CVSS3: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

AI Score confidence: High

EPSS percentile: 10.3%

In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash

The rehash delayed work migrates filters from one region to another according to the number of available credits.

The migrated from region is destroyed at the end of the work if the number of credits is non-negative as the assumption is that this is indicative of migration being complete. This assumption is incorrect as a non-negative number of credits can also be the result of a failed migration.

The destruction of a region that still has filters referencing it can result in a use-after-free [1].

Fix by not destroying the region if migration failed.

[1]

```
BUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230
Read of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858

CPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G W 6.9.0-rc2-custom-00782-gf2275c2157d8 #5
Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019
Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work
Call Trace:
 <TASK>
 dump_stack_lvl+0xc6/0x120
 print_report+0xce/0x670
 kasan_report+0xd7/0x110
 mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230
 mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70
 mlxsw_sp_acl_atcam_entry_del+0x81/0x210
 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50
 mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300
 process_one_work+0x8eb/0x19b0
 worker_thread+0x6c9/0xf70
 kthread+0x2c9/0x3b0
 ret_from_fork+0x4d/0x80
 ret_from_fork_asm+0x1a/0x30
 </TASK>

Allocated by task 174:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 __kasan_kmalloc+0x8f/0xa0
 __kmalloc+0x19c/0x360
 mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0
 mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300
 process_one_work+0x8eb/0x19b0
 worker_thread+0x6c9/0xf70
 kthread+0x2c9/0x3b0
 ret_from_fork+0x4d/0x80
 ret_from_fork_asm+0x1a/0x30

Freed by task 7:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3b/0x60
 poison_slab_object+0x102/0x170
 __kasan_slab_free+0x14/0x30
 kfree+0xc1/0x290
 mlxsw_sp_acl_tcam_region_destroy+0x272/0x310
 mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300
 process_one_work+0x8eb/0x19b0
 worker_thread+0x6c9/0xf70
 kthread+0x2c9/0x3b0
 ret_from_fork+0x4d/0x80
 ret_from_fork_asm+0x1a/0x30
```

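
The flawed assumption described above can be seen in a small user-space model. This is an added example, not the mlxsw driver's code: the names `region`, `filter`, `migrate` and `rehash_pass` are hypothetical, the credit accounting is simplified, and a `destroyed` flag stands in for the freed region so that dangling references can be counted safely.

```c
#include <stdbool.h>

#define NFILTERS 4

struct region { bool destroyed; };          /* flag stands in for kfree() */
struct filter { struct region *region; };   /* filter references its region */

/* Simplified migration: each moved filter costs one credit. An exhausted
 * budget leaves *credits negative (work would be rescheduled); fail_at >= 0
 * simulates an error on that filter, leaving *credits non-negative. */
static int migrate(struct filter *f, struct region *from, struct region *to,
                   int fail_at, int *credits)
{
    for (int i = 0; i < NFILTERS; i++) {
        if (f[i].region != from)
            continue;
        if (*credits == 0) {
            *credits = -1;      /* out of budget, not an error */
            return 0;
        }
        if (i == fail_at)
            return -1;          /* failed; remaining filters stay in 'from' */
        f[i].region = to;
        (*credits)--;
    }
    return 0;
}

/* One pass of the rehash work. check_err=false models the pre-fix logic
 * (credits alone decide); check_err=true models "do not destroy the region
 * if migration failed". Returns how many filters still reference a
 * destroyed region, i.e. would be use-after-free accesses later. */
int rehash_pass(bool check_err, int fail_at, int credits)
{
    struct region from = { false }, to = { false };
    struct filter f[NFILTERS];
    int dangling = 0;

    for (int i = 0; i < NFILTERS; i++)
        f[i].region = &from;

    int err = migrate(f, &from, &to, fail_at, &credits);
    if (credits >= 0 && !(check_err && err))
        from.destroyed = true;  /* old region torn down */

    for (int i = 0; i < NFILTERS; i++)
        dangling += f[i].region->destroyed;
    return dangling;
}
```

With a failure on the third filter and credits to spare, the pre-fix logic leaves two filters pointing at the destroyed region; checking the migration result leaves none.
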
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < 5.4.0-189.209 | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < 5.15.0-116.126 | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < 5.4.0-1128.138 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1065.71 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < 5.15.0-1065.71~20.04.1 | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws-5.4 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < 5.4.0-1133.140 | UNKNOWN |
git.kernel.org/linus/54225988889931467a9b55fdbef534079b665519 (6.9-rc6)
git.kernel.org/stable/c/311eeaa7b9e26aba5b3d57b09859f07d8e9fc049
git.kernel.org/stable/c/4c89642ca47fb620914780c7c51d8d1248201121
git.kernel.org/stable/c/54225988889931467a9b55fdbef534079b665519
git.kernel.org/stable/c/813e2ab753a8f8c243a39ede20c2e0adc15f3887
git.kernel.org/stable/c/a02687044e124f8ccb427cd3632124a4e1a7d7c1
git.kernel.org/stable/c/a429a912d6c779807f4d72a6cc0a1efaaa3613e1
git.kernel.org/stable/c/e118e7ea24d1392878ef85926627c6bc640c4388
launchpad.net/bugs/cve/CVE-2024-35854
nvd.nist.gov/vuln/detail/CVE-2024-35854
security-tracker.debian.org/tracker/CVE-2024-35854
ubuntu.com/security/notices/USN-6896-1
ubuntu.com/security/notices/USN-6896-2
ubuntu.com/security/notices/USN-6896-3
ubuntu.com/security/notices/USN-6896-4
ubuntu.com/security/notices/USN-6896-5
ubuntu.com/security/notices/USN-6898-1
ubuntu.com/security/notices/USN-6898-2
ubuntu.com/security/notices/USN-6898-3
ubuntu.com/security/notices/USN-6898-4
ubuntu.com/security/notices/USN-6917-1
ubuntu.com/security/notices/USN-6919-1
www.cve.org/CVERecord?id=CVE-2024-35854