CVE-2023-52474: Linux kernel vulnerability resolved in IB/hfi1 - non-PAGE_SIZE-end multi-iovec user SDMA requests can cause data corruption

A major vulnerability (CVE-2023-52474) has been resolved in the Linux kernel, specifically concerning hfi1 user SDMA request processing. The vulnerability could lead to data corruption for user SDMA requests that have multiple payload iovecs where an iovec other than the tail iovec does not run up to the page boundary for the buffer pointed to by that iovec. In this long read post, we will walk you through the specific bugs, code snippets, original references, and exploit details.

Original references

- Linux Kernel Mailing List - Patch
- Mailing List Message

1. user_sdma_txadd() does not use struct user_sdma_iovec->iov.iov_len.

2. user_sdma_txadd() and user_sdma_send_pkts() fail to advance to the next iovec in user_sdma_request->iovs when the current iovec is not PAGE_SIZE and does not contain enough data to complete the packet.

Code snippet

void user_sdma_txadd(struct user_sdma_request *req, struct tx_sa_state *sa,
                     u64 addr, u32 len)
{
    struct page *page;
    u64 offset;
    u32 chunk_len;

    /* Offset of addr within its page, and the pinned page that backs it. */
    offset = (u64)(uintptr_t)addr & ~PAGE_MASK;
    page = find_get_page(req->mr->pd->uobject->context->mm,
                         (addr & PAGE_MASK) >> PAGE_SHIFT);

    /* Bug 1: the chunk is bounded only by len and the remaining packet
     * buffer space; iovec->iov.iov_len is never consulted, so bytes past
     * the end of the user buffer can be added to the packet. */
    chunk_len = min_t(u32, len, TXE_PAYLOAD_BUF_SIZE - sa->chunk.len);

    /* Block until the QP is no longer stopped, then add the chunk. */
    iowait_wait_event(req->wait,
                      !(req->pq->s_txreq->txreq.qp->s_flags & HFI1_S_STOPPED),
                      req->pq->s_txreq->txreq.flags);
    hfi1_user_sdma_txadd_page_single(req, sa, page, offset, chunk_len);
}
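To make the two request-processing bugs concrete, here is a constructed user-space model (an added example, not the hfi1 driver's code or the patch): a buggy gather that bounds each chunk only by the page end and never moves to the next iovec, beside the fixed gather that honours iov_len and advances. The 64-byte PAGE, the 96-byte packet and the two iovecs are assumptions chosen for the example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of payload gathering, not hfi1 code; PAGE shrunk from 4096. */
#define PAGE 64u
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define PINNED(iov) ((((iov)->len + PAGE - 1) / PAGE) * PAGE)  /* bytes in its pinned pages */

struct model_iovec { uint8_t *pages; size_t len; };  /* pinned pages and the real iov_len */

/* Buggy gather: bounded by page end and packet space only, never by iov_len
 * (bug 1), and the iovec index is never advanced (bug 2). */
size_t gather_buggy(const struct model_iovec *iovs, uint8_t *pkt, size_t pkt_len) {
    size_t idx = 0, off = 0, filled = 0;
    while (filled < pkt_len) {
        if (off >= PINNED(&iovs[idx]))
            return filled;  /* ran off this iovec's pages: packet is short and wrong */
        size_t n = MIN(PAGE - off % PAGE, pkt_len - filled);
        memcpy(pkt + filled, iovs[idx].pages + off, n);  /* also copies bytes past iov_len */
        filled += n; off += n;
    }
    return filled;
}

/* Fixed gather: each chunk is also bounded by the bytes left in the iovec, and a
 * drained iovec hands over to the next one. */
size_t gather_fixed(const struct model_iovec *iovs, size_t niov, uint8_t *pkt, size_t pkt_len) {
    size_t idx = 0, off = 0, filled = 0;
    while (filled < pkt_len && idx < niov) {
        size_t n = MIN(MIN(PAGE - off % PAGE, iovs[idx].len - off), pkt_len - filled);
        memcpy(pkt + filled, iovs[idx].pages + off, n);
        filled += n; off += n;
        if (off == iovs[idx].len) { idx++; off = 0; }  /* advance to the next iovec */
    }
    return filled;
}

/* Two one-page iovecs, both ending short of the page boundary; the unused page tails
 * hold 0xEE filler that must never reach the wire. Returns the gathered length and
 * counts in *stale the filler bytes that leaked into the 96-byte packet. */
size_t gather_example(int fixed, size_t *stale) {
    static uint8_t page0[PAGE], page1[PAGE], pkt[96];
    memset(page0, 0xEE, PAGE); memset(page0, 'A', 40);
    memset(page1, 0xEE, PAGE); memset(page1, 'B', 56);
    struct model_iovec iovs[2] = { { page0, 40 }, { page1, 56 } };
    size_t i, got = fixed ? gather_fixed(iovs, 2, pkt, sizeof pkt) : gather_buggy(iovs, pkt, sizeof pkt);
    for (*stale = 0, i = 0; i < got; i++) *stale += (pkt[i] == 0xEE);
    return got;
}
size_t leaked_filler(int fixed) { size_t s; gather_example(fixed, &s); return s; }
```

The buggy path returns a 64-byte packet of which 24 bytes are filler from past iov_len, while the fixed path returns the intended 96 bytes with no filler.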

When fixing these bugs, other bugs related to SDMA pin cache (struct mmu_rb_handler) are also addressed in the resolution process:

1. Issues concerning extending an existing mmu_rb_handler entry (struct mmu_rb_node).
2. In hfi1_mmu_rb_remove_unless_exact(), mmu_rb_node->refcount is incremented outside of mmu_rb_handler->lock.
3. The SDMA request submission failure path does not check mmu_rb_node->refcount before freeing the mmu_rb_node object.

Exploit details

The vulnerability has not affected SDMA packets from hfi1 Verbs or PSM2 since they only produce iovecs that end short of PAGE_SIZE as the tail iovec of an SDMA request. However, if exploited successfully, this vulnerability could lead to data corruption, impacting the overall performance and stability of the system running the affected Linux kernel.

Conclusion

The Linux kernel vulnerability CVE-2023-52474 has been addressed, resolving multiple bugs leading to potential data corruption in user SDMA requests. System administrators and users are strongly encouraged to update their Linux kernel to the patched version to avoid potential exploitation and performance degradation.

Timeline

Published on: 02/26/2024 18:15:07 UTC
Last modified on: 04/17/2024 17:15:54 UTC