cve/published/2024/CVE-2024-35852.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35852: mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work

 The rehash delayed work is rescheduled with a delay if the number of
 credits at end of the work is not negative as supposedly it means that
 the migration ended. Otherwise, it is rescheduled immediately.

 After "mlxsw: spectrum_acl_tcam: Fix possible use-after-free during
 rehash" the above is no longer accurate as a non-negative number of
 credits is no longer indicative of the migration being done. It can also
 happen if the work encountered an error in which case the migration will
 resume the next time the work is scheduled.

 The significance of the above is that it is possible for the work to be
 pending and associated with hints that were allocated when the migration
 started. This leads to the hints being leaked [1] when the work is
 canceled while pending as part of ACL region dismantle.

 Fix by freeing the hints if hints are associated with a work that was
 canceled while pending.

 Blame the original commit since the reliance on not having a pending
 work associated with hints is fragile.

 [1]
 unreferenced object 0xffff88810e7c3000 (size 256):
   comm "kworker/0:16", pid 176, jiffies 4295460353
   hex dump (first 32 bytes):
     00 30 95 11 81 88 ff ff 61 00 00 00 00 00 00 80  .0......a.......
     00 00 61 00 40 00 00 00 00 00 00 00 04 00 00 00  ..a.@...........
   backtrace (crc 2544ddb9):
     [<00000000cf8cfab3>] kmalloc_trace+0x23f/0x2a0
     [<000000004d9a1ad9>] objagg_hints_get+0x42/0x390
     [<000000000b143cf3>] mlxsw_sp_acl_erp_rehash_hints_get+0xca/0x400
     [<0000000059bdb60a>] mlxsw_sp_acl_tcam_vregion_rehash_work+0x868/0x1160
     [<00000000e81fd734>] process_one_work+0x59c/0xf20
     [<00000000ceee9e81>] worker_thread+0x799/0x12c0
     [<00000000bda6fe39>] kthread+0x246/0x300
     [<0000000070056d23>] ret_from_fork+0x34/0x70
     [<00000000dea2b93e>] ret_from_fork_asm+0x1a/0x30

 The Linux kernel CVE team has assigned CVE-2024-35852 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.1 with commit c9c9af91f1d9a636aecc55302c792538e549a430 and fixed in 5.4.275 with commit 51cefc9da400b953fee749c9e5d26cd4a2b5d758
 	Issue introduced in 5.1 with commit c9c9af91f1d9a636aecc55302c792538e549a430 and fixed in 5.10.216 with commit 857ed800133ffcfcee28582090b63b0cbb8ba59d
 	Issue introduced in 5.1 with commit c9c9af91f1d9a636aecc55302c792538e549a430 and fixed in 5.15.158 with commit 63d814d93c5cce4c18284adc810028f28dca493f
 	Issue introduced in 5.1 with commit c9c9af91f1d9a636aecc55302c792538e549a430 and fixed in 6.1.90 with commit 5bfe7bf9656ed2633718388f12b7c38b86414a04
 	Issue introduced in 5.1 with commit c9c9af91f1d9a636aecc55302c792538e549a430 and fixed in 6.6.30 with commit de1aaefa75be9d0ec19c9a3e0e2f9696de20c6ab
 	Issue introduced in 5.1 with commit c9c9af91f1d9a636aecc55302c792538e549a430 and fixed in 6.8.9 with commit d72dd6fcd7886d0523afbab8b4a4b22d17addd7d
 	Issue introduced in 5.1 with commit c9c9af91f1d9a636aecc55302c792538e549a430 and fixed in 6.9 with commit fb4e2b70a7194b209fc7320bbf33b375f7114bd5

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35852
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/51cefc9da400b953fee749c9e5d26cd4a2b5d758
 	https://git.kernel.org/stable/c/857ed800133ffcfcee28582090b63b0cbb8ba59d
 	https://git.kernel.org/stable/c/63d814d93c5cce4c18284adc810028f28dca493f
 	https://git.kernel.org/stable/c/5bfe7bf9656ed2633718388f12b7c38b86414a04
 	https://git.kernel.org/stable/c/de1aaefa75be9d0ec19c9a3e0e2f9696de20c6ab
 	https://git.kernel.org/stable/c/d72dd6fcd7886d0523afbab8b4a4b22d17addd7d
 	https://git.kernel.org/stable/c/fb4e2b70a7194b209fc7320bbf33b375f7114bd5
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35852: mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work

	The rehash delayed work is rescheduled with a delay if the number of
	credits at end of the work is not negative as supposedly it means that
	the migration ended. Otherwise, it is rescheduled immediately.

