In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix TSO DMA API usage causing oops Commit 66600fac7a98 ("net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data") moved the assignment of tx_skbuff_dma[]'s members to be later in stmmac_tso_xmit(). The buf (dma cookie) and len stored in this structure are passed to dma_unmap_single() by stmmac_tx_clean(). The DMA API requires that the dma cookie passed to dma_unmap_single() is the same as the value returned from dma_map_single(). However, by moving the assignment later, this is not the case when priv->dma_cap.addr64 > 32 as "des" is offset by proto_hdr_len. This causes problems such as: dwc-eth-dwmac 2490000.ethernet eth0: Tx DMA map failed and with DMA_API_DEBUG enabled: DMA-API: dwc-eth-dwmac 2490000.ethernet: device driver tries to +free DMA memory it has not allocated [device address=0x000000ffffcf65c0] [size=66 bytes] Fix this by maintaining "des" as the original DMA cookie, and use tso_des to pass the offset DMA cookie to stmmac_tso_allocator(). Full details of the crashes can be found at: https://lore.kernel.org/all/[email protected]/ https://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: stmmac: fix TSO DMA API usage burning cause oops Commit 66600fac7a98 ("net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data") movió la asignación de los miembros de tx_skbuff_dma[] para que sea posterior en stmmac_tso_xmit(). El buf (dma cookie) y len almacenados en esta estructura se pasan a dma_unmap_single() por stmmac_tx_clean(). La DMA API requiere que la dma cookie pasada a dma_unmap_single() sea la misma que el valor devuelto desde dma_map_single(). Sin embargo, al mover la asignación más tarde, este no es el caso cuando priv->dma_cap.addr64 > 32 como "des" es desplazado por proto_hdr_len. Esto causa problemas como: dwc-eth-dwmac 2490000.ethernet eth0: el mapa DMA de transmisión falló y con DMA_API_DEBUG habilitado: DMA-API: dwc-eth-dwmac 2490000.ethernet: el controlador del dispositivo intenta +liberar memoria DMA que no ha asignado [dirección del dispositivo=0x000000ffffcf65c0] [tamaño=66 bytes] Solucione esto manteniendo "des" como la cookie DMA original y use tso_des para pasar la cookie DMA de desplazamiento a stmmac_tso_allocator(). Los detalles completos de los fallos se pueden encontrar en: https://lore.kernel.org/all/[email protected]/ https://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
NVD-CWE-noinfo
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd6a7fc0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdc9f4280> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdc3f6900> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd6a7880> | Operating System |
| linux | linux_kernel | 6.13 | <built-in method update of dict object at 0x702bdd6a4880> | Operating System |
| linux | linux_kernel | 6.13 | <built-in method update of dict object at 0x702bdd6a6c40> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:* |