5.5
MEDIUM
CVE-2024-26766
Linux Kernel SDMA Descriptor Array Overflow (IB/HFI1 SDMA)
Description

In the Linux kernel, the following vulnerability has been resolved:

IB/hfi1: Fix sdma.h tx->num_descs off-by-one error

Unfortunately the commit `fd8958efe877` introduced another error causing the `descs` array to overflow. This results in further crashes easily reproducible by the `sendmsg` system call.

  [ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI
  [ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]
  --
  [ 1080.974535] Call Trace:
  [ 1080.976990]  <TASK>
  [ 1081.021929]  hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]
  [ 1081.027364]  hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]
  [ 1081.032633]  hfi1_ipoib_send+0x112/0x300 [hfi1]
  [ 1081.042001]  ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]
  [ 1081.046978]  dev_hard_start_xmit+0xc4/0x210
  --
  [ 1081.148347]  __sys_sendmsg+0x59/0xa0

  crash> ipoib_txreq 0xffff9cfeba229f00
  struct ipoib_txreq {
    txreq = {
      list = {
        next = 0xffff9cfeba229f00,
        prev = 0xffff9cfeba229f00
      },
      descp = 0xffff9cfeba229f40,
      coalesce_buf = 0x0,
      wait = 0xffff9cfea4e69a48,
      complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>,
      packet_len = 0x46d,
      tlen = 0x0,
      num_desc = 0x0,
      desc_limit = 0x6,
      next_descq_idx = 0x45c,
      coalesce_idx = 0x0,
      flags = 0x0,
      descs = {{
          qw = {0x8024000120dffb00, 0x4}   # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)
        }, {
          qw = { 0x3800014231b108, 0x4}
        }, {
          qw = { 0x310000e4ee0fcf0, 0x8}
        }, {
          qw = { 0x3000012e9f8000, 0x8}
        }, {
          qw = { 0x59000dfb9d0000, 0x8}
        }, {
          qw = { 0x78000e02e40000, 0x8}
        }}
    },
    sdma_hdr = 0x400300015528b000,   <<< invalid pointer in the tx request structure
    sdma_status = 0x0,
                                     SDMA_DESC0_LAST_DESC_FLAG (bit 62)
    complete = 0x0,
    priv = 0x0,
    txq = 0xffff9cfea4e69880,
    skb = 0xffff9d099809f400
  }

If an SDMA send consists of exactly 6 descriptors and requires dword padding (in the 7th descriptor), the sdma_txreq descriptor array is not properly expanded and the packet overflows into the container structure. This results in a panic when the send completion runs. The exact panic varies depending on which elements of the container structure get corrupted.

The fix is to use the correct expression in _pad_sdma_tx_descs() to test the need to expand the descriptor array. With this patch the crashes are no longer reproducible and the machine is stable.
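The descriptor-array edge case the commit message describes, as an added C model written for this page (it is not the hfi1 driver code): the bounds check has to account for the pad descriptor that is about to be appended, otherwise a request holding exactly 6 descriptors writes its 7th into the container structure right after the array. The struct layout, the helper names and the "double the limit" expansion are constructed assumptions; only descs, num_desc, desc_limit and sdma_hdr are taken from the crash dump above.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not the hfi1 driver: an inline array of 6 descriptors is
 * followed by a container field (sdma_hdr) that a 7th write would clobber. */
#define INLINE_DESCS 6
struct sdma_desc { uint64_t qw[2]; };
struct tx_model {
	struct sdma_desc *descp;   /* points at descs[] until expanded to the heap */
	uint16_t num_desc;         /* descriptors filled so far */
	uint16_t desc_limit;       /* capacity of descp[] */
	struct sdma_desc descs[INLINE_DESCS];
	uint64_t sdma_hdr;         /* container field right after the array */
};
/* The test the fix concerns: expand when ONE MORE descriptor would exceed the
 * limit (num_desc + 1 > desc_limit), not only once num_desc > desc_limit. */
static int ensure_room_for_one(struct tx_model *tx)
{
	if (tx->num_desc + 1 <= tx->desc_limit) return 0;
	struct sdma_desc *p = calloc(2u * tx->desc_limit, sizeof *p);
	if (!p) return -1;
	memcpy(p, tx->descp, tx->num_desc * sizeof *p);
	if (tx->descp != tx->descs) free(tx->descp);   /* already on the heap */
	tx->descp = p;
	tx->desc_limit *= 2;
	return 0;
}
/* Append one descriptor (data or dword pad) only through the bounds check. */
static int add_desc(struct tx_model *tx, uint64_t qw0, uint64_t len)
{
	if (ensure_room_for_one(tx) < 0) return -1;
	tx->descp[tx->num_desc].qw[0] = qw0;
	tx->descp[tx->num_desc].qw[1] = len;
	tx->num_desc++;
	return 0;
}
/* The page's edge case: exactly 6 descriptors, then a dword pad. Returns 1 if
 * the pad landed in an expanded array and sdma_hdr was left intact. */
int pad_six_desc_request(void)
{
	struct tx_model tx = { .desc_limit = INLINE_DESCS, .sdma_hdr = 0x1234 };
	tx.descp = tx.descs;
	for (int i = 0; i < INLINE_DESCS; i++)
		if (add_desc(&tx, 0x1000 + i, 8) < 0) return 0;
	int ok = add_desc(&tx, 0x2000, 4) == 0 && tx.num_desc == 7 &&
		 tx.descp != tx.descs && tx.sdma_hdr == 0x1234 && tx.descp[6].qw[1] == 4;
	if (tx.descp != tx.descs) free(tx.descp);
	return ok;
}
```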

INFO

Published Date: April 3, 2024, 5:15 p.m.
Last Modified: Feb. 27, 2025, 9:59 p.m.
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Remotely Exploitable: No
Impact Score: 3.6
Exploitability Score: 1.8

Affected Products

The following products are affected by the CVE-2024-26766 vulnerability. Even where cvefeed.io knows the exact affected versions of these products, they are not shown in the table below.

ID  Vendor  Product
1   Linux   linux_kernel
2   Debian  debian_linux
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-26766.

URL Resource
https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790 Patch
https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2 Patch
https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39 Patch
https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b Patch
https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5 Patch
https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9 Patch
https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a Patch
https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6 Patch
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html Mailing List
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html Mailing List

The following table lists the changes that have been made to the CVE-2024-26766 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Feb. 27, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    Added CWE CWE-193
    Added CPE Configuration OR
      *cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*
      *cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*
      *cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*
      *cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*
      *cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*
      *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.7.7
      *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.19.291 up to (excluding) 4.19.308
      *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.4.251 up to (excluding) 5.4.270
      *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.10.188 up to (excluding) 5.10.211
      *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.15.99 up to (excluding) 5.15.150
      *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.1.16 up to (excluding) 6.1.80
      *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2.3 up to (excluding) 6.6.19
    Added CPE Configuration OR *cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
    Added Reference Type CVE: https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790 Types: Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2 Types: Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39 Types: Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b Types: Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5 Types: Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9 Types: Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a Types: Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6 Types: Patch
    Added Reference Type CVE: https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html Types: Mailing List
    Added Reference Type CVE: https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html Types: Mailing List
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790
    Added Reference https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2
    Added Reference https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39
    Added Reference https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b
    Added Reference https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5
    Added Reference https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9
    Added Reference https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a
    Added Reference https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6
    Added Reference https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
    Added Reference https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Nov. 05, 2024

    Action Type Old Value New Value
    Removed Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
    Removed Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jun. 27, 2024

    Action Type Old Value New Value
    Added Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html [No types assigned]
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jun. 25, 2024

    Action Type Old Value New Value
    Added Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html [No types assigned]
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 29, 2024

    Action Type Old Value New Value
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 14, 2024

    Action Type Old Value New Value
  • CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Apr. 03, 2024

    Action Type Old Value New Value
    Added Description (text identical to the Description section above)
    Added Reference kernel.org https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6 [No types assigned]
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-26766 is associated with the following CWE:

CWE-193  Off-by-one Error

CVSS 3.1 - Vulnerability Scoring System (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High