	After "mlxsw: spectrum_acl_tcam: Fix possible use-after-free during
	rehash" the above is no longer accurate as a non-negative number of
	credits is no longer indicative of the migration being done. It can also
	happen if the work encountered an error in which case the migration will
	resume the next time the work is scheduled.

	The significance of the above is that it is possible for the work to be
	pending and associated with hints that were allocated when the migration
	started. This leads to the hints being leaked [1] when the work is
	canceled while pending as part of ACL region dismantle.

	Fix by freeing the hints if hints are associated with a work that was
	canceled while pending.

	Blame the original commit since the reliance on not having a pending
	work associated with hints is fragile.

	[1]
	unreferenced object 0xffff88810e7c3000 (size 256):
	comm "kworker/0:16", pid 176, jiffies 4295460353
	hex dump (first 32 bytes):
	00 30 95 11 81 88 ff ff 61 00 00 00 00 00 00 80 .0......a.......
	00 00 61 00 40 00 00 00 00 00 00 00 04 00 00 00 ..a.@...........
	backtrace (crc 2544ddb9):
	[<00000000cf8cfab3>] kmalloc_trace+0x23f/0x2a0
	[<000000004d9a1ad9>] objagg_hints_get+0x42/0x390
	[<000000000b143cf3>] mlxsw_sp_acl_erp_rehash_hints_get+0xca/0x400
	[<0000000059bdb60a>] mlxsw_sp_acl_tcam_vregion_rehash_work+0x868/0x1160
	[<00000000e81fd734>] process_one_work+0x59c/0xf20
	[<00000000ceee9e81>] worker_thread+0x799/0x12c0
	[<00000000bda6fe39>] kthread+0x246/0x300
	[<0000000070056d23>] ret_from_fork+0x34/0x70
	[<00000000dea2b93e>] ret_from_fork_asm+0x1a/0x30

	The Linux kernel CVE team has assigned CVE-2024-35852 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.1 with commit c9c9af91f1d9a636aecc55302c792538e549a430 and fixed in 5.4.275 with commit 51cefc9da400b953fee749c9e5d26cd4a2b5d758
	Issue introduced in 5.1 with commit c9c9af91f1d9a636aecc55302c792538e549a430 and fixed in 5.10.216 with commit 857ed800133ffcfcee28582090b63b0cbb8ba59d
	Issue introduced in 5.1 with commit c9c9af91f1d9a636aecc55302c792538e549a430 and fixed in 5.15.158 with commit 63d814d93c5cce4c18284adc810028f28dca493f
	Issue introduced in 5.1 with commit c9c9af91f1d9a636aecc55302c792538e549a430 and fixed in 6.1.90 with commit 5bfe7bf9656ed2633718388f12b7c38b86414a04
	Issue introduced in 5.1 with commit c9c9af91f1d9a636aecc55302c792538e549a430 and fixed in 6.6.30 with commit de1aaefa75be9d0ec19c9a3e0e2f9696de20c6ab
	Issue introduced in 5.1 with commit c9c9af91f1d9a636aecc55302c792538e549a430 and fixed in 6.8.9 with commit d72dd6fcd7886d0523afbab8b4a4b22d17addd7d
	Issue introduced in 5.1 with commit c9c9af91f1d9a636aecc55302c792538e549a430 and fixed in 6.9 with commit fb4e2b70a7194b209fc7320bbf33b375f7114bd5

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35852
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/51cefc9da400b953fee749c9e5d26cd4a2b5d758
	https://git.kernel.org/stable/c/857ed800133ffcfcee28582090b63b0cbb8ba59d
	https://git.kernel.org/stable/c/63d814d93c5cce4c18284adc810028f28dca493f
	https://git.kernel.org/stable/c/5bfe7bf9656ed2633718388f12b7c38b86414a04
	https://git.kernel.org/stable/c/de1aaefa75be9d0ec19c9a3e0e2f9696de20c6ab
	https://git.kernel.org/stable/c/d72dd6fcd7886d0523afbab8b4a4b22d17addd7d
	https://git.kernel.org/stable/c/fb4e2b70a7194b209fc7320bbf33b375f7114bd5