
            {
              "lessThan": "870171899d75d43e3d14360f3a4850e90a9c289b",
              "status": "affected",
              "version": "cf29c5b66b9f83939367d90679eb68cdfa2f0356",
              "versionType": "git"
            },
            {
              "lessThan": "f32a81999d0b8e5ce60afb5f6a3dd7241c17dd67",
              "status": "affected",
              "version": "cf29c5b66b9f83939367d90679eb68cdfa2f0356",
              "versionType": "git"
            },
            {
              "lessThan": "cf4a0d840ecc72fcf16198d5e9c505ab7d5a5e4d",
              "status": "affected",
              "version": "cf29c5b66b9f83939367d90679eb68cdfa2f0356",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.210",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.210",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.149",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.76",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.15",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.3",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: fix a memory corruption\n\niwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that\nif we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in\nbytes, we\u0027ll write past the buffer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:52:16.227Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/05dd9facfb9a1e056752c0901c6e86416037d15a"
        },
        {
          "url": "https://git.kernel.org/stable/c/99a23462fe1a6f709f0fda3ebbe8b6b193ac75bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/aa2cc9363926991ba74411e3aa0a0ea82c1ffe32"
        },
        {
          "url": "https://git.kernel.org/stable/c/870171899d75d43e3d14360f3a4850e90a9c289b"
        },
        {
          "url": "https://git.kernel.org/stable/c/f32a81999d0b8e5ce60afb5f6a3dd7241c17dd67"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf4a0d840ecc72fcf16198d5e9c505ab7d5a5e4d"
        }
      ],
      "title": "wifi: iwlwifi: fix a memory corruption",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26610",
    "datePublished": "2024-02-29T15:52:15.796Z",
    "dateReserved": "2024-02-19T14:20:24.130Z",
    "dateUpdated": "2025-05-04T08:52:16.227Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-26766 (GCVE-0-2024-26766)

Vulnerability from cvelistv5 – Published: 2024-04-03 17:00 – Updated: 2025-05-04 12:54

Title

IB/hfi1: Fix sdma.h tx->num_descs off-by-one error

Summary

In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix sdma.h tx->num_descs off-by-one error Unfortunately the commit `fd8958efe877` introduced another error causing the `descs` array to overflow. This reults in further crashes easily reproducible by `sendmsg` system call. [ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI [ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1] -- [ 1080.974535] Call Trace: [ 1080.976990] <TASK> [ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1] [ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1] [ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1] [ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib] [ 1081.046978] dev_hard_start_xmit+0xc4/0x210 -- [ 1081.148347] __sys_sendmsg+0x59/0xa0 crash> ipoib_txreq 0xffff9cfeba229f00 struct ipoib_txreq { txreq = { list = { next = 0xffff9cfeba229f00, prev = 0xffff9cfeba229f00 }, descp = 0xffff9cfeba229f40, coalesce_buf = 0x0, wait = 0xffff9cfea4e69a48, complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>, packet_len = 0x46d, tlen = 0x0, num_desc = 0x0, desc_limit = 0x6, next_descq_idx = 0x45c, coalesce_idx = 0x0, flags = 0x0, descs = {{ qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63) }, { qw = { 0x3800014231b108, 0x4} }, { qw = { 0x310000e4ee0fcf0, 0x8} }, { qw = { 0x3000012e9f8000, 0x8} }, { qw = { 0x59000dfb9d0000, 0x8} }, { qw = { 0x78000e02e40000, 0x8} }} }, sdma_hdr = 0x400300015528b000, <<< invalid pointer in the tx request structure sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62) complete = 0x0, priv = 0x0, txq = 0xffff9cfea4e69880, skb = 0xffff9d099809f400 } If an SDMA send consists of exactly 6 descriptors and requires dword padding (in the 7th descriptor), the sdma_txreq descriptor array is not properly expanded and the packet will overflow into the container structure. This results in a panic when the send completion runs. The exact panic varies depending on what elements of the container structure get corrupted. The fix is to use the correct expression in _pad_sdma_tx_descs() to test the need to expand the descriptor array. With this patch the crashes are no longer reproducible and the machine is stable.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/115b7f3bc1dce590a…
	https://git.kernel.org/stable/c/5833024a9856f454a…
	https://git.kernel.org/stable/c/3f38d22e645e2e994…
	https://git.kernel.org/stable/c/47ae64df23ed1318e…
	https://git.kernel.org/stable/c/52dc9a7a573dbf778…
	https://git.kernel.org/stable/c/a2fef1d81becf4ff6…
	https://git.kernel.org/stable/c/9034a1bec35e9f725…
	https://git.kernel.org/stable/c/e6f57c6881916df39…

