admin/nvd-json-data-feeds
1
0
Fork 0
mirror of https://github.com/fkie-cad/nvd-json-data-feeds.git synced 2025-09-17 18:45:49 +00:00
Code Issues Packages Projects Releases Wiki Activity
nvd-json-data-feeds/CVE-2021/CVE-2021-473xx/CVE-2021-47399.json
cad-safe-bot 7ce81bf38d Auto-Update: 2024-12-24T17:00:20.670334+00:00
2024-12-24 17:03:42 +00:00

139 lines
8.8 KiB
JSON
Raw Blame History

{
"id": "CVE-2021-47399",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:25.360",
"lastModified": "2024-12-24T16:06:15.200",
"vulnStatus": "Analyzed",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup\n\nThe ixgbe driver currently generates a NULL pointer dereference with\nsome machine (online cpus < 63). This is due to the fact that the\nmaximum value of num_xdp_queues is nr_cpu_ids. Code is in\n\"ixgbe_set_rss_queues\"\".\n\nHere's how the problem repeats itself:\nSome machine (online cpus < 63), And user set num_queues to 63 through\nethtool. Code is in the \"ixgbe_set_channels\",\n\tadapter->ring_feature[RING_F_FDIR].limit = count;\n\nIt becomes 63.\n\nWhen user use xdp, \"ixgbe_set_rss_queues\" will set queues num.\n\tadapter->num_rx_queues = rss_i;\n\tadapter->num_tx_queues = rss_i;\n\tadapter->num_xdp_queues = ixgbe_xdp_queues(adapter);\n\nAnd rss_i's value is from\n\tf = &adapter->ring_feature[RING_F_FDIR];\n\trss_i = f->indices = f->limit;\n\nSo \"num_rx_queues\" > \"num_xdp_queues\", when run to \"ixgbe_xdp_setup\",\n\tfor (i = 0; i < adapter->num_rx_queues; i++)\n\t\tif (adapter->xdp_ring[i]->xsk_umem)\n\nIt leads to panic.\n\nCall trace:\n[exception RIP: ixgbe_xdp+368]\nRIP: ffffffffc02a76a0 RSP: ffff9fe16202f8d0 RFLAGS: 00010297\nRAX: 0000000000000000 RBX: 0000000000000020 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 000000000000001c RDI: ffffffffa94ead90\nRBP: ffff92f8f24c0c18 R8: 0000000000000000 R9: 0000000000000000\nR10: ffff9fe16202f830 R11: 0000000000000000 R12: ffff92f8f24c0000\nR13: ffff9fe16202fc01 R14: 000000000000000a R15: ffffffffc02a7530\nORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\n 7 [ffff9fe16202f8f0] dev_xdp_install at ffffffffa89fbbcc\n 8 [ffff9fe16202f920] dev_change_xdp_fd at ffffffffa8a08808\n 9 [ffff9fe16202f960] do_setlink at ffffffffa8a20235\n10 [ffff9fe16202fa88] rtnl_setlink at ffffffffa8a20384\n11 [ffff9fe16202fc78] rtnetlink_rcv_msg at ffffffffa8a1a8dd\n12 [ffff9fe16202fcf0] netlink_rcv_skb at ffffffffa8a717eb\n13 [ffff9fe16202fd40] netlink_unicast at ffffffffa8a70f88\n14 [ffff9fe16202fd80] netlink_sendmsg at ffffffffa8a71319\n15 [ffff9fe16202fdf0] sock_sendmsg at ffffffffa89df290\n16 [ffff9fe16202fe08] __sys_sendto at ffffffffa89e19c8\n17 [ffff9fe16202ff30] __x64_sys_sendto at ffffffffa89e1a64\n18 [ffff9fe16202ff38] do_syscall_64 at ffffffffa84042b9\n19 [ffff9fe16202ff50] entry_SYSCALL_64_after_hwframe at ffffffffa8c0008c\n\nSo I fix ixgbe_max_channels so that it will not allow a setting of queues\nto be higher than the num_online_cpus(). And when run to ixgbe_xdp_setup,\ntake the smaller value of num_rx_queues and num_xdp_queues."
