{"dataType":"CVE_RECORD","cveMetadata":{"cveId":"CVE-2024-26766","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-19T14:20:24.173Z","datePublished":"2024-04-03T17:00:48.642Z","dateUpdated":"2026-05-11T20:03:45.559Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T20:03:45.559Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix sdma.h tx->num_descs off-by-one error\n\nUnfortunately the commit `fd8958efe877` introduced another error\ncausing the `descs` array to overflow. This reults in further crashes\neasily reproducible by `sendmsg` system call.\n\n[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI\n[ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]\n--\n[ 1080.974535] Call Trace:\n[ 1080.976990]  <TASK>\n[ 1081.021929]  hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]\n[ 1081.027364]  hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]\n[ 1081.032633]  hfi1_ipoib_send+0x112/0x300 [hfi1]\n[ 1081.042001]  ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]\n[ 1081.046978]  dev_hard_start_xmit+0xc4/0x210\n--\n[ 1081.148347]  __sys_sendmsg+0x59/0xa0\n\ncrash> ipoib_txreq 0xffff9cfeba229f00\nstruct ipoib_txreq {\n  txreq = {\n    list = {\n      next = 0xffff9cfeba229f00,\n      prev = 0xffff9cfeba229f00\n    },\n    descp = 0xffff9cfeba229f40,\n    coalesce_buf = 0x0,\n    wait = 0xffff9cfea4e69a48,\n    complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>,\n    packet_len = 0x46d,\n    tlen = 0x0,\n    num_desc = 0x0,\n    desc_limit = 0x6,\n    next_descq_idx = 0x45c,\n    coalesce_idx = 0x0,\n    flags = 0x0,\n    descs = {{\n        qw = {0x8024000120dffb00, 0x4}  # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)\n      }, {\n        qw = {  0x3800014231b108, 0x4}\n      }, {\n        qw = { 0x310000e4ee0fcf0, 0x8}\n      }, {\n        qw = {  0x3000012e9f8000, 0x8}\n      }, {\n        qw = {  0x59000dfb9d0000, 0x8}\n      }, {\n        qw = {  0x78000e02e40000, 0x8}\n      }}\n  },\n  sdma_hdr =  0x400300015528b000,  <<< invalid pointer in the tx request structure\n  sdma_status = 0x0,                   SDMA_DESC0_LAST_DESC_FLAG (bit 62)\n  complete = 0x0,\n  priv = 0x0,\n  txq = 0xffff9cfea4e69880,\n  skb = 0xffff9d099809f400\n}\n\nIf an SDMA send consists of exactly 6 descriptors and requires dword\npadding (in the 7th descriptor), the sdma_txreq descriptor array is not\nproperly expanded and the packet will overflow into the container\nstructure. This results in a panic when the send completion runs. The\nexact panic varies depending on what elements of the container structure\nget corrupted. The fix is to use the correct expression in\n_pad_sdma_tx_descs() to test the need to expand the descriptor array.\n\nWith this patch the crashes are no longer reproducible and the machine is\nstable."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/infiniband/hw/hfi1/sdma.c"],"versions":[{"version":"d1c1ee052d25ca23735eea912f843bc7834781b4","lessThan":"115b7f3bc1dce590a6851a2dcf23dc1100c49790","status":"affected","versionType":"git"},{"version":"40ac5cb6cbb01afa40881f78b4d2f559fb7065c4","lessThan":"5833024a9856f454a964a198c63a57e59e07baf5","status":"affected","versionType":"git"},{"version":"6cf8f3d690bb5ad31ef0f41a6206ecf5a068d179","lessThan":"3f38d22e645e2e994979426ea5a35186102ff3c2","status":"affected","versionType":"git"},{"version":"bd57756a7e43c7127d0eca1fc5868e705fd0f7ba","lessThan":"47ae64df23ed1318e27bd9844e135a5e1c0e6e39","status":"affected","versionType":"git"},{"version":"eeaf35f4e3b360162081de5e744cf32d6d1b0091","lessThan":"52dc9a7a573dbf778625a0efca0fca55489f084b","status":"affected","versionType":"git"},{"version":"fd8958efe8779d3db19c9124fce593ce681ac709","lessThan":"a2fef1d81becf4ff60e1a249477464eae3c3bc2a","status":"affected","versionType":"git"},{"version":"fd8958efe8779d3db19c9124fce593ce681ac709","lessThan":"9034a1bec35e9f725315a3bb6002ef39666114d9","status":"affected","versionType":"git"},{"version":"fd8958efe8779d3db19c9124fce593ce681ac709","lessThan":"e6f57c6881916df39db7d95981a8ad2b9c3458d6","status":"affected","versionType":"git"},{"version":"0ef9594936d1f078e8599a1cf683b052df2bec00","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/infiniband/hw/hfi1/sdma.c"],"versions":[{"version":"6.3","status":"affected"},{"version":"0","lessThan":"6.3","status":"unaffected","versionType":"semver"},{"version":"4.19.308","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.270","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.211","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.150","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.80","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.19","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.7.7","lessThanOrEqual":"6.7.*","status":"unaffected","versionType":"semver"},{"version":"6.8","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.291","versionEndExcluding":"4.19.308"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.251","versionEndExcluding":"5.4.270"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.188","versionEndExcluding":"5.10.211"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.99","versionEndExcluding":"5.15.150"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.16","versionEndExcluding":"6.1.80"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.3","versionEndExcluding":"6.6.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.3","versionEndExcluding":"6.7.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.3","versionEndExcluding":"6.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2.3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790"},{"url":"https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5"},{"url":"https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2"},{"url":"https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39"},{"url":"https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b"},{"url":"https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a"},{"url":"https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9"},{"url":"https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6"}],"title":"IB/hfi1: Fix sdma.h tx->num_descs off-by-one error","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CISA ADP Vulnrichment","metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-26766","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-04-03T18:11:09.801717Z"}}}],"providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-04T17:48:44.178Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T00:14:13.309Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6","tags":["x_transferred"]},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","tags":["x_transferred"]},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","tags":["x_transferred"]}]}]},"dataVersion":"5.2"}