2265799 – (CVE-2024-26595) CVE-2024-26595 kernel: mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path

Bug 2265799 (CVE-2024-26595) - CVE-2024-26595 kernel: mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path

Summary: CVE-2024-26595 kernel: mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference...

Keywords:
Status:	NEW
Alias:	CVE-2024-26595
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2265811
Blocks:	2265790
TreeView+	depends on / blocked

Reported:	2024-02-24 11:20 UTC by Patrick Del Bello
Modified:	2024-04-07 15:17 UTC (History)
CC List:	49 users (show)
Fixed In Version:	kernel 6.8-rc1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Patrick Del Bello 2024-02-24 11:20:25 UTC

When calling mlxsw_sp_acl_tcam_region_destroy() from an error path after
failing to attach the region to an ACL group, we hit a NULL pointer
dereference upon 'region->group->tcam' [1].

Fix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam().

[1]
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
RIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0
[...]
Call Trace:
 mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20
 mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0
 mlxsw_sp_acl_rule_add+0x47/0x240
 mlxsw_sp_flower_replace+0x1a9/0x1d0
 tc_setup_cb_add+0xdc/0x1c0
 fl_hw_replace_filter+0x146/0x1f0
 fl_change+0xc17/0x1360
 tc_new_tfilter+0x472/0xb90
 rtnetlink_rcv_msg+0x313/0x3b0
 netlink_rcv_skb+0x58/0x100
 netlink_unicast+0x244/0x390
 netlink_sendmsg+0x1e4/0x440
 ____sys_sendmsg+0x164/0x260
 ___sys_sendmsg+0x9a/0xe0
 __sys_sendmsg+0x7a/0xc0
 do_syscall_64+0x40/0xe0
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Comment 1 Patrick Del Bello 2024-02-24 11:25:46 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2265811]

Comment 3 Justin M. Forbes 2024-02-27 00:02:19 UTC

	Issue introduced in 4.11 with commit 22a677661f56 and fixed in 6.6.14 with commit 817840d125a3
	Issue introduced in 4.11 with commit 22a677661f56 and fixed in 6.7.2 with commit d0a1efe417c9
	Issue introduced in 4.11 with commit 22a677661f56 and fixed in 6.8-rc1 with commit efeb7dfea8ee

Comment 4 Justin M. Forbes 2024-02-27 00:02:50 UTC

This was fixed for Fedora with the 6.6.14 stable kernel updates.

Note You need to log in before you can comment on or make changes to this bug.

acaringi
allarkin
aquini
bhu
chwhite
cye
cyin
dbohanno
debarbos
dfreiber
drow
dvlasenk
esandeen
ezulian
hkrzesin
jarod
jburrell
jdenham
jfaracco
jforbes
jlelli
joe.lawrence
jshortt
jstancek
jwyatt
kcarcia
ldoskova
lgoncalv
lzampier
mleitner
mmilgram
mstowell
nmurray
ptalbert
rparrazo
rrobaina
rvrbovsk
rysulliv
scweaver
sukulkar
tglozar
tyberry
vkumar
wcosta
williams
wmealing
ycote
ykopkova
zhijwang