CVE-2024-35855: mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrumacltcam: Fix possible use-after-free during activity update
The Linux kernel CVE team has assigned CVE-2024-35855 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024051741-CVE-2024-35855-c1fb@gregkh/T
Other sources
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrumacltcam: Fix possible use-after-free during activity update
The rule activity update delayed work periodically traverses the list of configured rules and queries their activity from the device.
As part of this task it accesses the entry pointed by 'ventry->entry', but this entry can be changed concurrently by the rehash delayed work, leading to a use-after-free [1].
Fix by closing the race and perform the activity query under the 'vregion->lock' mutex.
[1] BUG: KASAN: slab-use-after-free in mlxswspacltcamflowerruleactivityget+0x121/0x140 Read of size 8 at addr ffff8881054ed808 by task kworker/0:18/181
CPU: 0 PID: 181 Comm: kworker/0:18 Not tainted 6.9.0-rc2-custom-00781-gd5ab772d32f7 #2 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxswcore mlxswspaclruleactivityupdatework Call Trace: dumpstacklvl+0xc6/0x120 printreport+0xce/0x670 kasanreport+0xd7/0x110 mlxswspacltcamflowerruleactivityget+0x121/0x140 mlxswspaclruleactivityupdatework+0x219/0x400 processonework+0x8eb/0x19b0 workerthread+0x6c9/0xf70 kthread+0x2c9/0x3b0 retfromfork+0x4d/0x80 retfromforkasm+0x1a/0x30
Allocated by task 1039: kasansavestack+0x33/0x60 kasansavetrack+0x14/0x30 kasankmalloc+0x8f/0xa0 kmalloc+0x19c/0x360 mlxswspacltcamentrycreate+0x7b/0x1f0 mlxswspacltcamvchunkmigrateall+0x30d/0xb50 mlxswspacltcamvregionrehashwork+0x157/0x1300 processonework+0x8eb/0x19b0 workerthread+0x6c9/0xf70 kthread+0x2c9/0x3b0 retfromfork+0x4d/0x80 retfromforkasm+0x1a/0x30
Freed by task 1039: kasansavestack+0x33/0x60 kasansavetrack+0x14/0x30 kasansavefreeinfo+0x3b/0x60 poisonslabobject+0x102/0x170 kasanslabfree+0x14/0x30 kfree+0xc1/0x290 mlxswspacltcamvchunkmigrateall+0x3d7/0xb50 mlxswspacltcamvregionrehashwork+0x157/0x1300 processonework+0x8eb/0x19b0 workerthread+0x6c9/0xf70 kthread+0x2c9/0x3b0 retfromfork+0x4d/0x80 retfromforkasm+0x1a/0x30
— IBM
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrumacltcam: Fix possible use-after-free during activity update
The rule activity update delayed work periodically traverses the list of configured rules and queries their activity from the device.
As part of this task it accesses the entry pointed by 'ventry->entry', but this entry can be changed concurrently by the rehash delayed work, leading to a use-after-free [1].
Fix by closing the race and perform the activity query under the 'vregion->lock' mutex.
[1] BUG: KASAN: slab-use-after-free in mlxswspacltcamflowerruleactivityget+0x121/0x140 Read of size 8 at addr ffff8881054ed808 by task kworker/0:18/181
CPU: 0 PID: 181 Comm: kworker/0:18 Not tainted 6.9.0-rc2-custom-00781-gd5ab772d32f7 #2 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxswcore mlxswspaclruleactivityupdatework Call Trace: <TASK> dumpstacklvl+0xc6/0x120 printreport+0xce/0x670 kasanreport+0xd7/0x110 mlxswspacltcamflowerruleactivityget+0x121/0x140 mlxswspaclruleactivityupdatework+0x219/0x400 processonework+0x8eb/0x19b0 workerthread+0x6c9/0xf70 kthread+0x2c9/0x3b0 retfromfork+0x4d/0x80 retfromforkasm+0x1a/0x30 </TASK>
Allocated by task 1039: kasansavestack+0x33/0x60 kasansavetrack+0x14/0x30 kasankmalloc+0x8f/0xa0 kmalloc+0x19c/0x360 mlxswspacltcamentrycreate+0x7b/0x1f0 mlxswspacltcamvchunkmigrateall+0x30d/0xb50 mlxswspacltcamvregionrehashwork+0x157/0x1300 processonework+0x8eb/0x19b0 workerthread+0x6c9/0xf70 kthread+0x2c9/0x3b0 retfromfork+0x4d/0x80 retfromforkasm+0x1a/0x30
Freed by task 1039: kasansavestack+0x33/0x60 kasansavetrack+0x14/0x30 kasansavefreeinfo+0x3b/0x60 poisonslabobject+0x102/0x170 kasanslabfree+0x14/0x30 kfree+0xc1/0x290 mlxswspacltcamvchunkmigrateall+0x3d7/0xb50 mlxswspacltcamvregionrehashwork+0x157/0x1300 processonework+0x8eb/0x19b0 workerthread+0x6c9/0xf70 kthread+0x2c9/0x3b0 retfromfork+0x4d/0x80 retfromforkasm+0x1a/0x30
— NVD
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2024-35855?
CVE-2024-35855 is classified as a high severity vulnerability due to the potential use-after-free condition that can lead to arbitrary code execution or system crashes.
How do I fix CVE-2024-35855?
To fix CVE-2024-35855, update the Linux kernel to the latest versions listed in the vulnerability advisory, specifically to versions greater than 5.4.275, 5.10.216, 5.15.158, 6.1.90, 6.6.30, 6.8.9, or 6.9.
What systems are affected by CVE-2024-35855?
CVE-2024-35855 impacts various versions of the Linux kernel, specifically those prior to 5.4.275, 5.10.216, 5.15.158, 6.1.90, 6.6.30, 6.8.9, and 6.9.
Is CVE-2024-35855 a remote or local vulnerability?
CVE-2024-35855 is primarily considered a local vulnerability since it requires authenticated access to exploit the use-after-free condition.
What mitigation strategies are recommended for CVE-2024-35855?
In addition to updating the kernel, users should restrict access to sensitive systems and monitor logs for any unusual activity that may indicate exploitation attempts related to CVE-2024-35855.