ubuntucve | Ubuntu.com | UB:CVE-2024-35854
History: May 17, 2024 - 12:00 a.m.

CVE-2024-35854

2024-05-17 00:00:00
ubuntu.com
linux kernel
vulnerability
use-after-free
migration
region destruction

CVSS3: 8.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 6.5
Confidence: High

EPSS: 0
Percentile: 10.3%

In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash

The rehash delayed work migrates filters from one region to another
according to the number of available credits.

The migrated from region is destroyed at the end of the work if the
number of credits is non-negative as the assumption is that this is
indicative of migration being complete. This assumption is incorrect as
a non-negative number of credits can also be the result of a failed
migration.

The destruction of a region that still has filters referencing it can
result in a use-after-free [1].

Fix by not destroying the region if migration failed.

[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230
Read of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858

CPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G W 6.9.0-rc2-custom-00782-gf2275c2157d8 #5
Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019
Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work
Call Trace:
 <TASK>
 dump_stack_lvl+0xc6/0x120
 print_report+0xce/0x670
 kasan_report+0xd7/0x110
 mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230
 mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70
 mlxsw_sp_acl_atcam_entry_del+0x81/0x210
 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50
 mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300
 process_one_work+0x8eb/0x19b0
 worker_thread+0x6c9/0xf70
 kthread+0x2c9/0x3b0
 ret_from_fork+0x4d/0x80
 ret_from_fork_asm+0x1a/0x30
 </TASK>

Allocated by task 174:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 __kasan_kmalloc+0x8f/0xa0
 __kmalloc+0x19c/0x360
 mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0
 mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300
 process_one_work+0x8eb/0x19b0
 worker_thread+0x6c9/0xf70
 kthread+0x2c9/0x3b0
 ret_from_fork+0x4d/0x80
 ret_from_fork_asm+0x1a/0x30

Freed by task 7:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3b/0x60
 poison_slab_object+0x102/0x170
 __kasan_slab_free+0x14/0x30
 kfree+0xc1/0x290
 mlxsw_sp_acl_tcam_region_destroy+0x272/0x310
 mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300
 process_one_work+0x8eb/0x19b0
 worker_thread+0x6c9/0xf70
 kthread+0x2c9/0x3b0
 ret_from_fork+0x4d/0x80
 ret_from_fork_asm+0x1a/0x30
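
A simplified user-space model of the decision described above, added here as an example; it is not the mlxsw driver code or the upstream patch. All names, the credit accounting and the failure injection are assumptions made for illustration. It shows that the credit check alone cannot tell a completed migration from a failed one, and that also checking the migration result closes the gap.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of a region; "destroyed" stands in for kfree(). */
struct region { int nfilters; bool destroyed; };

/*
 * Move filters from one region to another, one credit per filter.
 * Credits go negative when the work runs out of budget (interrupted,
 * to be resumed later). fail_after injects a constructed failure after
 * that many successful moves (-1 = never fail); credits stay >= 0 then.
 */
static int migrate(struct region *from, struct region *to,
                   int *credits, int fail_after)
{
    int moved = 0;

    while (from->nfilters > 0) {
        if (moved == fail_after)
            return -1;              /* failed: filters remain in "from" */
        if (--(*credits) < 0)
            return 0;               /* out of credits: not an error */
        from->nfilters--;
        to->nfilters++;
        moved++;
    }
    return 0;
}

/* Returns how many filters still reference a destroyed region. */
static int rehash_work(int nfilters, int credits, int fail_after, bool fixed)
{
    struct region from = { nfilters, false }, to = { 0, false };
    int err = migrate(&from, &to, &credits, fail_after);
    /* Flawed check: credits only. Fixed check: also require success. */
    bool complete = fixed ? (!err && credits >= 0) : (credits >= 0);

    if (complete)
        from.destroyed = true;
    return from.destroyed ? from.nfilters : 0;
}

int main(void)
{
    printf("flawed, completed:      %d dangling\n", rehash_work(3, 10, -1, false));
    printf("flawed, out of credits: %d dangling\n", rehash_work(3, 2, -1, false));
    printf("flawed, failed:         %d dangling\n", rehash_work(3, 10, 1, false));
    printf("fixed,  failed:         %d dangling\n", rehash_work(3, 10, 1, true));
    return 0;
}
```

A non-zero result is the state the KASAN report above corresponds to: a later filter removal dereferences a region that has already been freed.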
