From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-50252: mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address

The device stores IPv6 addresses that are used for encapsulation in
linear memory that is managed by the driver.

Changing the remote address of an ip6gre net device never worked
properly, but since cited commit the following reproducer [1] would
result in a warning [2] and a memory leak [3]. The problem is that the
new remote address is never added by the driver to its hash table (and
therefore the device) and the old address is never removed from it.

Fix by programming the new address when the configuration of the ip6gre
net device changes and removing the old one. If the address did not
change, then the above would result in increasing the reference count of
the address and then decreasing it.

[1]
# ip link add name bla up type ip6gre local 2001:db8:1::1 remote 2001:db8:2::1 tos inherit ttl inherit
# ip link set dev bla type ip6gre remote 2001:db8:3::1
# ip link del dev bla
# devlink dev reload pci/0000:01:00.0

[2]
WARNING: CPU: 0 PID: 1682 at drivers/net/ethernet/mellanox/mlxsw/spectrum.c:3002 mlxsw_sp_ipv6_addr_put+0x140/0x1d0
Modules linked in:
CPU: 0 UID: 0 PID: 1682 Comm: ip Not tainted 6.12.0-rc3-custom-g86b5b55bc835 #151
Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023
RIP: 0010:mlxsw_sp_ipv6_addr_put+0x140/0x1d0
[...]
Call Trace:
<TASK>
mlxsw_sp_router_netdevice_event+0x55f/0x1240
notifier_call_chain+0x5a/0xd0
call_netdevice_notifiers_info+0x39/0x90
unregister_netdevice_many_notify+0x63e/0x9d0
rtnl_dellink+0x16b/0x3a0
rtnetlink_rcv_msg+0x142/0x3f0
netlink_rcv_skb+0x50/0x100
netlink_unicast+0x242/0x390
netlink_sendmsg+0x1de/0x420
____sys_sendmsg+0x2bd/0x320
___sys_sendmsg+0x9a/0xe0
__sys_sendmsg+0x7a/0xd0
do_syscall_64+0x9e/0x1a0
entry_SYSCALL_64_after_hwframe+0x77/0x7f

[3]
unreferenced object 0xffff898081f597a0 (size 32):
comm "ip", pid 1626, jiffies 4294719324
hex dump (first 32 bytes):
20 01 0d b8 00 02 00 00 00 00 00 00 00 00 00 01 ...............
21 49 61 83 80 89 ff ff 00 00 00 00 01 00 00 00 !Ia.............
backtrace (crc fd9be911):
[<00000000df89c55d>] __kmalloc_cache_noprof+0x1da/0x260
[<00000000ff2a1ddb>] mlxsw_sp_ipv6_addr_kvdl_index_get+0x281/0x340
[<000000009ddd445d>] mlxsw_sp_router_netdevice_event+0x47b/0x1240
[<00000000743e7757>] notifier_call_chain+0x5a/0xd0
[<000000007c7b9e13>] call_netdevice_notifiers_info+0x39/0x90
[<000000002509645d>] register_netdevice+0x5f7/0x7a0
[<00000000c2e7d2a9>] ip6gre_newlink_common.isra.0+0x65/0x130
[<0000000087cd6d8d>] ip6gre_newlink+0x72/0x120
[<000000004df7c7cc>] rtnl_newlink+0x471/0xa20
[<0000000057ed632a>] rtnetlink_rcv_msg+0x142/0x3f0
[<0000000032e0d5b5>] netlink_rcv_skb+0x50/0x100
[<00000000908bca63>] netlink_unicast+0x242/0x390
[<00000000cdbe1c87>] netlink_sendmsg+0x1de/0x420
[<0000000011db153e>] ____sys_sendmsg+0x2bd/0x320
[<000000003b6d53eb>] ___sys_sendmsg+0x9a/0xe0
[<00000000cae27c62>] __sys_sendmsg+0x7a/0xd0

The Linux kernel CVE team has assigned CVE-2024-50252 to this issue.


Affected and fixed versions
===========================

Issue introduced in 5.17 with commit cf42911523e02026cb56d329e584ae5923e94ba1 and fixed in 6.1.116 with commit d8f298eb6659eb6a38e26b79e77de4449dc6e61b
Issue introduced in 5.17 with commit cf42911523e02026cb56d329e584ae5923e94ba1 and fixed in 6.6.60 with commit 31384aa2ad05c29c7745000f321154f42de24d1a
Issue introduced in 5.17 with commit cf42911523e02026cb56d329e584ae5923e94ba1 and fixed in 6.11.7 with commit c1bbdbe07f0bc3bc9f87efe4672d67208c6d6942
Issue introduced in 5.17 with commit cf42911523e02026cb56d329e584ae5923e94ba1 and fixed in 6.12 with commit 12ae97c531fcd3bfd774d4dfeaeac23eafe24280

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-50252
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
drivers/net/ethernet/mellanox/mlxsw/spectrum_ipip.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/d8f298eb6659eb6a38e26b79e77de4449dc6e61b
https://git.kernel.org/stable/c/31384aa2ad05c29c7745000f321154f42de24d1a
https://git.kernel.org/stable/c/c1bbdbe07f0bc3bc9f87efe4672d67208c6d6942
https://git.kernel.org/stable/c/12ae97c531fcd3bfd774d4dfeaeac23eafe24280
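The failure mode described in the commit message is a reference-counting pattern, not something specific to the mlxsw hardware: a change of the remote address must take a reference on the new address before dropping the reference on the old one, and a "change" to the same address must net out to no change in the count. The model below is an added example written for this advisory, not code from the mlxsw driver or the kernel; the table, the addr_get/addr_put functions and the tunnel_set_remote_* functions are hypothetical stand-ins for the driver's hash table, kvdl index allocation and ip6gre netdev handling. It replays the reproducer [1] against a buggy and a fixed change routine: the buggy path leaves the original remote (2001:db8:2::1, the address visible in the first 16 bytes of the kmemleak hex dump in [3]) allocated and trips the put() on an unknown address that corresponds to the warning in [2]; the fixed path frees everything. The addresses are constructed test data.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 8

struct in6 { uint8_t s6[16]; };

/* One refcounted address; in_use stands in for a kmalloc'd node in the hash table. */
struct addr_entry { struct in6 addr; unsigned int refcount; bool in_use; };

/* Hypothetical model of the driver-managed address table. live counts allocated
 * slots; anything non-zero after teardown is what kmemleak would report. */
struct addr_table { struct addr_entry entries[MAX_ENTRIES]; unsigned int live; };

struct tunnel { struct in6 remote; };

static struct addr_entry *addr_lookup(struct addr_table *t, const struct in6 *a)
{
	for (int i = 0; i < MAX_ENTRIES; i++)
		if (t->entries[i].in_use && memcmp(&t->entries[i].addr, a, 16) == 0)
			return &t->entries[i];
	return NULL;
}

/* Take a reference: bump an existing entry or allocate a new slot. */
static int addr_get(struct addr_table *t, const struct in6 *a)
{
	struct addr_entry *e = addr_lookup(t, a);
	if (e) { e->refcount++; return 0; }
	for (int i = 0; i < MAX_ENTRIES; i++) {
		e = &t->entries[i];
		if (!e->in_use) {
			e->in_use = true; e->addr = *a; e->refcount = 1; t->live++;
			return 0;
		}
	}
	return -1; /* table full */
}

/* Drop a reference. Returns -1 if the address is not in the table, the situation
 * the WARNING in [2] reports for the real driver. */
static int addr_put(struct addr_table *t, const struct in6 *a)
{
	struct addr_entry *e = addr_lookup(t, a);
	if (!e) return -1;
	if (--e->refcount == 0) { e->in_use = false; t->live--; }
	return 0;
}

/* Buggy: the software copy of the remote changes, the table is never told. */
static void tunnel_set_remote_buggy(struct tunnel *tun, struct addr_table *t, const struct in6 *nr)
{
	(void)t;
	tun->remote = *nr;
}

/* Fixed: program the new address, then release the old one. If new == old this
 * is a refcount increment followed by a decrement, as the commit message notes. */
static int tunnel_set_remote_fixed(struct tunnel *tun, struct addr_table *t, const struct in6 *nr)
{
	struct in6 old = tun->remote;
	int err = addr_get(t, nr);
	if (err) return err;
	tun->remote = *nr;
	return addr_put(t, &old);
}

/* Constructed address 2001:db8:X::1 (X is the sixth byte, as in the hex dump in [3]). */
static struct in6 mk(uint8_t x)
{
	struct in6 a = {{0x20, 0x01, 0x0d, 0xb8, 0x00, x, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01}};
	return a;
}

/* Replays [1]: add with remote ::2, change to ::3, delete. Sets *warned if the
 * delete path tried to put an address the table does not hold; returns entries
 * still allocated afterwards (0 means no leak). */
static unsigned int replay_reproducer(bool fixed, bool *warned)
{
	struct addr_table t = {0};
	struct tunnel tun = {0};
	struct in6 r2 = mk(2), r3 = mk(3);

	addr_get(&t, &r2); tun.remote = r2;            /* ip link add ... remote 2001:db8:2::1 */
	if (fixed) tunnel_set_remote_fixed(&tun, &t, &r3); /* ip link set ... remote 2001:db8:3::1 */
	else tunnel_set_remote_buggy(&tun, &t, &r3);
	*warned = addr_put(&t, &tun.remote) != 0;      /* ip link del: release current remote */
	return t.live;
}

static unsigned int leaked_entries(bool fixed) { bool w; return replay_reproducer(fixed, &w); }
static bool put_warned(bool fixed) { bool w; replay_reproducer(fixed, &w); return w; }

/* Re-setting the same remote on the fixed path: refcount goes 1 -> 2 -> 1. */
static unsigned int same_address_refcount(void)
{
	struct addr_table t = {0};
	struct tunnel tun = {0};
	struct in6 r2 = mk(2);
	addr_get(&t, &r2); tun.remote = r2;
	tunnel_set_remote_fixed(&tun, &t, &r2);
	struct addr_entry *e = addr_lookup(&t, &r2);
	return e ? e->refcount : 0;
}

int main(void)
{
	printf("buggy: leaked=%u warned=%d\n", leaked_entries(false), put_warned(false));
	printf("fixed: leaked=%u warned=%d same-addr refcount=%u\n",
	       leaked_entries(true), put_warned(true), same_address_refcount());
	return 0;
}
```

The ordering in tunnel_set_remote_fixed matters: taking the new reference before dropping the old one means a change to an identical address cannot transiently free and reallocate the entry, which is the "increase then decrease" behaviour the commit message describes for the unchanged case.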