Executive Summary

This vulnerability exists in the Linux kernel's mvpp2 network driver. The issue arises because the driver programs the RX queue packet offset so that hardware writes received data at a specific memory address offset (dma_addr + MVPP2_SKB_HEADROOM). However, the CPU synchronization currently starts at dma_addr and only covers a certain number of bytes, which results in syncing unused headroom but missing the actual packet tail data.

On systems with non-coherent DMA, this causes the CPU to potentially read stale cache data for the end of the received network frame, leading to incorrect or outdated data being processed.

The fix involves using dma_sync_single_range_for_cpu() with the correct offset (MVPP2_SKB_HEADROOM) to ensure the synchronization covers the entire packet data and header actually written by the hardware.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause the CPU to read stale or outdated data from the network packet's tail on non-coherent DMA systems. This means that the data processed by the system may be incorrect or incomplete, potentially leading to network communication errors, data corruption, or unexpected behavior in applications relying on accurate network data.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability is related to improper synchronization of RX data in the mvpp2 driver on non-coherent DMA systems, which can cause the CPU to read stale cache contents.

To mitigate this vulnerability, ensure that the Linux kernel version you are using includes the fix that uses dma_sync_single_range_for_cpu() with MVPP2_SKB_HEADROOM as the range offset. This change properly synchronizes the Marvell header and packet data written by hardware.

Therefore, the immediate step is to update your Linux kernel to a version that contains this fix.

Useful 0 Not Useful 0