CVE-2024-43880
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
21/08/2024
Last modified:
03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_acl_erp: Fix object nesting warning

ACLs in Spectrum-2 and newer ASICs can reside in the algorithmic TCAM
(A-TCAM) or in the ordinary circuit TCAM (C-TCAM). The former can
contain more ACLs (i.e., tc filters), but the number of masks in each
region (i.e., tc chain) is limited.

In order to mitigate the effects of the above limitation, the device
allows filters to share a single mask if their masks only differ in up
to 8 consecutive bits. For example, dst_ip/25 can be represented using
dst_ip/24 with a delta of 1 bit. The C-TCAM does not have a limit on the
number of masks being used (and therefore does not support mask
aggregation), but can contain a limited number of filters.

The driver uses the "objagg" library to perform the mask aggregation by
passing it objects that consist of the filter's mask and whether the
filter is to be inserted into the A-TCAM or the C-TCAM since filters in
different TCAMs cannot share a mask.

The set of created objects is dependent on the insertion order of the
filters and is not necessarily optimal. Therefore, the driver will
periodically ask the library to compute a more optimal set ("hints") by
looking at all the existing objects.

When the library asks the driver whether two objects can be aggregated
the driver only compares the provided masks and ignores the A-TCAM /
C-TCAM indication. This is the right thing to do since the goal is to
move as many filters as possible to the A-TCAM. The driver also forbids
two identical masks from being aggregated since this can only happen if
one was intentionally put in the C-TCAM to avoid a conflict in the
A-TCAM.

The above can result in the following set of hints:

H1: {mask X, A-TCAM} -> H2: {mask Y, A-TCAM} // X is Y + delta
H3: {mask Y, C-TCAM} -> H4: {mask Z, A-TCAM} // Y is Z + delta

After getting the hints from the library the driver will start migrating
filters from one region to another while consulting the computed hints
and instructing the device to perform a lookup in both regions during
the transition.

Assuming a filter with mask X is being migrated into the A-TCAM in the
new region, the hints lookup will return H1. Since H2 is the parent of
H1, the library will try to find the object associated with it and
create it if necessary in which case another hints lookup (recursive)
will be performed. This hints lookup for {mask Y, A-TCAM} will either
return H2 or H3 since the driver passes the library an object comparison
function that ignores the A-TCAM / C-TCAM indication.

This can eventually lead to nested objects which are not supported by
the library [1].

Fix by removing the object comparison function from both the driver and
the library as the driver was the only user. That way the lookup will
only return exact matches.

I do not have a reliable reproducer that can reproduce the issue in a
timely manner, but before the fix the issue would reproduce in several
minutes and with the fix it does not reproduce in over an hour.

Note that the current usefulness of the hints is limited because they
include the C-TCAM indication and represent aggregation that cannot
actually happen. This will be addressed in net-next.

[1]
WARNING: CPU: 0 PID: 153 at lib/objagg.c:170 objagg_obj_parent_assign+0xb5/0xd0
Modules linked in:
CPU: 0 PID: 153 Comm: kworker/0:18 Not tainted 6.9.0-rc6-custom-g70fbc2c1c38b #42
Hardware name: Mellanox Technologies Ltd. MSN3700C/VMOD0008, BIOS 5.11 10/10/2018
Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work
RIP: 0010:objagg_obj_parent_assign+0xb5/0xd0
[...]
Call Trace:
__objagg_obj_get+0x2bb/0x580
objagg_obj_get+0xe/0x80
mlxsw_sp_acl_erp_mask_get+0xb5/0xf0
mlxsw_sp_acl_atcam_entry_add+0xe8/0x3c0
mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0
mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270
mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510
process_one_work+0x151/0x370
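
The lookup ambiguity described above, as an added example that is not part of the advisory, the commit, or the kernel's objagg code. It is a simplified user-space model: the struct layout, the function names and the table order (H3 placed before H2) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model with hypothetical names; not the kernel's objagg code. */
struct key  { char mask; bool ctcam; };       /* mask label + TCAM indication */
struct hint { struct key key; int parent; };  /* parent: table index, -1 = root */

typedef bool (*key_cmp)(const struct key *, const struct key *);

/* Pre-fix behaviour: the comparison ignores the A-TCAM / C-TCAM indication. */
static bool cmp_mask_only(const struct key *a, const struct key *b)
{ return a->mask == b->mask; }

/* Post-fix behaviour: only exact matches are returned. */
static bool cmp_exact(const struct key *a, const struct key *b)
{ return a->mask == b->mask && a->ctcam == b->ctcam; }

/* Constructed table holding H1..H4 from the description; H3 is stored
 * before H2 to model an arbitrary lookup order (an assumption). */
static const struct hint hints[] = {
    { { 'X', false },  2 },  /* H1 {X, A-TCAM} -> H2 */
    { { 'Y', true  },  3 },  /* H3 {Y, C-TCAM} -> H4 */
    { { 'Y', false }, -1 },  /* H2 {Y, A-TCAM}, root */
    { { 'Z', false }, -1 },  /* H4 {Z, A-TCAM}, root */
};

static int hint_lookup(const struct key *k, key_cmp cmp)
{
    for (int i = 0; i < (int)(sizeof(hints) / sizeof(hints[0])); i++)
        if (cmp(&hints[i].key, k))
            return i;
    return -1;
}

/* Count parent levels created when an object for key k is resolved.
 * Each parent is fetched by key, which triggers another hint lookup. */
static int parent_levels(struct key k, key_cmp cmp)
{
    int levels = 0;
    int i = hint_lookup(&k, cmp);

    while (i >= 0 && hints[i].parent >= 0) {
        k = hints[hints[i].parent].key;  /* key of the intended parent */
        i = hint_lookup(&k, cmp);        /* may land on a different hint */
        levels++;
    }
    return levels;
}

int main(void)
{
    struct key x = { 'X', false };
    printf("mask-only compare: %d parent levels\n", parent_levels(x, cmp_mask_only));
    printf("exact compare:     %d parent levels\n", parent_levels(x, cmp_exact));
    return 0;
}
```

A result of 2 means the parent of mask X itself received a parent, which is the nesting the library does not support; with exact matching the chain stops at H2.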
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.1 (including) | 5.4.282 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.224 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.165 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.103 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.44 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.10.3 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0e59c2d22853266704e127915653598f7f104037
- https://git.kernel.org/stable/c/25c6fd9648ad05da493a5d30881896a78a08b624
- https://git.kernel.org/stable/c/36a9996e020dd5aa325e0ecc55eb2328288ea6bb
- https://git.kernel.org/stable/c/4dc09f6f260db3c4565a4ec52ba369393598f2fb
- https://git.kernel.org/stable/c/97d833ceb27dc19f8777d63f90be4a27b5daeedf
- https://git.kernel.org/stable/c/9a5261a984bba4f583d966c550fa72c33ff3714e
- https://git.kernel.org/stable/c/fb5d4fc578e655d113f09565f6f047e15f7ab578
- https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html



