CVE-2024-42073
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
29/07/2024
Last modified:
03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_buffers: Fix memory corruptions on Spectrum-4 systems

The following two shared buffer operations make use of the Shared Buffer
Status Register (SBSR):

# devlink sb occupancy snapshot pci/0000:01:00.0
# devlink sb occupancy clearmax pci/0000:01:00.0

The register has two masks of 256 bits to denote on which ingress /
egress ports the register should operate on. Spectrum-4 has more than
256 ports, so the register was extended by cited commit with a new
'port_page' field.

However, when filling the register's payload, the driver specifies the
ports as absolute numbers and not relative to the first port of the port
page, resulting in memory corruptions [1].

Fix by specifying the ports relative to the first port of the port page.

[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_sb_occ_snapshot+0xb6d/0xbc0
Read of size 1 at addr ffff8881068cb00f by task devlink/1566
[...]
Call Trace:

dump_stack_lvl+0xc6/0x120
print_report+0xce/0x670
kasan_report+0xd7/0x110
mlxsw_sp_sb_occ_snapshot+0xb6d/0xbc0
mlxsw_devlink_sb_occ_snapshot+0x75/0xb0
devlink_nl_sb_occ_snapshot_doit+0x1f9/0x2a0
genl_family_rcv_msg_doit+0x20c/0x300
genl_rcv_msg+0x567/0x800
netlink_rcv_skb+0x170/0x450
genl_rcv+0x2d/0x40
netlink_unicast+0x547/0x830
netlink_sendmsg+0x8d4/0xdb0
__sys_sendto+0x49b/0x510
__x64_sys_sendto+0xe5/0x1c0
do_syscall_64+0xc1/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
[...]
Allocated by task 1:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x8f/0xa0
copy_verifier_state+0xbc2/0xfb0
do_check_common+0x2c51/0xc7e0
bpf_check+0x5107/0x9960
bpf_prog_load+0xf0e/0x2690
__sys_bpf+0x1a61/0x49d0
__x64_sys_bpf+0x7d/0xc0
do_syscall_64+0xc1/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 1:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x60
poison_slab_object+0x109/0x170
__kasan_slab_free+0x14/0x30
kfree+0xca/0x2b0
free_verifier_state+0xce/0x270
do_check_common+0x4828/0xc7e0
bpf_check+0x5107/0x9960
bpf_prog_load+0xf0e/0x2690
__sys_bpf+0x1a61/0x49d0
__x64_sys_bpf+0x7d/0xc0
do_syscall_64+0xc1/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
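The indexing mistake behind this CVE is easy to see in a small model. The following is an added example, not code from the mlxsw driver or the kernel: it assumes a payload layout with a `port_page` byte and two 256-bit masks (struct and function names are hypothetical), computes the mask bit for a port both the pre-fix way (absolute port number) and the post-fix way (relative to the first port of the page), and keeps a bounds check in the mask setter so that an out-of-range index is rejected instead of written past the buffer. The port list is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the SBSR payload the advisory describes: two
 * 256-bit port masks and a port_page selector.  Layout and names are
 * assumptions for illustration, not the mlxsw driver's definitions. */
#define SBSR_PORTS_PER_PAGE 256u
#define SBSR_MASK_BYTES     (SBSR_PORTS_PER_PAGE / 8u)

struct sbsr_payload {
	uint8_t port_page;
	uint8_t ingress_mask[SBSR_MASK_BYTES];
	uint8_t egress_mask[SBSR_MASK_BYTES];
};

/* Pre-fix computation: the absolute port number is used as the bit index.
 * Any port >= 256 lies outside the 256-bit mask; the advisory's driver did
 * not check this and corrupted memory.  Returns the index, or -1 if out of
 * range. */
int sbsr_bit_absolute(unsigned int local_port)
{
	if (local_port >= SBSR_PORTS_PER_PAGE)
		return -1;
	return (int)local_port;
}

/* Post-fix computation: index relative to the first port of the page.
 * Returns -1 when the port does not belong to the selected page. */
int sbsr_bit_relative(unsigned int local_port, uint8_t port_page)
{
	unsigned int first = (unsigned int)port_page * SBSR_PORTS_PER_PAGE;

	if (local_port < first || local_port - first >= SBSR_PORTS_PER_PAGE)
		return -1;
	return (int)(local_port - first);
}

/* Set one port in the ingress or egress mask.  The check on 'bit' is what
 * stands between an indexing mistake and an out-of-bounds write. */
int sbsr_payload_set_port(struct sbsr_payload *p, unsigned int local_port,
			  bool ingress)
{
	int bit = sbsr_bit_relative(local_port, p->port_page);
	uint8_t *mask = ingress ? p->ingress_mask : p->egress_mask;

	if (bit < 0)
		return -1;
	mask[bit / 8] |= (uint8_t)(1u << (bit % 8));
	return 0;
}

/* Number of ports set in a 256-bit mask. */
unsigned int sbsr_mask_popcount(const uint8_t *mask)
{
	unsigned int n = 0;

	for (unsigned int i = 0; i < SBSR_PORTS_PER_PAGE; i++)
		n += (mask[i / 8] >> (i % 8)) & 1u;
	return n;
}

/* Constructed port list spanning two pages, as Spectrum-4 (> 256 ports)
 * would need. */
static const unsigned int demo_ports[] = { 1, 2, 255, 256, 300, 511 };
#define DEMO_NPORTS (sizeof(demo_ports) / sizeof(demo_ports[0]))

/* Fill one page's payload from demo_ports and return how many of the
 * ports landed in that page's ingress mask. */
unsigned int sbsr_fill_page(uint8_t port_page)
{
	struct sbsr_payload p;

	memset(&p, 0, sizeof(p));
	p.port_page = port_page;
	for (size_t i = 0; i < DEMO_NPORTS; i++)
		sbsr_payload_set_port(&p, demo_ports[i], true);
	return sbsr_mask_popcount(p.ingress_mask);
}

int main(void)
{
	for (size_t i = 0; i < DEMO_NPORTS; i++)
		printf("port %3u: absolute bit %4d, page-1 relative bit %4d\n",
		       demo_ports[i], sbsr_bit_absolute(demo_ports[i]),
		       sbsr_bit_relative(demo_ports[i], 1));
	printf("page 0 ports set: %u, page 1 ports set: %u\n",
	       sbsr_fill_page(0), sbsr_fill_page(1));
	return 0;
}
```

Running the model shows that ports 256, 300 and 511 have no valid absolute index in a 256-bit mask, while relative to page 1 they map to bits 0, 44 and 255. The defensive point is the range check in the setter: a register payload filled from port numbers should never index a fixed-size mask without verifying the index fits, since the KASAN report above is exactly what happens when it does not.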
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.17 (excluding) | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1 (including) | 6.1.97 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.37 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.9.8 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/942901e0fc74ad4b7992ef7ca9336e68d5fd6d36
- https://git.kernel.org/stable/c/bf8781ede7bd9a37c0fcabca78976e61300b5a1a
- https://git.kernel.org/stable/c/bfa86a96912faa0b6142a918db88cc0c738a769e
- https://git.kernel.org/stable/c/c28947de2bed40217cf256c5d0d16880054fcf13
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html