In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix the crash issue for zero copy XDP_TX action There is a crash issue when running zero copy XDP_TX action, the crash log is shown below. [ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000 [ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP [ 216.301694] Call trace: [ 216.304130] dcache_clean_poc+0x20/0x38 (P) [ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0 [ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400 [ 216.317701] __stmmac_xdp_run_prog+0x164/0x368 [ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00 [ 216.326576] __napi_poll+0x40/0x218 [ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt For XDP_TX action, the xdp_buff is converted to xdp_frame by xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame depends on the memory type of the xdp_buff. For page pool based xdp_buff it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy XSK pool based xdp_buff it produces xdp_frame with memory type MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the memory type and always uses the page pool type, this leads to invalid mappings and causes the crash. Therefore, check the xdp_buff memory type in stmmac_xdp_xmit_back() to fix this issue.
En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: net: stmmac: solucionar el problema de bloqueo para la acción XDP_TX de copia cero Existe un problema de bloqueo al ejecutar la acción XDP_TX de copia cero; el registro de bloqueo se muestra a continuación. [ 216.122464] No se puede manejar la solicitud de paginación del kernel en la dirección virtual fffeffff80000000 [ 216.187524] Error interno: Oops: 0000000096000144 [#1] SMP [ 216.301694] Traza de llamadas: [ 216.304130] dcache_clean_poc+0x20/0x38 (P) [ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0 [ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400 [ 216.317701] __stmmac_xdp_run_prog+0x164/0x368 [ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00 [ 216.326576] __napi_poll+0x40/0x218 [ 216.408054] Pánico del kernel - no sincronizando: Oops: Excepción fatal en interrupción Para la acción XDP_TX, el xdp_buff se convierte a xdp_frame mediante xdp_convert_buff_to_frame(). El tipo de memoria del xdp_frame resultante depende del tipo de memoria del xdp_buff. Para xdp_buff basado en pool de páginas, produce xdp_frame con tipo de memoria MEM_TYPE_PAGE_POOL. Para xdp_buff basado en pool XSK de copia cero, produce xdp_frame con tipo de memoria MEM_TYPE_PAGE_ORDER0. Sin embargo, stmmac_xdp_xmit_back() no verifica el tipo de memoria y siempre usa el tipo de pool de páginas, lo que lleva a mapeos inválidos y causa el bloqueo. Por lo tanto, verifique el tipo de memoria del xdp_buff en stmmac_xdp_xmit_back() para solucionar este problema.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
NVD-CWE-noinfo
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd67f140> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd67da00> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bfc1df180> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b8052f440> | Operating System |
| linux | linux_kernel | 5.13 | <built-in method update of dict object at 0x702bdd67c180> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702b8052e900> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdd67e000> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bfc335140> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdd67fe40> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702b8052e280> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702b80e2e040> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdd67d1c0> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702b80e2c7c0> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:5.13:-:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:* |