CVE-2024-42073

In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_buffers: Fix memory corruptions on Spectrum-4 systems The following two shared buffer operations make use of the Shared Buffer Status Register (SBSR): # devlink sb occupancy snapshot pci/0000:01:00.0 # devlink sb occupancy clearmax pci/0000:01:00.0 The register has two masks of 256 bits to denote on which ingress / egress ports the register should operate on. Spectrum-4 has more than 256 ports, so the register was extended by cited commit with a new 'port_page' field. However, when filling the register's payload, the driver specifies the ports as absolute numbers and not relative to the first port of the port page, resulting in memory corruptions [1]. Fix by specifying the ports relative to the first port of the port page. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_sb_occ_snapshot+0xb6d/0xbc0 Read of size 1 at addr ffff8881068cb00f by task devlink/1566 [...] Call Trace: <TASK> dump_stack_lvl+0xc6/0x120 print_report+0xce/0x670 kasan_report+0xd7/0x110 mlxsw_sp_sb_occ_snapshot+0xb6d/0xbc0 mlxsw_devlink_sb_occ_snapshot+0x75/0xb0 devlink_nl_sb_occ_snapshot_doit+0x1f9/0x2a0 genl_family_rcv_msg_doit+0x20c/0x300 genl_rcv_msg+0x567/0x800 netlink_rcv_skb+0x170/0x450 genl_rcv+0x2d/0x40 netlink_unicast+0x547/0x830 netlink_sendmsg+0x8d4/0xdb0 __sys_sendto+0x49b/0x510 __x64_sys_sendto+0xe5/0x1c0 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f [...] Allocated by task 1: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 copy_verifier_state+0xbc2/0xfb0 do_check_common+0x2c51/0xc7e0 bpf_check+0x5107/0x9960 bpf_prog_load+0xf0e/0x2690 __sys_bpf+0x1a61/0x49d0 __x64_sys_bpf+0x7d/0xc0 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 1: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 poison_slab_object+0x109/0x170 __kasan_slab_free+0x14/0x30 kfree+0xca/0x2b0 free_verifier_state+0xce/0x270 do_check_common+0x4828/0xc7e0 bpf_check+0x5107/0x9960 bpf_prog_load+0xf0e/0x2690 __sys_bpf+0x1a61/0x49d0 __x64_sys_bpf+0x7d/0xc0 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

21 Nov 2024, 09:33

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/942901e0fc74ad4b7992ef7ca9336e68d5fd6d36 - Patch () https://git.kernel.org/stable/c/942901e0fc74ad4b7992ef7ca9336e68d5fd6d36 - Patch
References () https://git.kernel.org/stable/c/bf8781ede7bd9a37c0fcabca78976e61300b5a1a - Patch () https://git.kernel.org/stable/c/bf8781ede7bd9a37c0fcabca78976e61300b5a1a - Patch
References () https://git.kernel.org/stable/c/bfa86a96912faa0b6142a918db88cc0c738a769e - Patch () https://git.kernel.org/stable/c/bfa86a96912faa0b6142a918db88cc0c738a769e - Patch
References () https://git.kernel.org/stable/c/c28947de2bed40217cf256c5d0d16880054fcf13 - Patch () https://git.kernel.org/stable/c/c28947de2bed40217cf256c5d0d16880054fcf13 - Patch

