| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-42142: net/mlx5: E-switch, Create ingress ACL when needed |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| net/mlx5: E-switch, Create ingress ACL when needed |
| |
| Currently, ingress acl is used for three features. It is created only |
| when vport metadata match and prio tag are enabled. But active-backup |
| lag mode also uses it. It is independent of vport metadata match and |
| prio tag. And vport metadata match can be disabled using the |
| following devlink command: |
| |
| # devlink dev param set pci/0000:08:00.0 name esw_port_metadata \ |
| value false cmode runtime |
| |
| If ingress acl is not created, will hit panic when creating drop rule |
| for active-backup lag mode. If always create it, there will be about |
| 5% performance degradation. |
| |
| Fix it by creating ingress acl when needed. If esw_port_metadata is |
| true, ingress acl exists, then create drop rule using existing |
| ingress acl. If esw_port_metadata is false, create ingress acl and |
| then create drop rule. |
| |
| The Linux kernel CVE team has assigned CVE-2024-42142 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 5.18 with commit 1749c4c51c16e3e078faae0a876d01bafb187a74 and fixed in 6.1.98 with commit bc3ff8d3c05044de57865ebbb78cca8f7da3e595 |
| Issue introduced in 5.18 with commit 1749c4c51c16e3e078faae0a876d01bafb187a74 and fixed in 6.6.39 with commit 3e3551f8702978cd2221d2614ca6d6727e785324 |
| Issue introduced in 5.18 with commit 1749c4c51c16e3e078faae0a876d01bafb187a74 and fixed in 6.9.9 with commit 83bc1a129f7fd0d7d05036ceb7ee69102624e320 |
| Issue introduced in 5.18 with commit 1749c4c51c16e3e078faae0a876d01bafb187a74 and fixed in 6.10 with commit b20c2fb45470d0c7a603613c9cfa5d45720e17f2 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-42142 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/bc3ff8d3c05044de57865ebbb78cca8f7da3e595 |
| https://git.kernel.org/stable/c/3e3551f8702978cd2221d2614ca6d6727e785324 |
| https://git.kernel.org/stable/c/83bc1a129f7fd0d7d05036ceb7ee69102624e320 |
| https://git.kernel.org/stable/c/b20c2fb45470d0c7a603613c9cfa5d45720e17f2 |
