cve/published/2024/CVE-2024-35853.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35853: mlxsw: spectrum_acl_tcam: Fix memory leak during rehash

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mlxsw: spectrum_acl_tcam: Fix memory leak during rehash

 The rehash delayed work migrates filters from one region to another.
 This is done by iterating over all chunks (all the filters with the same
 priority) in the region and in each chunk iterating over all the
 filters.

 If the migration fails, the code tries to migrate the filters back to
 the old region. However, the rollback itself can also fail in which case
 another migration will be erroneously performed. Besides the fact that
 this ping pong is not a very good idea, it also creates a problem.

 Each virtual chunk references two chunks: The currently used one
 ('vchunk->chunk') and a backup ('vchunk->chunk2'). During migration the
 first holds the chunk we want to migrate filters to and the second holds
 the chunk we are migrating filters from.

 The code currently assumes - but does not verify - that the backup chunk
 does not exist (NULL) if the currently used chunk does not reference the
 target region. This assumption breaks when we are trying to rollback a
 rollback, resulting in the backup chunk being overwritten and leaked
 [1].

 Fix by not rolling back a failed rollback and add a warning to avoid
 future cases.

 [1]
 WARNING: CPU: 5 PID: 1063 at lib/parman.c:291 parman_destroy+0x17/0x20
 Modules linked in:
 CPU: 5 PID: 1063 Comm: kworker/5:11 Tainted: G        W          6.9.0-rc2-custom-00784-gc6a05c468a0b #14
 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019
 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work
 RIP: 0010:parman_destroy+0x17/0x20
 [...]
 Call Trace:
  <TASK>
  mlxsw_sp_acl_atcam_region_fini+0x19/0x60
  mlxsw_sp_acl_tcam_region_destroy+0x49/0xf0
  mlxsw_sp_acl_tcam_vregion_rehash_work+0x1f1/0x470
  process_one_work+0x151/0x370
  worker_thread+0x2cb/0x3e0
  kthread+0xd0/0x100
  ret_from_fork+0x34/0x50
  ret_from_fork_asm+0x1a/0x30
  </TASK>

 The Linux kernel CVE team has assigned CVE-2024-35853 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.1 with commit 843500518509128a935edab96bd8efef7c54669e and fixed in 5.4.275 with commit c6f3fa7f5a748bf6e5c4eb742686d6952f854e76
 	Issue introduced in 5.1 with commit 843500518509128a935edab96bd8efef7c54669e and fixed in 5.10.216 with commit 617e98ba4c50f4547c9eb0946b1cfc26937d70d1
 	Issue introduced in 5.1 with commit 843500518509128a935edab96bd8efef7c54669e and fixed in 5.15.158 with commit 413a01886c3958d4b8aac23a3bff3d430b92093e
 	Issue introduced in 5.1 with commit 843500518509128a935edab96bd8efef7c54669e and fixed in 6.1.90 with commit b822644fd90992ee362c5e0c8d2556efc8856c76
 	Issue introduced in 5.1 with commit 843500518509128a935edab96bd8efef7c54669e and fixed in 6.6.30 with commit 0ae8ff7b6d42e33943af462910bdcfa2ec0cb8cf
 	Issue introduced in 5.1 with commit 843500518509128a935edab96bd8efef7c54669e and fixed in 6.8.9 with commit b3fd51f684a0711504f82de510da109ae639722d
 	Issue introduced in 5.1 with commit 843500518509128a935edab96bd8efef7c54669e and fixed in 6.9 with commit 8ca3f7a7b61393804c46f170743c3b839df13977

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35853
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/c6f3fa7f5a748bf6e5c4eb742686d6952f854e76
 	https://git.kernel.org/stable/c/617e98ba4c50f4547c9eb0946b1cfc26937d70d1
 	https://git.kernel.org/stable/c/413a01886c3958d4b8aac23a3bff3d430b92093e
 	https://git.kernel.org/stable/c/b822644fd90992ee362c5e0c8d2556efc8856c76
 	https://git.kernel.org/stable/c/0ae8ff7b6d42e33943af462910bdcfa2ec0cb8cf
 	https://git.kernel.org/stable/c/b3fd51f684a0711504f82de510da109ae639722d
 	https://git.kernel.org/stable/c/8ca3f7a7b61393804c46f170743c3b839df13977
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35853: mlxsw: spectrum_acl_tcam: Fix memory leak during rehash

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mlxsw: spectrum_acl_tcam: Fix memory leak during rehash

	The rehash delayed work migrates filters from one region to another.
	This is done by iterating over all chunks (all the filters with the same
	priority) in the region and in each chunk iterating over all the
	filters.