Impacted products

Vendor

Product

Version

Linux

Affected: d1c1ee052d25ca23735eea912f843bc7834781b4 , < 115b7f3bc1dce590a6851a2dcf23dc1100c49790 (git)
Affected: 40ac5cb6cbb01afa40881f78b4d2f559fb7065c4 , < 5833024a9856f454a964a198c63a57e59e07baf5 (git)
Affected: 6cf8f3d690bb5ad31ef0f41a6206ecf5a068d179 , < 3f38d22e645e2e994979426ea5a35186102ff3c2 (git)
Affected: bd57756a7e43c7127d0eca1fc5868e705fd0f7ba , < 47ae64df23ed1318e27bd9844e135a5e1c0e6e39 (git)
Affected: eeaf35f4e3b360162081de5e744cf32d6d1b0091 , < 52dc9a7a573dbf778625a0efca0fca55489f084b (git)
Affected: fd8958efe8779d3db19c9124fce593ce681ac709 , < a2fef1d81becf4ff60e1a249477464eae3c3bc2a (git)
Affected: fd8958efe8779d3db19c9124fce593ce681ac709 , < 9034a1bec35e9f725315a3bb6002ef39666114d9 (git)
Affected: fd8958efe8779d3db19c9124fce593ce681ac709 , < e6f57c6881916df39db7d95981a8ad2b9c3458d6 (git)
Affected: 0ef9594936d1f078e8599a1cf683b052df2bec00 (git)

