CVE-2024-53058

{"id": "CVE-2024-53058", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-11-19T18:15:25.767", "references": [{"url": "https://git.kernel.org/stable/c/07c9c26e37542486e34d767505e842f48f29c3f6", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/58d23d835eb498336716cca55b5714191a309286", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/66600fac7a984dea4ae095411f644770b2561ede", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a3ff23f7c3f0e13f718900803e090fd3997d6bc9", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ece593fc9c00741b682869d3f3dc584d37b7c9df", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data\n\nIn case the non-paged data of a SKB carries protocol header and protocol\npayload to be transmitted on a certain platform that the DMA AXI address\nwidth is configured to 40-bit/48-bit, or the size of the non-paged data\nis bigger than TSO_MAX_BUFF_SIZE on a certain platform that the DMA AXI\naddress width is configured to 32-bit, then this SKB requires at least\ntwo DMA transmit descriptors to serve it.\n\nFor example, three descriptors are allocated to split one DMA buffer\nmapped from one piece of non-paged data:\n dma_desc[N + 0],\n dma_desc[N + 1],\n dma_desc[N + 2].\nThen three elements of tx_q->tx_skbuff_dma[] will be allocated to hold\nextra information to be reused in stmmac_tx_clean():\n tx_q->tx_skbuff_dma[N + 0],\n tx_q->tx_skbuff_dma[N + 1],\n tx_q->tx_skbuff_dma[N + 2].\nNow we focus on tx_q->tx_skbuff_dma[entry].buf, which is the DMA buffer\naddress returned by DMA mapping call. stmmac_tx_clean() will try to\nunmap the DMA buffer _ONLY_IF_ tx_q->tx_skbuff_dma[entry].buf\nis a valid buffer address.\n\nThe expected behavior that saves DMA buffer address of this non-paged\ndata to tx_q->tx_skbuff_dma[entry].buf is:\n tx_q->tx_skbuff_dma[N + 0].buf = NULL;\n tx_q->tx_skbuff_dma[N + 1].buf = NULL;\n tx_q->tx_skbuff_dma[N + 2].buf = dma_map_single();\nUnfortunately, the current code misbehaves like this:\n tx_q->tx_skbuff_dma[N + 0].buf = dma_map_single();\n tx_q->tx_skbuff_dma[N + 1].buf = NULL;\n tx_q->tx_skbuff_dma[N + 2].buf = NULL;\n\nOn the stmmac_tx_clean() side, when dma_desc[N + 0] is closed by the\nDMA engine, tx_q->tx_skbuff_dma[N + 0].buf is a valid buffer address\nobviously, then the DMA buffer will be unmapped immediately.\nThere may be a rare case that the DMA engine does not finish the\npending dma_desc[N + 1], dma_desc[N + 2] yet. Now things will go\nhorribly wrong, DMA is going to access a unmapped/unreferenced memory\nregion, corrupted data will be transmited or iommu fault will be\ntriggered :(\n\nIn contrast, the for-loop that maps SKB fragments behaves perfectly\nas expected, and that is how the driver should do for both non-paged\ndata and paged frags actually.\n\nThis patch corrects DMA map/unmap sequences by fixing the array index\nfor tx_q->tx_skbuff_dma[entry].buf when assigning DMA buffer address.