	If the migration fails, the code tries to migrate the filters back to
	the old region. However, the rollback itself can also fail in which case
	another migration will be erroneously performed. Besides the fact that
	this ping pong is not a very good idea, it also creates a problem.

	Each virtual chunk references two chunks: The currently used one
	('vchunk->chunk') and a backup ('vchunk->chunk2'). During migration the
	first holds the chunk we want to migrate filters to and the second holds
	the chunk we are migrating filters from.

	The code currently assumes - but does not verify - that the backup chunk
	does not exist (NULL) if the currently used chunk does not reference the
	target region. This assumption breaks when we are trying to rollback a
	rollback, resulting in the backup chunk being overwritten and leaked
	[1].

	Fix by not rolling back a failed rollback and add a warning to avoid
	future cases.

	[1]
	WARNING: CPU: 5 PID: 1063 at lib/parman.c:291 parman_destroy+0x17/0x20
	Modules linked in:
	CPU: 5 PID: 1063 Comm: kworker/5:11 Tainted: G W 6.9.0-rc2-custom-00784-gc6a05c468a0b #14
	Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019
	Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work
	RIP: 0010:parman_destroy+0x17/0x20
	[...]
	Call Trace:
	<TASK>
	mlxsw_sp_acl_atcam_region_fini+0x19/0x60
	mlxsw_sp_acl_tcam_region_destroy+0x49/0xf0
	mlxsw_sp_acl_tcam_vregion_rehash_work+0x1f1/0x470
	process_one_work+0x151/0x370
	worker_thread+0x2cb/0x3e0
	kthread+0xd0/0x100
	ret_from_fork+0x34/0x50
	ret_from_fork_asm+0x1a/0x30
	</TASK>

	The Linux kernel CVE team has assigned CVE-2024-35853 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.1 with commit 843500518509128a935edab96bd8efef7c54669e and fixed in 5.4.275 with commit c6f3fa7f5a748bf6e5c4eb742686d6952f854e76
	Issue introduced in 5.1 with commit 843500518509128a935edab96bd8efef7c54669e and fixed in 5.10.216 with commit 617e98ba4c50f4547c9eb0946b1cfc26937d70d1
	Issue introduced in 5.1 with commit 843500518509128a935edab96bd8efef7c54669e and fixed in 5.15.158 with commit 413a01886c3958d4b8aac23a3bff3d430b92093e
	Issue introduced in 5.1 with commit 843500518509128a935edab96bd8efef7c54669e and fixed in 6.1.90 with commit b822644fd90992ee362c5e0c8d2556efc8856c76
	Issue introduced in 5.1 with commit 843500518509128a935edab96bd8efef7c54669e and fixed in 6.6.30 with commit 0ae8ff7b6d42e33943af462910bdcfa2ec0cb8cf
	Issue introduced in 5.1 with commit 843500518509128a935edab96bd8efef7c54669e and fixed in 6.8.9 with commit b3fd51f684a0711504f82de510da109ae639722d
	Issue introduced in 5.1 with commit 843500518509128a935edab96bd8efef7c54669e and fixed in 6.9 with commit 8ca3f7a7b61393804c46f170743c3b839df13977

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35853
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/c6f3fa7f5a748bf6e5c4eb742686d6952f854e76
	https://git.kernel.org/stable/c/617e98ba4c50f4547c9eb0946b1cfc26937d70d1
	https://git.kernel.org/stable/c/413a01886c3958d4b8aac23a3bff3d430b92093e
	https://git.kernel.org/stable/c/b822644fd90992ee362c5e0c8d2556efc8856c76
	https://git.kernel.org/stable/c/0ae8ff7b6d42e33943af462910bdcfa2ec0cb8cf
	https://git.kernel.org/stable/c/b3fd51f684a0711504f82de510da109ae639722d
	https://git.kernel.org/stable/c/8ca3f7a7b61393804c46f170743c3b839df13977