CVSS3: 6.7 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score: 6.9 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 5.1%)

In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_acl_tcam: Fix stack corruption

When tc filters are first added to a net device, the corresponding local port gets bound to an ACL group in the device. The group contains a list of ACLs. In turn, each ACL points to a different TCAM region where the filters are stored. During forwarding, the ACLs are sequentially evaluated until a match is found.

One reason to place filters in different regions is when they are added with decreasing priorities and in an alternating order so that two consecutive filters can never fit in the same region because of their key usage.

In Spectrum-2 and newer ASICs the firmware started to report that the maximum number of ACLs in a group is more than 16, but the layout of the register that configures ACL groups (PAGT) was not updated to account for that. It is therefore possible to hit stack corruption [1] in the rare case where more than 16 ACLs in a group are required.

Fix by limiting the maximum ACL group size to the minimum between what the firmware reports and the maximum ACLs that fit in the PAGT register.

Add a test case to make sure the machine does not crash when this condition is hit.

[1]

    Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120
    […]
    dump_stack_lvl+0x36/0x50
    panic+0x305/0x330
    __stack_chk_fail+0x15/0x20
    mlxsw_sp_acl_tcam_group_update+0x116/0x120
    mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110
    mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20
    mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0
    mlxsw_sp_acl_rule_add+0x47/0x240
    mlxsw_sp_flower_replace+0x1a9/0x1d0
    tc_setup_cb_add+0xdc/0x1c0
    fl_hw_replace_filter+0x146/0x1f0
    fl_change+0xc17/0x1360
    tc_new_tfilter+0x472/0xb90
    rtnetlink_rcv_msg+0x313/0x3b0
    netlink_rcv_skb+0x58/0x100
    netlink_unicast+0x244/0x390
    netlink_sendmsg+0x1e4/0x440
    ____sys_sendmsg+0x164/0x260
    ___sys_sendmsg+0x9a/0xe0
    __sys_sendmsg+0x7a/0xc0
    do_syscall_64+0x40/0xe0
    entry_SYSCALL_64_after_hwframe+0x63/0x6b

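
The bound described in the fix above, modelled in user space as an added example. This is not the kernel patch or the driver's own code: every identifier (`PAGT_ACL_SLOTS`, `effective_max_group_size`, `group_attach_many`, `pagt_pack`) and the firmware value 32 are assumptions made for illustration; only the register capacity of 16 comes from the description.

```c
#include <stdint.h>
#include <string.h>

/* User-space model; every name here is hypothetical, not the driver's own. */
#define PAGT_ACL_SLOTS 16u  /* ACL entries the register layout holds, per the description */

struct pagt_payload {       /* stands in for the register buffer built on the stack */
    uint16_t size;
    uint16_t acl_id[PAGT_ACL_SLOTS];
};

struct acl_group {
    unsigned int max_size;  /* limit enforced when an ACL is attached */
    unsigned int count;
    uint16_t acl_id[64];    /* software list, larger than the register */
};

/* The fix: the smaller of the firmware-reported limit and the register capacity. */
unsigned int effective_max_group_size(unsigned int fw_reported)
{
    return fw_reported < PAGT_ACL_SLOTS ? fw_reported : PAGT_ACL_SLOTS;
}

/* Attach up to n ACLs (constructed ids) and return how many the group accepted. */
unsigned int group_attach_many(struct acl_group *g, unsigned int fw_reported, unsigned int n)
{
    memset(g, 0, sizeof(*g));
    g->max_size = effective_max_group_size(fw_reported);
    for (unsigned int i = 0; i < n && g->count < g->max_size; i++)
        g->acl_id[g->count++] = (uint16_t)(100 + i);
    return g->count;
}

/* Pack the group into the register payload; refuse anything that cannot fit. */
int pagt_pack(struct pagt_payload *p, const struct acl_group *g)
{
    if (g->count > PAGT_ACL_SLOTS)
        return -1;          /* copying would run past acl_id[] */
    memset(p, 0, sizeof(*p));
    p->size = (uint16_t)g->count;
    memcpy(p->acl_id, g->acl_id, g->count * sizeof(g->acl_id[0]));
    return 0;
}

int main(void)
{
    struct acl_group g;
    struct pagt_payload p;
    /* constructed input: firmware reports 32, caller asks for 20 ACLs */
    return !(group_attach_many(&g, 32, 20) == 16 && pagt_pack(&p, &g) == 0);
}
```

The second check in `pagt_pack` is defence in depth: even if a caller bypasses the clamped limit, the fixed-size payload is never written past its last slot.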
Author | Note |
---|---|
rodrigo-zaiden | USN-6765-1 for linux-oem-6.5 wrongly stated that this CVE was fixed in version 6.5.0-1022.23. The mentioned notice was revoked and the state of the fix for linux-oem-6.5 was recovered to the previous state. |

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < 5.15.0-102.112 | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < 6.5.0-41.41 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1057.63 | UNKNOWN |
ubuntu | 23.10 | noarch | linux-aws | < 6.5.0-1021.21 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < 5.15.0-1057.63~20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure | < 5.15.0-1060.69 | UNKNOWN |
git.kernel.org/stable/c/2f5e1565740490706332c06f36211d4ce0f88e62
git.kernel.org/stable/c/348112522a35527c5bcba933b9fefb40a4f44f15
git.kernel.org/stable/c/483ae90d8f976f8339cf81066312e1329f2d3706
git.kernel.org/stable/c/56750ea5d15426b5f307554e7699e8b5f76c3182
git.kernel.org/stable/c/a361c2c1da5dbb13ca67601cf961ab3ad68af383
launchpad.net/bugs/cve/CVE-2024-26586
nvd.nist.gov/vuln/detail/CVE-2024-26586
security-tracker.debian.org/tracker/CVE-2024-26586
ubuntu.com/security/notices/USN-6725-1
ubuntu.com/security/notices/USN-6725-2
ubuntu.com/security/notices/USN-6818-1
ubuntu.com/security/notices/USN-6818-2
ubuntu.com/security/notices/USN-6818-3
ubuntu.com/security/notices/USN-6818-4
ubuntu.com/security/notices/USN-6819-1
ubuntu.com/security/notices/USN-6819-2
ubuntu.com/security/notices/USN-6819-3
ubuntu.com/security/notices/USN-6819-4
www.cve.org/CVERecord?id=CVE-2024-26586