\n\nTested and verified on DWXGMAC CORE 3.20a"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: stmmac: TSO: Fix DMA map/unmap no balanceado para datos SKB no paginados En caso de que los datos no paginados de un SKB lleven encabezado de protocolo y payload de protocolo para ser transmitidos en una determinada plataforma que el ancho de direcci\u00f3n DMA AXI est\u00e1 configurado a 40 bits/48 bits, o el tama\u00f1o de los datos no paginados es mayor que TSO_MAX_BUFF_SIZE en una determinada plataforma que el ancho de direcci\u00f3n DMA AXI est\u00e1 configurado a 32 bits, entonces este SKB requiere al menos dos descriptores de transmisi\u00f3n DMA para servirlo. Por ejemplo, se asignan tres descriptores para dividir un buffer DMA mapeado a partir de una pieza de datos no paginados: dma_desc[N + 0], dma_desc[N + 1], dma_desc[N + 2]. Luego, se asignar\u00e1n tres elementos de tx_q->tx_skbuff_dma[] para almacenar informaci\u00f3n adicional que se reutilizar\u00e1 en stmmac_tx_clean(): tx_q->tx_skbuff_dma[N + 0], tx_q->tx_skbuff_dma[N + 1], tx_q->tx_skbuff_dma[N + 2]. Ahora nos centramos en tx_q->tx_skbuff_dma[entry].buf, que es la direcci\u00f3n del b\u00fafer DMA devuelta por la llamada de mapeo DMA. stmmac_tx_clean() intentar\u00e1 desasignar el b\u00fafer DMA _SOLO_SI_ tx_q->tx_skbuff_dma[entry].buf es una direcci\u00f3n de b\u00fafer v\u00e1lida. El comportamiento esperado que guarda la direcci\u00f3n del buffer DMA de estos datos no paginados en tx_q->tx_skbuff_dma[entrada].buf es: tx_q->tx_skbuff_dma[N + 0].buf = NULL; tx_q->tx_skbuff_dma[N + 1].buf = NULL; tx_q->tx_skbuff_dma[N + 2].buf = dma_map_single(); Desafortunadamente, el c\u00f3digo actual se comporta mal de esta manera: tx_q->tx_skbuff_dma[N + 0].buf = dma_map_single(); tx_q->tx_skbuff_dma[N + 1].buf = NULL; tx_q->tx_skbuff_dma[N + 2].buf = NULL; En el lado stmmac_tx_clean(), cuando el motor DMA cierra dma_desc[N + 0], tx_q->tx_skbuff_dma[N + 0].buf es obviamente una direcci\u00f3n de b\u00fafer v\u00e1lida, entonces el b\u00fafer DMA se desasignar\u00e1 inmediatamente. Puede haber un caso poco com\u00fan en el que el motor DMA no finalice a\u00fan los dma_desc[N + 1], dma_desc[N + 2] pendientes. Ahora las cosas saldr\u00e1n terriblemente mal, DMA acceder\u00e1 a una regi\u00f3n de memoria no mapeada/no referenciada, se transmitir\u00e1n datos corruptos o se activar\u00e1 un error de iommu :( Por el contrario, el bucle for que mapea fragmentos SKB se comporta perfectamente como se espera, y as\u00ed es como el controlador deber\u00eda funcionar tanto para datos no paginados como para fragmentos paginados en realidad. Este parche corrige las secuencias de mapeo/desasignamiento de DMA al arreglar el \u00edndice de matriz para tx_q->tx_skbuff_dma[entry].buf al asignar la direcci\u00f3n del b\u00fafer de DMA. Probado y verificado en DWXGMAC CORE 3.20a"}], "lastModified": "2024-11-22T17:53:32.500", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F7B2EF6A-A80D-4A30-B1E9-7DBA47DFA518", "versionEndExcluding": "5.15.171", "versionStartIncluding": "4.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "43EFDC15-E4D4-4F1E-B70D-62F0854BFDF3", "versionEndExcluding": "6.1.116", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "75088E5E-2400-4D20-915F-7A65C55D9CCD", "versionEndExcluding": "6.6.60", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E96F53A4-5E87-4A70-BD9A-BC327828D57F", "versionEndExcluding": "6.11.7", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7F361E1D-580F-4A2D-A509-7615F73167A1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "925478D0-3E3D-4E6F-ACD5-09F28D5DF82C"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3C95E234-D335-4B6C-96BF-E2CEBD8654ED"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E0F717D8-3014-4F84-8086-0124B2111379"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "24DBE6C7-2AAE-4818-AED2-E131F153D2FA"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}