CVE-2024-26586
Severity CVSS v4.0:
Pending analysis
Type:
CWE-787
Out-of-bounds Write
Publication date:
22/02/2024
Last modified:
05/11/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_acl_tcam: Fix stack corruption

When tc filters are first added to a net device, the corresponding local
port gets bound to an ACL group in the device. The group contains a list
of ACLs. In turn, each ACL points to a different TCAM region where the
filters are stored. During forwarding, the ACLs are sequentially
evaluated until a match is found.

One reason to place filters in different regions is when they are added
with decreasing priorities and in an alternating order so that two
consecutive filters can never fit in the same region because of their
key usage.

In Spectrum-2 and newer ASICs the firmware started to report that the
maximum number of ACLs in a group is more than 16, but the layout of the
register that configures ACL groups (PAGT) was not updated to account
for that. It is therefore possible to hit stack corruption [1] in the
rare case where more than 16 ACLs in a group are required.

Fix by limiting the maximum ACL group size to the minimum between what
the firmware reports and the maximum ACLs that fit in the PAGT register.

Add a test case to make sure the machine does not crash when this
condition is hit.

[1]
Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120
[...]
dump_stack_lvl+0x36/0x50
panic+0x305/0x330
__stack_chk_fail+0x15/0x20
mlxsw_sp_acl_tcam_group_update+0x116/0x120
mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110
mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20
mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0
mlxsw_sp_acl_rule_add+0x47/0x240
mlxsw_sp_flower_replace+0x1a9/0x1d0
tc_setup_cb_add+0xdc/0x1c0
fl_hw_replace_filter+0x146/0x1f0
fl_change+0xc17/0x1360
tc_new_tfilter+0x472/0xb90
rtnetlink_rcv_msg+0x313/0x3b0
netlink_rcv_skb+0x58/0x100
netlink_unicast+0x244/0x390
netlink_sendmsg+0x1e4/0x440
____sys_sendmsg+0x164/0x260
___sys_sendmsg+0x9a/0xe0
__sys_sendmsg+0x7a/0xc0
do_syscall_64+0x40/0xe0
entry_SYSCALL_64_after_hwframe+0x63/0x6b
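The following C program is an added example, not code from the mlxsw driver or the kernel tree. It models the bug pattern the commit message describes: a fixed-size, on-stack register payload with room for 16 ACL slots is filled with as many entries as the group is allowed to hold, and the group size limit is taken from the firmware-reported maximum without checking it against the register layout. The vulnerable policy and the fixed policy (clamp to the minimum of the two limits) are shown side by side. All names (pagt_frame, pagt_stack, group_max_size_*, simulate_group_update, CANARY) are assumptions for illustration; the firmware-reported value of 24 is constructed, as the page only states that it is more than 16.

```c
/*
 * Added example for CVE-2024-26586 (not the mlxsw driver's own code).
 * Models the bug: firmware reports an ACL-group maximum larger than the
 * PAGT register layout can hold, and the register payload on the stack is
 * packed with more entries than it has slots. Names are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGT_ACL_MAX    16u         /* ACL slots in the register layout (16, per the commit) */
#define FW_REPORTED_MAX 24u         /* constructed: a firmware-reported maximum above 16 */
#define CANARY          0xA5C3E1D7u /* stands in for the stack protector's cookie */

/* Model of the on-stack register payload: a fixed number of ACL ids,
 * immediately followed by the canary the stack protector checks. */
struct pagt_frame {
    uint16_t acl_id[PAGT_ACL_MAX];
    uint32_t canary;
};

/* Payload plus extra bytes of "neighbouring stack", so the vulnerable
 * path's overflow stays inside this buffer and the demo itself has no
 * undefined behaviour. */
union pagt_stack {
    struct pagt_frame frame;
    unsigned char raw[64];
};

/* Vulnerable policy: trust whatever maximum the firmware reports. */
unsigned int group_max_size_vulnerable(unsigned int fw_max)
{
    return fw_max;
}

/* Fixed policy (what the commit does): min(firmware max, register capacity). */
unsigned int group_max_size_fixed(unsigned int fw_max)
{
    return fw_max < PAGT_ACL_MAX ? fw_max : PAGT_ACL_MAX;
}

/* Pack `count` ACL ids by slot index, the way a register-packing helper
 * does, with no knowledge of how many slots exist. Entries past slot 15
 * land on the canary and beyond. */
static void pagt_pack(union pagt_stack *s, const uint16_t *acls, unsigned int count)
{
    unsigned int i;

    for (i = 0; i < count; i++) {
        size_t off = (size_t)i * sizeof(uint16_t);

        if (off + sizeof(uint16_t) > sizeof(s->raw))
            break; /* demo guard only; the real bug has no such stop */
        memcpy(&s->raw[off], &acls[i], sizeof(uint16_t));
    }
}

/*
 * Simulate a group update that must describe `wanted` ACLs while the
 * firmware reports `fw_max`. Returns:
 *   1  update done, canary intact
 *   0  update done, canary clobbered (the stack corruption)
 *  -1  refused because the group is full (the fixed driver's behaviour)
 *  -2  outside what this model covers
 */
int simulate_group_update(unsigned int fw_max, unsigned int wanted, int use_fix)
{
    unsigned int max = use_fix ? group_max_size_fixed(fw_max)
                               : group_max_size_vulnerable(fw_max);
    union pagt_stack s;
    uint16_t acls[32];
    unsigned int i;

    if (wanted > sizeof(acls) / sizeof(acls[0]))
        return -2;
    if (wanted > max)
        return -1;

    for (i = 0; i < wanted; i++)
        acls[i] = (uint16_t)(0x100 + i); /* constructed ACL ids */

    memset(&s, 0, sizeof(s));
    s.frame.canary = CANARY;
    pagt_pack(&s, acls, wanted);

    return s.frame.canary == CANARY ? 1 : 0;
}

int main(void)
{
    printf("vulnerable, 20 ACLs: %d\n", simulate_group_update(FW_REPORTED_MAX, 20, 0));
    printf("fixed,      20 ACLs: %d\n", simulate_group_update(FW_REPORTED_MAX, 20, 1));
    printf("fixed,      16 ACLs: %d\n", simulate_group_update(FW_REPORTED_MAX, 16, 1));
    return 0;
}
```

With 20 ACLs the vulnerable policy admits the group and the 17th and 18th slots overwrite the canary, which is the condition `__stack_chk_fail` reports in the trace above; the fixed policy refuses the 17th ACL at group-size check time, so the packing routine is never asked to write past the register. Note that the clamp still honours a firmware limit below 16, so the fix only ever tightens the bound.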
Impact
Base Score 3.x
6.70
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.19.0 (including) | 5.10.209 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11.0 (including) | 5.15.148 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16.0 (including) | 6.1.79 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2.0 (including) | 6.6.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7.0 (including) | 6.7.2 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/2f5e1565740490706332c06f36211d4ce0f88e62
- https://git.kernel.org/stable/c/348112522a35527c5bcba933b9fefb40a4f44f15
- https://git.kernel.org/stable/c/483ae90d8f976f8339cf81066312e1329f2d3706
- https://git.kernel.org/stable/c/56750ea5d15426b5f307554e7699e8b5f76c3182
- https://git.kernel.org/stable/c/6fd24675188d354b1cad47462969afa2ab09d819
- https://git.kernel.org/stable/c/a361c2c1da5dbb13ca67601cf961ab3ad68af383