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: ixgbe: corrige la desreferencia del puntero NULL en ixgbe_xdp_setup. El controlador ixgbe actualmente genera una desreferencia del puntero NULL con alguna m\u00e1quina (cpus en l\u00ednea &lt;63). Esto se debe al hecho de que el valor m\u00e1ximo de num_xdp_queues es nr_cpu_ids. El c\u00f3digo est\u00e1 en \"ixgbe_set_rss_queues\"\". As\u00ed es como el problema se repite: alguna m\u00e1quina (cpus en l\u00ednea &lt;63), y el usuario configur\u00f3 num_queues en 63 a trav\u00e9s de ethtool. El c\u00f3digo est\u00e1 en \"ixgbe_set_channels\", adaptador-&gt;ring_feature[RING_F_FDIR].limit = count; se convierte en 63. Cuando el usuario usa xdp, \"ixgbe_set_rss_queues\" establecer\u00e1 el n\u00famero de colas adaptor-&gt;num_rx_queues = rss_i; = &amp;adapter-&gt;ring_feature[RING_F_FDIR]; rss_i = f-&gt;indices = f-&gt;limit; Entonces \"num_rx_queues\" &gt; \"num_xdp_queues\", cuando se ejecuta en \"ixgbe_xdp_setup\", para (i = 0; i &lt; adaptor-&gt;num_rx_queues; i++) if (adapter-&gt;xdp_ring[i]-&gt;xsk_umem) Genera p\u00e1nico: [excepci\u00f3n RIP: ixgbe_xdp+368] RIP: ffffffffc02a76a0 RSP: ffff9fe16202f8d0 RFLAGS: 00010297 RAX: 0000000000000000 RBX: 0000000000000020 RCX: 0000000000000000 RDX : 0000000000000000 RSI: 000000000000001c RDI: ffffffffa94ead90 RBP: ffff92f8f24c0c18 R8: 0000000000000000 R9: 0000000000000000 R10: ffff9fe1620 2f830 R11: 0000000000000000 R12: ffff92f8f24c0000 R13: ffff9fe16202fc01 R14: 000000000000000a R15: ffffffffc02a7530 ORIG_RAX: ffffffffffffffff CS: : 0018 7 [ffff9fe16202f8f0] dev_xdp_install en fffffffa89fbbcc 8 [ffff9fe16202f920] dev_change_xdp_fd en fffffffa8a08808 9 [ffff9fe16202f960] do_setlink en fffffffa8a20235 10 [ffff9fe16202fa88] rtnl_setlink en fffffffa8a20384 11 [ffff9fe16202fc78] rtnetlink_rcv_msg en ffffffffa8a1a8dd 12 [ffff9fe16202fcf0] netlink_rcv_skb en ffffffffa8a717eb 13 [ffff9fe16202fd40] netlink_unicast en fffffffa8a70f88 14 [ffff9fe162 02fd80] netlink_sendmsg en fffffffa8a71319 15 [ffff9fe16202fdf0] sock_sendmsg en ffffffffa89df290 16 [ffff9fe16202fe08] __sys_sendto en ffffffffa89e19c8 17 [ffff9fe16202ff30] __x64_sys_sendto en ffffffffa89e1a64 8 [ffff9fe16202ff38] do_syscall_64 en ffffffffa84042b9 19 [ffff9fe16202ff50] Entry_SYSCALL_64_after_hwframe en ffffffffa8c0008c Entonces arreglo ixgbe_max_channels para que no permita una configuraci\u00f3n de colas ser mayor que num_online_cpus(). Y cuando ejecute ixgbe_xdp_setup, tome el valor m\u00e1s peque\u00f1o de num_rx_queues y num_xdp_queues."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"attackVector": "LOCAL",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6
}
]
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-476"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.0",
"versionEndExcluding": "5.10.71",
"matchCriteriaId": "B3E98F08-3632-4238-B6F6-37C8940E21A1"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.11",
"versionEndExcluding": "5.14.10",
"matchCriteriaId": "1A437B0D-8305-4C72-B691-D26986A126CF"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:5.15:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E46C74C6-B76B-4C94-A6A4-FD2FFF62D644"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:5.15:rc2:*:*:*:*:*:*",
"matchCriteriaId": "60134C3A-06E4-48C1-B04F-2903732A4E56"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:5.15:rc3:*:*:*:*:*:*",
"matchCriteriaId": "0460DA88-8FE1-46A2-9DDA-1F1ABA552E71"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/20f6c4a31a525edd9ea6243712b868ba0e4e331e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/2744341dd52e935344ca1b4bf189ba0d182a3e8e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/513e605d7a9ce136886cb42ebb2c40e9a6eb6333",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/20f6c4a31a525edd9ea6243712b868ba0e4e331e",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/2744341dd52e935344ca1b4bf189ba0d182a3e8e",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/513e605d7a9ce136886cb42ebb2c40e9a6eb6333",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
]
}
]
}
Reference in New Issue View Git Blame Copy Permalink