In the Linux kernel, the following vulnerability has been resolved:

ionic: fix kernel panic due to multi-buffer handling

Currently, the ionic_run_xdp() doesn't handle multi-buffer packets properly for XDP_TX and XDP_REDIRECT.
When a jumbo frame is received, the ionic_run_xdp() first makes xdp frame with all necessary pages in the rx descriptor.
And if the action is either XDP_TX or XDP_REDIRECT, it should unmap dma-mapping and reset page pointer to NULL for all pages, not only the first page.
But it doesn't for SG pages. So, SG pages unexpectedly will be reused.
It eventually causes kernel panic.

```
Oops: general protection fault, probably for non-canonical address 0x504f4e4dbebc64ff: 0000 [#1] PREEMPT SMP NOPTI
CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.10.0-rc3+ #25
RIP: 0010:xdp_return_frame+0x42/0x90
Code: 01 75 12 5b 4c 89 e6 5d 31 c9 41 5c 31 d2 41 5d e9 73 fd ff ff 44 8b 6b 20 0f b7 43 0a 49 81 ed 68 01 00 00 49 29 c5 49 01 fd <41> 80 7d0
RSP: 0018:ffff99d00122ce08 EFLAGS: 00010202
RAX: 0000000000005453 RBX: ffff8d325f904000 RCX: 0000000000000001
RDX: 00000000670e1000 RSI: 000000011f90d000 RDI: 504f4e4d4c4b4a49
RBP: ffff99d003907740 R08: 0000000000000000 R09: 0000000000000000
R10: 000000011f90d000 R11: 0000000000000000 R12: ffff8d325f904010
R13: 504f4e4dbebc64fd R14: ffff8d3242b070c8 R15: ffff99d0039077c0
FS: 0000000000000000(0000) GS:ffff8d399f780000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f41f6c85e38 CR3: 000000037ac30000 CR4: 00000000007506f0
PKRU: 55555554
Call Trace:
```
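The ownership rule in the description above, as an added userspace model (not the ionic driver's code and not the upstream patch): once a frame is handed off for XDP_TX or XDP_REDIRECT, any rx slot that still holds a page pointer or DMA mapping will be reused by the driver. The struct and function names (`buf_slot`, `rx_desc`, `run_case`) and the dummy pages are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_BUFS 4                 /* constructed: head buffer + 3 SG buffers */
struct buf_slot {                  /* hypothetical model of one rx buffer slot */
    void *page;                    /* NULL: the driver no longer owns a page */
    bool dma_mapped;
};
struct rx_desc {                   /* hypothetical model of one rx descriptor */
    struct buf_slot bufs[MAX_BUFS];
    size_t nbufs;                  /* 1 = normal frame, >1 = jumbo frame */
};

static void release_slot(struct buf_slot *b)
{
    b->dma_mapped = false;         /* models the DMA unmap */
    b->page = NULL;                /* models resetting the page pointer */
}

/* Count slots that still reference pages now owned by the xdp frame. */
static size_t stale_slots(const struct rx_desc *d)
{
    size_t n = 0;
    for (size_t i = 0; i < d->nbufs; i++)
        if (d->bufs[i].page || d->bufs[i].dma_mapped)
            n++;
    return n;
}

/* Hand off a constructed frame of nbufs pages and report stale slots.
 * fixed=false releases only the first page; fixed=true releases all. */
static size_t run_case(size_t nbufs, bool fixed)
{
    static char pages[MAX_BUFS][16];   /* constructed dummy pages */
    struct rx_desc d = { .nbufs = nbufs > MAX_BUFS ? MAX_BUFS : nbufs };
    for (size_t i = 0; i < d.nbufs; i++)
        d.bufs[i] = (struct buf_slot){ .page = pages[i], .dma_mapped = true };
    for (size_t i = 0; i < (fixed ? d.nbufs : 1); i++)
        release_slot(&d.bufs[i]);
    return stale_slots(&d);
}

int main(void)
{
    printf("first page only: 1 buf -> %zu stale, 3 bufs -> %zu stale\n",
           run_case(1, false), run_case(3, false));
    printf("all pages:       3 bufs -> %zu stale\n", run_case(3, true));
    return 0;
}
```

In this model a single-buffer frame leaves nothing stale even with the first-page-only release, which matches the description's point that the fault appears when a jumbo frame is received.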
No PoCs from references.
- https://github.com/fkie-cad/nvd-json-data-feeds