Bug 2301507 (CVE-2024-42142)

Summary: CVE-2024-42142 kernel: net/mlx5: E-switch, Create ingress ACL when needed
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: dfreiber, drow, jburrell, vkumar
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: kernel 6.1.98, kernel 6.6.39, kernel 6.9.9, kernel 6.10
Doc Text:
A vulnerability was found in the Linux kernel's ethernet mlx5 driver: the ingress ACL is not created when the vport metadata match or prio tag are disabled. Because the active-backup LAG mode also relies on the ingress ACL but is not tied to the vport metadata match or prio tag, attempting to add a drop rule could result in a kernel panic and lead to system instability or crashes.
Bug Depends On: 2302002    

Description OSIDB Bzimport 2024-07-30 08:37:59 UTC
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: E-switch, Create ingress ACL when needed

Currently, ingress acl is used for three features. It is created only
when vport metadata match and prio tag are enabled. But active-backup
lag mode also uses it. It is independent of vport metadata match and
prio tag. And vport metadata match can be disabled using the
following devlink command:

 # devlink dev param set pci/0000:08:00.0 name esw_port_metadata \
	value false cmode runtime

If ingress acl is not created, will hit panic when creating drop rule
for active-backup lag mode. If always create it, there will be about
5% performance degradation.

Fix it by creating ingress acl when needed. If esw_port_metadata is
true, ingress acl exists, then create drop rule using existing
ingress acl. If esw_port_metadata is false, create ingress acl and
then create drop rule.
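
A triage check for the fixed releases listed in this bug, as an added example that is not part of the bug report or the kernel project: `upstream_status` classifies an upstream kernel version string against the Fixed In Version list, and `show_esw_port_metadata` queries the devlink parameter named in the commit message. The function names and the `--running` switch are assumptions of this example.

```shell
#!/bin/sh
# Added triage helper for CVE-2024-42142 (not part of the bug report).
# Upstream fixed releases come from the "Fixed In Version" field above.
# Vendor kernels backport fixes, so their version strings need the vendor advisory.

# First fixed patch level for each stable series named in the bug.
fixed_patchlevel() {
    case "$1" in
        6.1) echo 98 ;;
        6.6) echo 39 ;;
        6.9) echo 9 ;;
        *)   return 1 ;;
    esac
}

# upstream_status VERSION prints one of:
#   fixed      at or above a fixed release listed in the bug
#   below-fix  in a listed series but older than its fixed release
#   unknown    series not listed, release candidate, or unparsable string
upstream_status() {
    case "$1" in *-rc*) echo unknown; return ;; esac
    ver=${1%%[-+]*}                 # drop suffix such as -200.fc40.x86_64
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" != "$ver" ] || { echo unknown; return; }
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" != "$rest" ] || patch=0   # "6.10" has no patch level
    patch=${patch%%.*}
    for n in "$major" "$minor" "$patch"; do
        case "$n" in ''|*[!0-9]*) echo unknown; return ;; esac
    done
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 10 ]; }; then
        echo fixed
    elif need=$(fixed_patchlevel "$major.$minor"); then
        if [ "$patch" -ge "$need" ]; then echo fixed; else echo below-fix; fi
    else
        echo unknown
    fi
}

# Show the runtime parameter from the commit message for one device
# (DEV is a devlink handle such as the pci/0000:08:00.0 used above).
show_esw_port_metadata() {
    devlink dev param show "$1" name esw_port_metadata
}

if [ "${1:-}" = "--running" ]; then upstream_status "$(uname -r)"; fi
```

A `below-fix` result only means the release predates the fix in that series; an `unknown` result needs the distribution's own advisory.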

Comment 1 Mauro Matteo Cascella 2024-07-31 10:33:16 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024073031-CVE-2024-42142-a3a2@gregkh/T

Comment 2 Mauro Matteo Cascella 2024-07-31 10:33:35 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2302002]