CVE-2024-53058
- ULN >
- Oracle Linux CVE repository >
- CVE-2024-53058
CVE Details
| Release Date: | 2024-11-19 |
Description
In the Linux kernel, the following vulnerability has been resolved:\nnet: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data\nIn case the non-paged data of a SKB carries protocol header and protocol\npayload to be transmitted on a certain platform that the DMA AXI address\nwidth is configured to 40-bit/48-bit, or the size of the non-paged data\nis bigger than TSO_MAX_BUFF_SIZE on a certain platform that the DMA AXI\naddress width is configured to 32-bit, then this SKB requires at least\ntwo DMA transmit descriptors to serve it.\nFor example, three descriptors are allocated to split one DMA buffer\nmapped from one piece of non-paged data:\ndma_desc[N + 0],\ndma_desc[N + 1],\ndma_desc[N + 2].\nThen three elements of tx_q->tx_skbuff_dma[] will be allocated to hold\nextra information to be reused in stmmac_tx_clean():\ntx_q->tx_skbuff_dma[N + 0],\ntx_q->tx_skbuff_dma[N + 1],\ntx_q->tx_skbuff_dma[N + 2].\nNow we focus on tx_q->tx_skbuff_dma[entry].buf, which is the DMA buffer\naddress returned by DMA mapping call. stmmac_tx_clean() will try to\nunmap the DMA buffer _ONLY_IF_ tx_q->tx_skbuff_dma[entry].buf\nis a valid buffer address.\nThe expected behavior that saves DMA buffer address of this non-paged\ndata to tx_q->tx_skbuff_dma[entry].buf is:\ntx_q->tx_skbuff_dma[N + 0].buf = NULL;\ntx_q->tx_skbuff_dma[N + 1].buf = NULL;\ntx_q->tx_skbuff_dma[N + 2].buf = dma_map_single();\nUnfortunately, the current code misbehaves like this:\ntx_q->tx_skbuff_dma[N + 0].buf = dma_map_single();\ntx_q->tx_skbuff_dma[N + 1].buf = NULL;\ntx_q->tx_skbuff_dma[N + 2].buf = NULL;\nOn the stmmac_tx_clean() side, when dma_desc[N + 0] is closed by the\nDMA engine, tx_q->tx_skbuff_dma[N + 0].buf is a valid buffer address\nobviously, then the DMA buffer will be unmapped immediately.\nThere may be a rare case that the DMA engine does not finish the\npending dma_desc[N + 1], dma_desc[N + 2] yet. Now things will go\nhorribly wrong, DMA is going to access a unmapped/unreferenced memory\nregion, corrupted data will be transmited or iommu fault will be\ntriggered :(\nIn contrast, the for-loop that maps SKB fragments behaves perfectly\nas expected, and that is how the driver should do for both non-paged\ndata and paged frags actually.\nThis patch corrects DMA map/unmap sequences by fixing the array index\nfor tx_q->tx_skbuff_dma[entry].buf when assigning DMA buffer address.\nTested and verified on DWXGMAC CORE 3.20a
See more information about CVE-2024-53058 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS metrics and score provided are preliminary and subject to review.
CVSS v3 metrics
| Base Score: | 5.5 |
| Vector String: | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Version: | 3.1 |
| Attack Vector: | Local |
| Attack Complexity: | Low |
| Privileges Required: | Low |
| User Interaction: | None |
| Scope: | Unchanged |
| Confidentiality: | None |
| Integrity: | None |
| Availability: | High |
Errata information
| Platform | Errata | Release Date |
| Oracle Linux version 8 (kernel-uek) | ELSA-2024-12887 | 2024-12-18 |
| Oracle Linux version 9 (kernel-uek) | ELSA-2024-12887 | 2024-12-18 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
- Oracle customers - enter a support request
- Vulnerability scanning tools vendors and project maintainers - follow the standard ISV process
