CVE-2024-56719
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: fix TSO DMA API usage causing oops
Commit 66600fac7a98 ("net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data") moved the assignment of tx_skbuff_dma[]'s members to be later in stmmac_tso_xmit().
The buf (dma cookie) and len stored in this structure are passed to dma_unmap_single() by stmmac_tx_clean(). The DMA API requires that the dma cookie passed to dma_unmap_single() is the same as the value returned from dma_map_single(). However, by moving the assignment later, this is not the case when priv->dma_cap.addr64 > 32 as "des" is offset by proto_hdr_len.
This causes problems such as:
dwc-eth-dwmac 2490000.ethernet eth0: Tx DMA map failed
and with DMA_API_DEBUG enabled:
DMA-API: dwc-eth-dwmac 2490000.ethernet: device driver tries to +free DMA memory it has not allocated [device address=0x000000ffffcf65c0] [size=66 bytes]
Fix this by maintaining "des" as the original DMA cookie, and use tso_des to pass the offset DMA cookie to stmmac_tso_allocator().
Full details of the crashes can be found at: https://lore.kernel.org/all/d8112193-0386-4e14-b516-37c2d838171a@nvidia.com/ https://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | ece593fc9c00741b682869d3f3dc584d37b7c9df < 05968b6dd0ffc65d7386608b11a11fb4fdfc9f36 | affected |
| Linux | Linux | a3ff23f7c3f0e13f718900803e090fd3997d6bc9 < 6abcdc9a73274052a9e96a1926994ecf9aedad82 | affected |
| Linux | Linux | 07c9c26e37542486e34d767505e842f48f29c3f6 < db3667c9bbfbbf5de98e6c9542f7e03fb5243286 | affected |
| Linux | Linux | 66600fac7a984dea4ae095411f644770b2561ede < 9d5dd7ccea1b46a9a7c6b3c2b9e5ed8864e185e2 | affected |
| Linux | Linux | 66600fac7a984dea4ae095411f644770b2561ede < 4c49f38e20a57f8abaebdf95b369295b153d1f8e | affected |
| Linux | Linux | 58d23d835eb498336716cca55b5714191a309286 | affected |
| Linux | Linux | 5.15.171 < 5.15.209 | affected |
| Linux | Linux | 6.1.116 < 6.1.167 | affected |
| Linux | Linux | 6.6.60 < 6.6.68 | affected |
| Linux | Linux | 6.11.7 < 6.12 | affected |
| Linux | Linux | 6.12 | affected |
| Linux | Linux | 0 < 6.12 | unaffected |
| Linux | Linux | 5.15.209 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.167 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.68 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.7 <= 6.12.* | unaffected |
| Linux | Linux | 6.13 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/05968b6dd0ffc65d7386608b11a11fb4fdfc9f36
- https://git.kernel.org/stable/c/6abcdc9a73274052a9e96a1926994ecf9aedad82
- https://git.kernel.org/stable/c/db3667c9bbfbbf5de98e6c9542f7e03fb5243286
- https://git.kernel.org/stable/c/9d5dd7ccea1b46a9a7c6b3c2b9e5ed8864e185e2
- https://git.kernel.org/stable/c/4c49f38e20a57f8abaebdf95b369295b153d1f8e
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.