CVE-2024-26766: Vulnerability in Linux Linux

Severity: High
Published: Wed Apr 03 2024 (04/03/2024, 17:00:48 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

IB/hfi1: Fix sdma.h tx->num_descs off-by-one error

Unfortunately the commit `fd8958efe877` introduced another error causing the `descs` array to overflow. This results in further crashes easily reproducible by the `sendmsg` system call.

[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI
[ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]
--
[ 1080.974535] Call Trace:
[ 1080.976990]  <TASK>
[ 1081.021929]  hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]
[ 1081.027364]  hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]
[ 1081.032633]  hfi1_ipoib_send+0x112/0x300 [hfi1]
[ 1081.042001]  ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]
[ 1081.046978]  dev_hard_start_xmit+0xc4/0x210
--
[ 1081.148347]  __sys_sendmsg+0x59/0xa0

crash> ipoib_txreq 0xffff9cfeba229f00
struct ipoib_txreq {
  txreq = {
    list = {
      next = 0xffff9cfeba229f00,
      prev = 0xffff9cfeba229f00
    },
    descp = 0xffff9cfeba229f40,
    coalesce_buf = 0x0,
    wait = 0xffff9cfea4e69a48,
    complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>,
    packet_len = 0x46d,
    tlen = 0x0,
    num_desc = 0x0,
    desc_limit = 0x6,
    next_descq_idx = 0x45c,
    coalesce_idx = 0x0,
    flags = 0x0,
    descs = {{
        qw = {0x8024000120dffb00, 0x4}   # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)
      }, {
        qw = { 0x3800014231b108, 0x4}
      }, {
        qw = { 0x310000e4ee0fcf0, 0x8}
      }, {
        qw = { 0x3000012e9f8000, 0x8}
      }, {
        qw = { 0x59000dfb9d0000, 0x8}
      }, {
        qw = { 0x78000e02e40000, 0x8}
      }}
  },
  sdma_hdr = 0x400300015528b000,        <<< invalid pointer in the tx request structure
  sdma_status = 0x0,                    SDMA_DESC0_LAST_DESC_FLAG (bit 62)
  complete = 0x0,
  priv = 0x0,
  txq = 0xffff9cfea4e69880,
  skb = 0xffff9d099809f400
}

If an SDMA send consists of exactly 6 descriptors and requires dword padding (in the 7th descriptor), the sdma_txreq descriptor array is not properly expanded and the packet will overflow into the container structure.

This results in a panic when the send completion runs. The exact panic varies depending on what elements of the container structure get corrupted. The fix is to use the correct expression in _pad_sdma_tx_descs() to test the need to expand the descriptor array. With this patch the crashes are no longer reproducible and the machine is stable.
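An added model of the capacity check described above, written for this page and not taken from the hfi1 driver: the tx request holds the six inline descriptors seen in the dump (desc_limit = 0x6), a padding descriptor is appended, and the off-by-one form of the test (assumed here to compare num_desc + 1 with desc_limit) sits beside the corrected comparison. Instead of writing past descs[] into sdma_hdr, the model reports the overflow it would have caused.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define INLINE_DESCS 6          /* desc_limit = 0x6 in the crash dump */
struct sdma_desc { unsigned long long qw[2]; };
/* Model of the tx request: descp points at the inline descs[] until the
 * array is extended; sdma_hdr is the neighbour an overflow would clobber. */
struct tx_model {
    unsigned int num_desc, desc_limit;
    struct sdma_desc *descp;
    struct sdma_desc descs[INLINE_DESCS];
    void *sdma_hdr;
};
/* Move the descriptors to a larger heap array and raise the limit. */
static int extend_descs(struct tx_model *tx)
{
    unsigned int new_limit = tx->desc_limit * 2;
    struct sdma_desc *p = malloc(new_limit * sizeof(*p));
    if (!p) return -ENOMEM;
    memcpy(p, tx->descp, tx->num_desc * sizeof(*p));
    if (tx->descp != tx->descs) free(tx->descp);
    tx->descp = p;
    tx->desc_limit = new_limit;
    return 0;
}
/* Append the dword-padding descriptor. 'fixed' selects the corrected test;
 * the other branch is the off-by-one form assumed for this model. */
static int pad_descs(struct tx_model *tx, bool fixed)
{
    bool full = fixed ? tx->num_desc == tx->desc_limit
                      : tx->num_desc + 1 == tx->desc_limit;
    if (full && extend_descs(tx)) return -ENOMEM;
    /* Guard the driver lacks here: report instead of writing past descs[]. */
    if (tx->num_desc >= tx->desc_limit) return -EOVERFLOW;
    tx->descp[tx->num_desc].qw[0] = 0;   /* constructed padding descriptor */
    tx->descp[tx->num_desc].qw[1] = 8;
    tx->num_desc++;
    return 0;
}
/* One send with n descriptors already queued; returns the pad_descs() result. */
static int pad_result(unsigned int n, bool fixed)
{
    struct tx_model tx = { .num_desc = n, .desc_limit = INLINE_DESCS };
    tx.descp = tx.descs;
    int rv = pad_descs(&tx, fixed);
    if (tx.descp != tx.descs) free(tx.descp);
    return rv;
}
```

With six descriptors queued the assumed off-by-one test never extends the array and pad_result(6, false) reports -EOVERFLOW, while the corrected test extends it and returns 0.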

AI-Powered Analysis

Last updated: 06/28/2025, 02:27:04 UTC

Technical Analysis

CVE-2024-26766 is a vulnerability in the Linux kernel's InfiniBand (IB) hfi1 driver, specifically related to the handling of SDMA (System Direct Memory Access) transmit descriptors in the ipoib (IP over InfiniBand) subsystem. The vulnerability arises from an off-by-one error introduced in commit fd8958efe877, which causes an overflow of the 'descs' array within the ipoib_txreq structure when an SDMA send operation involves exactly six descriptors and requires dword padding in a seventh descriptor. This improper handling leads to a buffer overflow into adjacent memory within the container structure, corrupting data and causing kernel panics or crashes during send completion. The issue is reproducible via the sendmsg system call, which triggers the transmission process. Kernel logs indicate a general protection fault due to an invalid pointer dereference, with call traces pointing to the hfi1_ipoib_send_dma_common and related functions. The root cause is the incorrect calculation of the descriptor array size in the _pad_sdma_tx_descs() function, which fails to properly expand the array when padding is needed. The fix involves correcting this expression to ensure the descriptor array is adequately sized, preventing overflow and stabilizing the system. This vulnerability affects multiple recent Linux kernel versions identified by specific commit hashes and is relevant to systems utilizing InfiniBand networking with the hfi1 driver. No known exploits are reported in the wild as of the publication date, and no CVSS score has been assigned yet.

Potential Impact

For European organizations, especially those operating in high-performance computing (HPC), research institutions, data centers, and enterprises relying on InfiniBand networking for low-latency, high-throughput communication, this vulnerability poses a risk of system instability and denial of service (DoS). The kernel panic and crashes triggered by this flaw can disrupt critical applications, leading to downtime and potential data loss. While the vulnerability does not directly indicate privilege escalation or remote code execution, the resulting instability can impact availability and operational continuity. Organizations using Linux kernels with the affected hfi1 driver versions are at risk if they utilize the sendmsg system call in contexts involving SDMA transmissions with specific descriptor counts. Given the specialized nature of InfiniBand hardware, the impact is more pronounced in sectors with advanced networking infrastructure. European entities in scientific research, financial services, and telecommunications that deploy InfiniBand are particularly susceptible. Additionally, the instability could indirectly affect multi-tenant cloud environments or service providers hosting HPC workloads, potentially impacting European customers and services.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Immediately identify Linux systems running affected kernel versions with the hfi1 InfiniBand driver enabled, focusing on those utilizing ipoib and SDMA features.
2) Apply the official Linux kernel patches that correct the _pad_sdma_tx_descs() function to properly size the descriptor array, ensuring the fix is backported to stable kernel releases if necessary.
3) Where patching is delayed, consider temporarily disabling InfiniBand ipoib networking or restricting the use of sendmsg calls that trigger SDMA transmissions with six descriptors and padding, if feasible.
4) Monitor kernel logs for signs of general protection faults or crashes related to hfi1_ipoib functions to detect exploitation attempts or instability.
5) Implement rigorous testing of kernel updates in staging environments to validate stability before production deployment.
6) Engage with hardware vendors and Linux distribution maintainers to receive timely updates and advisories.
7) Educate system administrators about the specific conditions triggering the vulnerability to avoid inadvertent triggering during routine operations.

These steps go beyond generic advice by focusing on the specific driver, function, and usage patterns involved in the vulnerability.
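For the log-monitoring recommendation, an added example that is not part of the advisory or of any kernel tooling: it walks kernel log lines, treats each fault header as the start of an oops, and counts only the oopses whose RIP or call trace contains an hfi1_ipoib frame. The dmesg excerpt is constructed from the lines quoted above plus an unrelated oops that must not be counted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed dmesg excerpt modelled on the advisory's trace; the second
 * oops belongs to an unrelated driver and must not be counted. */
static const char *const sample_log[] = {
    "[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI",
    "[ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]",
    "[ 1080.974535] Call Trace:",
    "[ 1081.021929]  hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]",
    "[ 1081.148347]  __sys_sendmsg+0x59/0xa0",
    "[ 2000.000001] BUG: unable to handle page fault for address: 0000000000000008",
    "[ 2000.000002] RIP: 0010:other_driver_xmit+0x10/0x20 [other]",
    "[ 2000.000003]  __sys_sendmsg+0x59/0xa0",
};
#define SAMPLE_LINES (sizeof(sample_log) / sizeof(sample_log[0]))

/* A new oops starts at a fault header; the frames until the next header
 * belong to it. Count the oopses that carry at least one hfi1_ipoib frame. */
static int count_hfi1_ipoib_oops(const char *const *lines, size_t n)
{
    int hits = 0;
    bool in_oops = false, matched = false;
    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        bool header = strstr(l, "general protection fault") ||
                      strstr(l, "BUG: unable to handle");
        if (header) {
            if (in_oops && matched) hits++;   /* close the previous oops */
            in_oops = true;
            matched = false;
        } else if (in_oops && strstr(l, "hfi1_ipoib")) {
            matched = true;
        }
    }
    if (in_oops && matched) hits++;           /* close the last oops */
    return hits;
}

/* Scan the embedded sample; returns 1 because only the first oops matches. */
static int sample_hits(void)
{
    return count_hfi1_ipoib_oops(sample_log, SAMPLE_LINES);
}
```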

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.173Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9821c4522896dcbdda71

Added to database: 5/21/2025, 9:08:49 AM

Last enriched: 6/28/2025, 2:27:04 AM

Last updated: 7/31/2025, 2:38:43 AM