APPLIED: [SRU][F/J][PATCH 0/1] CVE-2024-41066

[Roxana Nicolescu]

On 25/11/2024 16:12, Massimiliano Pellizzer wrote:
> [Impact]
>
> ibmvnic: Add tx check to prevent skb leak
>
> Below is a summary of how the driver stores a reference to an skb during
> transmit:
>      tx_buff[free_map[consumer_index]]->skb = new_skb;
>      free_map[consumer_index] = IBMVNIC_INVALID_MAP;
>      consumer_index ++;
> Where variable data looks like this:
>      free_map == [4, IBMVNIC_INVALID_MAP, IBMVNIC_INVALID_MAP, 0, 3]
>                                                 	consumer_index^
>      tx_buff == [skb=null, skb=<ptr>, skb=<ptr>, skb=null, skb=null]
>
> The driver has checks to ensure that free_map[consumer_index] pointed to
> a valid index but there was no check to ensure that this index pointed
> to an unused/null skb address. So, if, by some chance, our free_map and
> tx_buff lists become out of sync then we were previously risking an
> skb memory leak. This could then cause tcp congestion control to stop
> sending packets, eventually leading to ETIMEDOUT.
>
> Therefore, add a conditional to ensure that the skb address is null. If
> not then warn the user (because this is still a bug that should be
> patched) and free the old pointer to prevent memleak/tcp problems.
>
> [Fix]
>
> Oracular: Not affected
> Noble:    Fixed
> Jammy:    Backported from mainline
> Focal:    Backported from mainline
> Bionic:   Sent to ESM ML
> Xenial:   Sent to ESM ML
>
> [Test Case]
>
> Compile tested only.
>
> [Where problems could occur]
>
> The fix affects the ibmvnic driver. An issue with this fix may lead to
> improper handling of network packet buffers, potentially causing packets
> drop or corruption, in virtualized enivronments on IBM systems.
>
> Nick Child (1):
>    ibmvnic: Add tx check to prevent skb leak
>
>   drivers/net/ethernet/ibm/ibmvnic.c | 12 ++++++++++++
>   1 file changed, 12 insertions(+)
>
Applied to focal:linux, jammy:linux master-next branches. Thanks!