Bug 2265645 (CVE-2024-26586) - CVE-2024-26586 kernel: mlxsw: spectrum_acl_tcam: Fix stack corruption
Summary: CVE-2024-26586 kernel: mlxsw: spectrum_acl_tcam: Fix stack corruption
Keywords:
Status: NEW
Alias: CVE-2024-26586
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2265665
Blocks: 2265643
TreeView+ depends on / blocked
 
Reported: 2024-02-23 13:45 UTC by Patrick Del Bello
Modified: 2024-06-17 12:35 UTC (History)
49 users (show)

Fixed In Version: kernel 6.8-rc1, kernel 6.7.2, kernel 6.6.14, kernel 5.15.148, kernel 5.10.209, kernel 5.4.268
Doc Type: If docs needed, set a value
Doc Text:
A kernel stack flaw that corrupted the Linux kernel’s Mellanox Technologies Spectrum Ethernet driver was found when a user initialized more than 16 access control lists (ACLs). This flaw allows a local user to crash or potentially escalate their privileges on the system.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:2634 0 None None None 2024-05-01 01:22:35 UTC
Red Hat Product Errata RHBA-2024:2650 0 None None None 2024-05-02 00:15:24 UTC
Red Hat Product Errata RHBA-2024:2680 0 None None None 2024-05-02 16:01:41 UTC
Red Hat Product Errata RHBA-2024:2686 0 None None None 2024-05-02 22:50:29 UTC
Red Hat Product Errata RHSA-2024:1881 0 None None None 2024-04-18 02:28:20 UTC
Red Hat Product Errata RHSA-2024:1882 0 None None None 2024-04-18 01:47:11 UTC
Red Hat Product Errata RHSA-2024:2006 0 None None None 2024-04-23 16:39:53 UTC
Red Hat Product Errata RHSA-2024:2008 0 None None None 2024-04-23 16:28:21 UTC
Red Hat Product Errata RHSA-2024:2394 0 None None None 2024-04-30 10:16:05 UTC
Red Hat Product Errata RHSA-2024:2582 0 None None None 2024-04-30 14:59:51 UTC
Red Hat Product Errata RHSA-2024:2585 0 None None None 2024-04-30 14:46:03 UTC
Red Hat Product Errata RHSA-2024:2674 0 None None None 2024-05-02 11:56:53 UTC
Red Hat Product Errata RHSA-2024:3414 0 None None None 2024-05-28 14:05:22 UTC
Red Hat Product Errata RHSA-2024:3421 0 None None None 2024-05-28 14:07:04 UTC
Red Hat Product Errata RHSA-2024:3810 0 None None None 2024-06-11 17:27:15 UTC

Description Patrick Del Bello 2024-02-23 13:45:11 UTC
In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_acl_tcam: Fix stack corruption

When tc filters are first added to a net device, the corresponding local
port gets bound to an ACL group in the device. The group contains a list
of ACLs. In turn, each ACL points to a different TCAM region where the
filters are stored. During forwarding, the ACLs are sequentially
evaluated until a match is found.

One reason to place filters in different regions is when they are added
with decreasing priorities and in an alternating order so that two
consecutive filters can never fit in the same region because of their
key usage.

In Spectrum-2 and newer ASICs the firmware started to report that the
maximum number of ACLs in a group is more than 16, but the layout of the
register that configures ACL groups (PAGT) was not updated to account
for that. It is therefore possible to hit stack corruption [1] in the
rare case where more than 16 ACLs in a group are required.

Fix by limiting the maximum ACL group size to the minimum between what
the firmware reports and the maximum ACLs that fit in the PAGT register.

Add a test case to make sure the machine does not crash when this
condition is hit.

[1]
Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120
[...]
 dump_stack_lvl+0x36/0x50
 panic+0x305/0x330
 __stack_chk_fail+0x15/0x20
 mlxsw_sp_acl_tcam_group_update+0x116/0x120
 mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110
 mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20
 mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0
 mlxsw_sp_acl_rule_add+0x47/0x240
 mlxsw_sp_flower_replace+0x1a9/0x1d0
 tc_setup_cb_add+0xdc/0x1c0
 fl_hw_replace_filter+0x146/0x1f0
 fl_change+0xc17/0x1360
 tc_new_tfilter+0x472/0xb90
 rtnetlink_rcv_msg+0x313/0x3b0
 netlink_rcv_skb+0x58/0x100
 netlink_unicast+0x244/0x390
 netlink_sendmsg+0x1e4/0x440
 ____sys_sendmsg+0x164/0x260
 ___sys_sendmsg+0x9a/0xe0
 __sys_sendmsg+0x7a/0xc0
 do_syscall_64+0x40/0xe0
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Comment 1 Patrick Del Bello 2024-02-23 14:36:08 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2265665]

Comment 4 Justin M. Forbes 2024-02-27 00:33:02 UTC
	Issue introduced in 4.19 with commit c3ab435466d5 and fixed in 5.10.209 with commit 56750ea5d154
	Issue introduced in 4.19 with commit c3ab435466d5 and fixed in 5.15.148 with commit 348112522a35
	Issue introduced in 4.19 with commit c3ab435466d5 and fixed in 6.6.14 with commit 2f5e15657404
	Issue introduced in 4.19 with commit c3ab435466d5 and fixed in 6.7.2 with commit a361c2c1da5d
	Issue introduced in 4.19 with commit c3ab435466d5 and fixed in 6.8-rc1 with commit 483ae90d8f97

Comment 5 Justin M. Forbes 2024-02-27 00:33:21 UTC
This was fixed for Fedora with the 6.6.14 stable kernel updates.

Comment 7 errata-xmlrpc 2024-04-18 01:47:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1882 https://access.redhat.com/errata/RHSA-2024:1882

Comment 8 errata-xmlrpc 2024-04-18 02:28:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1881 https://access.redhat.com/errata/RHSA-2024:1881

Comment 9 errata-xmlrpc 2024-04-23 16:28:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:2008 https://access.redhat.com/errata/RHSA-2024:2008

Comment 10 errata-xmlrpc 2024-04-23 16:39:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2024:2006 https://access.redhat.com/errata/RHSA-2024:2006

Comment 12 errata-xmlrpc 2024-04-30 10:16:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2394 https://access.redhat.com/errata/RHSA-2024:2394

Comment 13 errata-xmlrpc 2024-04-30 14:46:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:2585 https://access.redhat.com/errata/RHSA-2024:2585

Comment 14 errata-xmlrpc 2024-04-30 14:59:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:2582 https://access.redhat.com/errata/RHSA-2024:2582

Comment 15 errata-xmlrpc 2024-05-02 11:56:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:2674 https://access.redhat.com/errata/RHSA-2024:2674

Comment 17 errata-xmlrpc 2024-05-28 14:05:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:3414 https://access.redhat.com/errata/RHSA-2024:3414

Comment 18 errata-xmlrpc 2024-05-28 14:07:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:3421 https://access.redhat.com/errata/RHSA-2024:3421

Comment 19 errata-xmlrpc 2024-06-11 17:27:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:3810 https://access.redhat.com/errata/RHSA-2024:3810


Note You need to log in before you can comment on or make changes to this bug.