NVD Vulnerability Detail

CVE-2024-26766

Summary	In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix sdma.h tx->num_descs off-by-one error Unfortunately the commit `fd8958efe877` introduced another error causing the `descs` array to overflow. This reults in further crashes easily reproducible by `sendmsg` system call. [ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI [ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1] -- [ 1080.974535] Call Trace: [ 1080.976990] <TASK> [ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1] [ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1] [ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1] [ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib] [ 1081.046978] dev_hard_start_xmit+0xc4/0x210 -- [ 1081.148347] __sys_sendmsg+0x59/0xa0 crash> ipoib_txreq 0xffff9cfeba229f00 struct ipoib_txreq { txreq = { list = { next = 0xffff9cfeba229f00, prev = 0xffff9cfeba229f00 }, descp = 0xffff9cfeba229f40, coalesce_buf = 0x0, wait = 0xffff9cfea4e69a48, complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>, packet_len = 0x46d, tlen = 0x0, num_desc = 0x0, desc_limit = 0x6, next_descq_idx = 0x45c, coalesce_idx = 0x0, flags = 0x0, descs = {{ qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63) }, { qw = { 0x3800014231b108, 0x4} }, { qw = { 0x310000e4ee0fcf0, 0x8} }, { qw = { 0x3000012e9f8000, 0x8} }, { qw = { 0x59000dfb9d0000, 0x8} }, { qw = { 0x78000e02e40000, 0x8} }} }, sdma_hdr = 0x400300015528b000, <<< invalid pointer in the tx request structure sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62) complete = 0x0, priv = 0x0, txq = 0xffff9cfea4e69880, skb = 0xffff9d099809f400 } If an SDMA send consists of exactly 6 descriptors and requires dword padding (in the 7th descriptor), the sdma_txreq descriptor array is not properly expanded and the packet will overflow into the container structure. This results in a panic when the send completion runs. The exact panic varies depending on what elements of the container structure get corrupted. The fix is to use the correct expression in _pad_sdma_tx_descs() to test the need to expand the descriptor array. With this patch the crashes are no longer reproducible and the machine is stable.
Publication Date	April 4, 2024, 2:15 a.m.
Registration Date	April 4, 2024, 10 a.m.
Last Update	Feb. 28, 2025, 6:59 a.m.

CVSS3.1 : MEDIUM
スコア	5.5
Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
攻撃元区分(AV)	ローカル
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	低
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	なし
完全性への影響(I)	なし
可用性への影響(A)	高

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:o:linux:linux_kernel:6.8:rc1::::::
cpe:2.3:o:linux:linux_kernel:6.8:rc3::::::
cpe:2.3:o:linux:linux_kernel:6.8:rc4::::::
cpe:2.3:o:linux:linux_kernel:6.8:rc2::::::
cpe:2.3:o:linux:linux_kernel:6.8:rc5::::::
cpe:2.3:o:linux:linux_kernel::::::::	6.7			6.7.7
cpe:2.3:o:linux:linux_kernel::::::::	4.19.291			4.19.308
cpe:2.3:o:linux:linux_kernel::::::::	5.4.251			5.4.270
cpe:2.3:o:linux:linux_kernel::::::::	5.10.188			5.10.211
cpe:2.3:o:linux:linux_kernel::::::::	5.15.99			5.15.150
cpe:2.3:o:linux:linux_kernel::::::::	6.1.16			6.1.80
cpe:2.3:o:linux:linux_kernel::::::::	6.2.3			6.6.19

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:10.0:::::::*

Related information, measures and tools

No	URL	タグ
1	https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790	Patch
2	https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790	Patch
3	https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2	Patch
4	https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2	Patch
5	https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39	Patch
6	https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39	Patch
7	https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b	Patch
8	https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b	Patch
9	https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5	Patch
10	https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5	Patch
11	https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9	Patch
12	https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9	Patch
13	https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a	Patch
14	https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a	Patch
15	https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6	Patch
16	https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6	Patch
17	https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html	Mailing List
18	https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html	Mailing List

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-193	境界条件の判定	https://cwe.mitre.org/data/definitions/193.html

JVN Vulnerability Information

Linux の Linux Kernel 等複数ベンダの製品における境界条件の判定に関する脆弱性

Title	Linux の Linux Kernel 等複数ベンダの製品における境界条件の判定に関する脆弱性
Summary	Linux の Linux Kernel 等複数ベンダの製品には、境界条件の判定に関する脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Feb. 4, 2024, midnight
Registration Date	March 10, 2025, 5:48 p.m.
Last Update	Aug. 20, 2025, 5:35 p.m.

Affected System

Debian

Debian GNU/Linux 10.0

Linux

Linux Kernel 4.19.291 以上 4.19.308 未満

Linux Kernel 5.10.188 以上 5.10.211 未満

Linux Kernel 5.15.99 以上 5.15.150 未満

Linux Kernel 5.4.251 以上 5.4.270 未満

Linux Kernel 6.1.16 以上 6.1.80 未満

Linux Kernel 6.2.3 以上 6.6.19 未満

Linux Kernel 6.7 以上 6.7.7 未満

Linux Kernel 6.8

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2024-26766	https://www.cve.org/CVERecord?id=CVE-2024-26766
National Vulnerability Database (NVD)
2	CVE-2024-26766	https://nvd.nist.gov/vuln/detail/CVE-2024-26766

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-193	https://cwe.mitre.org/data/definitions/193.html

ベンダー情報

No	Name	URL
Debian
1	[SECURITY] [DLA 3840-1] linux security update	https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
2	[SECURITY] [DLA 3842-1] linux-5.10 security update	https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
Kernel.org git repositories
3	IB/hfi1: Fix sdma.h tx->num_descs off-by-one error (115b7f3)	https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790
4	IB/hfi1: Fix sdma.h tx->num_descs off-by-one error (3f38d22)	https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2
5	IB/hfi1: Fix sdma.h tx->num_descs off-by-one error (47ae64d)	https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39
6	IB/hfi1: Fix sdma.h tx->num_descs off-by-one error (52dc9a7)	https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b
7	IB/hfi1: Fix sdma.h tx->num_descs off-by-one error (5833024)	https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5
8	IB/hfi1: Fix sdma.h tx->num_descs off-by-one error (9034a1b)	https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9
9	IB/hfi1: Fix sdma.h tx->num_descs off-by-one error (a2fef1d)	https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a
10	IB/hfi1: Fix sdma.h tx->num_descs off-by-one error (e6f57c6)	https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6
Linux Kernel
11	Linux Kernel Archives	https://www.kernel.org

その他

No	Name	URL
ICS-CERT ADVISORY
1	ICSA-25-226-15	https://www.cisa.gov/news-events/ics-advisories/icsa-25-226-15
JVN
2	JVNVU#92169998	https://jvn.jp/vu/JVNVU92169998/index.html

Change Log

No	Changed Details	Date of change
1	[2025年03月10日] 掲載	March 10, 2025, 5:48 p.m.
2	[2025年08月20日] 参考情報：JVN (JVNVU#92169998) を追加参考情報：ICS-CERT ADVISORY (ICSA-25-226-15) を追加	Aug. 20, 2025, 12:34 p.m.