Linux

Affected: 6.3
Unaffected: 0 , < 6.3 (semver)
Unaffected: 4.19.308 , ≤ 4.19.* (semver)
Unaffected: 5.4.270 , ≤ 5.4.* (semver)
Unaffected: 5.10.211 , ≤ 5.10.* (semver)
Unaffected: 5.15.150 , ≤ 5.15.* (semver)
Unaffected: 6.1.80 , ≤ 6.1.* (semver)
Unaffected: 6.6.19 , ≤ 6.6.* (semver)
Unaffected: 6.7.7 , ≤ 6.7.* (semver)
Unaffected: 6.8 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26766",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-03T18:11:09.801717Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:48:44.178Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.309Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/hfi1/sdma.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "115b7f3bc1dce590a6851a2dcf23dc1100c49790",
              "status": "affected",
              "version": "d1c1ee052d25ca23735eea912f843bc7834781b4",
              "versionType": "git"
            },
            {
              "lessThan": "5833024a9856f454a964a198c63a57e59e07baf5",
              "status": "affected",
              "version": "40ac5cb6cbb01afa40881f78b4d2f559fb7065c4",
              "versionType": "git"
            },
            {
              "lessThan": "3f38d22e645e2e994979426ea5a35186102ff3c2",
              "status": "affected",
              "version": "6cf8f3d690bb5ad31ef0f41a6206ecf5a068d179",
              "versionType": "git"
            },
            {
              "lessThan": "47ae64df23ed1318e27bd9844e135a5e1c0e6e39",
              "status": "affected",
              "version": "bd57756a7e43c7127d0eca1fc5868e705fd0f7ba",
              "versionType": "git"
            },
            {
              "lessThan": "52dc9a7a573dbf778625a0efca0fca55489f084b",
              "status": "affected",
              "version": "eeaf35f4e3b360162081de5e744cf32d6d1b0091",
              "versionType": "git"
            },
            {
              "lessThan": "a2fef1d81becf4ff60e1a249477464eae3c3bc2a",
              "status": "affected",
              "version": "fd8958efe8779d3db19c9124fce593ce681ac709",
              "versionType": "git"
            },
            {
              "lessThan": "9034a1bec35e9f725315a3bb6002ef39666114d9",
              "status": "affected",
              "version": "fd8958efe8779d3db19c9124fce593ce681ac709",
              "versionType": "git"
            },
            {
              "lessThan": "e6f57c6881916df39db7d95981a8ad2b9c3458d6",
              "status": "affected",
              "version": "fd8958efe8779d3db19c9124fce593ce681ac709",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "0ef9594936d1f078e8599a1cf683b052df2bec00",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/hfi1/sdma.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.308",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.270",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.211",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.308",
                  "versionStartIncluding": "4.19.291",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.270",
                  "versionStartIncluding": "5.4.251",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.211",
                  "versionStartIncluding": "5.10.188",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.150",
                  "versionStartIncluding": "5.15.99",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.80",
                  "versionStartIncluding": "6.1.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.19",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.7",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.2.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix sdma.h tx-\u003enum_descs off-by-one error\n\nUnfortunately the commit `fd8958efe877` introduced another error\ncausing the `descs` array to overflow. This reults in further crashes\neasily reproducible by `sendmsg` system call.\n\n[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI\n[ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]\n--\n[ 1080.974535] Call Trace:\n[ 1080.976990]  \u003cTASK\u003e\n[ 1081.021929]  hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]\n[ 1081.027364]  hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]\n[ 1081.032633]  hfi1_ipoib_send+0x112/0x300 [hfi1]\n[ 1081.042001]  ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]\n[ 1081.046978]  dev_hard_start_xmit+0xc4/0x210\n--\n[ 1081.148347]  __sys_sendmsg+0x59/0xa0\n\ncrash\u003e ipoib_txreq 0xffff9cfeba229f00\nstruct ipoib_txreq {\n  txreq = {\n    list = {\n      next = 0xffff9cfeba229f00,\n      prev = 0xffff9cfeba229f00\n    },\n    descp = 0xffff9cfeba229f40,\n    coalesce_buf = 0x0,\n    wait = 0xffff9cfea4e69a48,\n    complete = 0xffffffffc0fe0760 \u003chfi1_ipoib_sdma_complete\u003e,\n    packet_len = 0x46d,\n    tlen = 0x0,\n    num_desc = 0x0,\n    desc_limit = 0x6,\n    next_descq_idx = 0x45c,\n    coalesce_idx = 0x0,\n    flags = 0x0,\n    descs = {{\n        qw = {0x8024000120dffb00, 0x4}  # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)\n      }, {\n        qw = {  0x3800014231b108, 0x4}\n      }, {\n        qw = { 0x310000e4ee0fcf0, 0x8}\n      }, {\n        qw = {  0x3000012e9f8000, 0x8}\n      }, {\n        qw = {  0x59000dfb9d0000, 0x8}\n      }, {\n        qw = {  0x78000e02e40000, 0x8}\n      }}\n  },\n  sdma_hdr =  0x400300015528b000,  \u003c\u003c\u003c invalid pointer in the tx request structure\n  sdma_status = 0x0,                   SDMA_DESC0_LAST_DESC_FLAG (bit 62)\n  complete = 0x0,\n  priv = 0x0,\n  txq = 0xffff9cfea4e69880,\n  skb = 0xffff9d099809f400\n}\n\nIf an SDMA send consists of exactly 6 descriptors and requires dword\npadding (in the 7th descriptor), the sdma_txreq descriptor array is not\nproperly expanded and the packet will overflow into the container\nstructure. This results in a panic when the send completion runs. The\nexact panic varies depending on what elements of the container structure\nget corrupted. The fix is to use the correct expression in\n_pad_sdma_tx_descs() to test the need to expand the descriptor array.\n\nWith this patch the crashes are no longer reproducible and the machine is\nstable."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:54:42.053Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790"
        },
        {
          "url": "https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2"
        },
        {
          "url": "https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39"
        },
        {
          "url": "https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a"
        },
        {
          "url": "https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6"
        }
      ],
      "title": "IB/hfi1: Fix sdma.h tx-\u003enum_descs off-by-one error",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26766",
    "datePublished": "2024-04-03T17:00:48.642Z",
    "dateReserved": "2024-02-19T14:20:24.173Z",
    "dateUpdated": "2025-05-04T12:54:42.053Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

SUSE-SU-2024:1750-1

CVE-2022-48651 (GCVE-0-2022-48651)

CVE-2024-26610 (GCVE-0-2024-26610)

CVE-2024-26766 (GCVE-0-2024-26766)

Tags

Sightings

Nomenclature