30 Jul 2024, 19:00

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mlxsw: spectrum_buffers: corrige daños en la memoria en sistemas Spectrum-4 Las siguientes dos operaciones de búfer compartido utilizan el registro de estado del búfer compartido (SBSR): # devlink sb occupancy snapshot pci/0000 :01:00.0 # devlink sb occupancy clearmax pci/0000:01:00.0 El registro tiene dos máscaras de 256 bits para indicar en qué puertos de entrada/salida debe operar el registro. Spectrum-4 tiene más de 256 puertos, por lo que el registro se amplió mediante la confirmación citada con un nuevo campo 'port_page'. Sin embargo, al llenar el payload del registro, el controlador especifica los puertos como números absolutos y no relativos al primer puerto de la página de puertos, lo que provoca daños en la memoria [1]. Corrija especificando los puertos relativos al primer puerto de la página de puertos. [1] ERROR: KASAN: slab-use-after-free en mlxsw_sp_sb_occ_snapshot+0xb6d/0xbc0 Lectura del tamaño 1 en la dirección ffff8881068cb00f mediante la tarea devlink/1566 [...] Seguimiento de llamadas: dump_stack_lvl+0xc6/0x120 print_report+ 0xce/0x670 kasan_report+0xd7/0x110 mlxsw_sp_sb_occ_snapshot+0xb6d/0xbc0 mlxsw_devlink_sb_occ_snapshot+0x75/0xb0 devlink_nl_sb_occ_snapshot_doit+0x1f9/0x2a0 genl_family_rcv_ msg_doit+0x20c/0x300 genl_rcv_msg+0x567/0x800 netlink_rcv_skb+0x170/0x450 genl_rcv+0x2d/0x40 netlink_unicast+0x547/0x830 netlink_sendmsg+ 0x8d4/0xdb0 __sys_sendto+0x49b/0x510 __x64_sys_sendto+0xe5/0x1c0 do_syscall_64+0xc1/0x1d0 Entry_SYSCALL_64_after_hwframe+0x77/0x7f [...] Asignado por tarea 1: kasan_save_stack+0x33/ 0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 copy_verifier_state+ 0xbc2/0xfb0 do_check_common+0x2c51/0xc7e0 bpf_check+0x5107/0x9960 bpf_prog_load+0xf0e/0x2690 __sys_bpf+0x1a61/0x49d0 __x64_sys_bpf+0x7d/0xc0 _64+0xc1/0x1d0 Entry_SYSCALL_64_after_hwframe+0x77/0x7f Liberado por la tarea 1: kasan_save_stack+0x33/0x60 kasan_save_track+ 0x14/0x30 kasan_save_free_info+0x3b/0x60 poison_slab_object+0x109/0x170 __kasan_slab_free+0x14/0x30 kfree+0xca/0x2b0 free_verifier_state+0xce/0x270 do_check_common+0x4828/0xc7e0 bpf_check+0x 5107/0x9960 bpf_prog_load+0xf0e/0x2690 __sys_bpf+0x1a61/0x49d0 __x64_sys_bpf+ 0x7d/0xc0 do_syscall_64+0xc1/0x1d0 entrada_SYSCALL_64_after_hwframe+0x77/0x7f
References () https://git.kernel.org/stable/c/942901e0fc74ad4b7992ef7ca9336e68d5fd6d36 - () https://git.kernel.org/stable/c/942901e0fc74ad4b7992ef7ca9336e68d5fd6d36 - Patch
References () https://git.kernel.org/stable/c/bf8781ede7bd9a37c0fcabca78976e61300b5a1a - () https://git.kernel.org/stable/c/bf8781ede7bd9a37c0fcabca78976e61300b5a1a - Patch
References () https://git.kernel.org/stable/c/bfa86a96912faa0b6142a918db88cc0c738a769e - () https://git.kernel.org/stable/c/bfa86a96912faa0b6142a918db88cc0c738a769e - Patch
References () https://git.kernel.org/stable/c/c28947de2bed40217cf256c5d0d16880054fcf13 - () https://git.kernel.org/stable/c/c28947de2bed40217cf256c5d0d16880054fcf13 - Patch
CWE CWE-416
First Time Linux linux Kernel
Linux
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.5
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

29 Jul 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-29 16:15

Updated : 2024-11-21 09:33


NVD link : CVE-2024-42073

Mitre link : CVE-2024-42073

CVE.ORG link : CVE-2024-42073


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-416

Use After Free