CVE-2024-50252

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 09/11/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address

The device stores IPv6 addresses that are used for encapsulation in
linear memory that is managed by the driver.

Changing the remote address of an ip6gre net device never worked
properly, but since cited commit the following reproducer [1] would
result in a warning [2] and a memory leak [3]. The problem is that the
new remote address is never added by the driver to its hash table (and
therefore the device) and the old address is never removed from it.

Fix by programming the new address when the configuration of the ip6gre
net device changes and removing the old one. If the address did not
change, then the above would result in increasing the reference count of
the address and then decreasing it.

[1]
    # ip link add name bla up type ip6gre local 2001:db8:1::1 remote 2001:db8:2::1 tos inherit ttl inherit
    # ip link set dev bla type ip6gre remote 2001:db8:3::1
    # ip link del dev bla
    # devlink dev reload pci/0000:01:00.0

[2]
    WARNING: CPU: 0 PID: 1682 at drivers/net/ethernet/mellanox/mlxsw/spectrum.c:3002 mlxsw_sp_ipv6_addr_put+0x140/0x1d0
    Modules linked in:
    CPU: 0 UID: 0 PID: 1682 Comm: ip Not tainted 6.12.0-rc3-custom-g86b5b55bc835 #151
    Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023
    RIP: 0010:mlxsw_sp_ipv6_addr_put+0x140/0x1d0
    [...]
    Call Trace:

    mlxsw_sp_router_netdevice_event+0x55f/0x1240
    notifier_call_chain+0x5a/0xd0
    call_netdevice_notifiers_info+0x39/0x90
    unregister_netdevice_many_notify+0x63e/0x9d0
    rtnl_dellink+0x16b/0x3a0
    rtnetlink_rcv_msg+0x142/0x3f0
    netlink_rcv_skb+0x50/0x100
    netlink_unicast+0x242/0x390
    netlink_sendmsg+0x1de/0x420
    ____sys_sendmsg+0x2bd/0x320
    ___sys_sendmsg+0x9a/0xe0
    __sys_sendmsg+0x7a/0xd0
    do_syscall_64+0x9e/0x1a0
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

[3]
    unreferenced object 0xffff898081f597a0 (size 32):
    comm "ip", pid 1626, jiffies 4294719324
    hex dump (first 32 bytes):
    20 01 0d b8 00 02 00 00 00 00 00 00 00 00 00 01 ...............
    21 49 61 83 80 89 ff ff 00 00 00 00 01 00 00 00 !Ia.............
    backtrace (crc fd9be911):
    [] __kmalloc_cache_noprof+0x1da/0x260
    [] mlxsw_sp_ipv6_addr_kvdl_index_get+0x281/0x340
    [] mlxsw_sp_router_netdevice_event+0x47b/0x1240
    [] notifier_call_chain+0x5a/0xd0
    [] call_netdevice_notifiers_info+0x39/0x90
    [] register_netdevice+0x5f7/0x7a0
    [] ip6gre_newlink_common.isra.0+0x65/0x130
    [] ip6gre_newlink+0x72/0x120
    [] rtnl_newlink+0x471/0xa20
    [] rtnetlink_rcv_msg+0x142/0x3f0
    [] netlink_rcv_skb+0x50/0x100
    [] netlink_unicast+0x242/0x390
    [] netlink_sendmsg+0x1de/0x420
    [] ____sys_sendmsg+0x2bd/0x320
    [] ___sys_sendmsg+0x9a/0xe0
    [] __sys_sendmsg+0x7a/0xd0
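
The reference-counting failure described above, as a simplified user-space model added to this record (not the mlxsw driver's code; the table, the function names and the -1 return standing in for the kernel WARNING are assumptions). It replays the reproducer's create, change-remote and delete steps with and without the fix's "program the new address, then remove the old one" ordering.

```c
#include <stdio.h>
#include <string.h>

/* Simplified user-space model with hypothetical names; not mlxsw code. */
struct entry { char addr[40]; int refs; };
static struct entry table[8];   /* stands in for the driver's address hash table */
static struct entry *find(const char *a) {
    for (int i = 0; i < 8; i++)
        if (table[i].refs > 0 && strcmp(table[i].addr, a) == 0)
            return &table[i];
    return NULL;
}
/* Take a reference; the address is stored ("programmed") on first use. */
static int addr_get(const char *a) {
    struct entry *e = find(a);
    for (int i = 0; !e && i < 8; i++)
        if (table[i].refs == 0)
            e = &table[i];
    if (!e) return -1;
    if (e->refs++ == 0) snprintf(e->addr, sizeof(e->addr), "%s", a);
    return 0;
}
/* Drop a reference; -1 models the WARNING for an address never programmed. */
static int addr_put(const char *a) {
    struct entry *e = find(a);
    if (!e) return -1;
    e->refs--;
    return 0;
}
/* create -> change remote -> delete; returns entries still held afterwards. */
static int scenario(int fixed, const char *new_remote, int *warned) {
    const char *remote = "2001:db8:2::1";
    int live = 0;
    memset(table, 0, sizeof(table));
    addr_get(remote);                 /* ip link add ... remote 2001:db8:2::1 */
    if (fixed) {                      /* ip link set ... remote <new_remote> */
        addr_get(new_remote);         /* program the new address first */
        addr_put(remote);             /* then release the old one */
    }
    remote = new_remote;              /* the net device now carries the new remote */
    *warned = addr_put(remote) != 0;  /* ip link del */
    for (int i = 0; i < 8; i++) live += table[i].refs > 0;
    return live;
}
int main(void) {
    int w1, w2, a = scenario(0, "2001:db8:3::1", &w1), b = scenario(1, "2001:db8:3::1", &w2);
    printf("before fix: warned=%d leaked=%d\nafter fix:  warned=%d leaked=%d\n", w1, a, w2, b);
    return 0;
}
```

In the unfixed path the entry left behind is the old remote 2001:db8:2::1, which is the address visible in the first 16 bytes of the hex dump in [3].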

Vulnerable products and versions

CPE                                                 From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.17 (including)   6.1.116 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.2 (including)    6.6.60 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.7 (including)    6.11.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*