// For flags

CVE-2024-35960

net/mlx5: Properly link new fs rules into the tree

Severity Score

9.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Properly link new fs rules into the tree

Previously, add_rule_fg would only add newly created rules from the
handle into the tree when they had a refcount of 1. On the other hand,
create_flow_handle tries hard to find and reference already existing
identical rules instead of creating new ones.

These two behaviors can result in a situation where create_flow_handle
1) creates a new rule and references it, then
2) in a subsequent step during the same handle creation references it
again,
resulting in a rule with a refcount of 2 that is not linked into the
tree, will have a NULL parent and root and will result in a crash when
the flow group is deleted because del_sw_hw_rule, invoked on rule
deletion, assumes node->parent is != NULL.

This happened in the wild, due to another bug related to incorrect
handling of duplicate pkt_reformat ids, which lead to the code in
create_flow_handle incorrectly referencing a just-added rule in the same
flow handle, resulting in the problem described above. Full details are
at [1].

This patch changes add_rule_fg to add new rules without parents into
the tree, properly initializing them and avoiding the crash. This makes
it more consistent with how rules are added to an FTE in
create_flow_handle.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net/mlx5: vincular correctamente nuevas reglas fs al árbol. Anteriormente, add_rule_fg solo agregaba reglas recién creadas desde el identificador al árbol cuando tenían un recuento de 1. Por otro lado Por otro lado, create_flow_handle se esfuerza por encontrar y hacer referencia a reglas idénticas ya existentes en lugar de crear otras nuevas. Estos dos comportamientos pueden dar lugar a una situación en la que create_flow_handle 1) crea una nueva regla y hace referencia a ella, luego 2) en un paso posterior durante la creación del mismo identificador hace referencia a ella nuevamente, lo que da como resultado una regla con un recuento de 2 que no está vinculada a el árbol, tendrá un padre y una raíz NULL y provocará un bloqueo cuando se elimine el grupo de flujo porque del_sw_hw_rule, invocado al eliminar la regla, asume que nodo->padre es != NULL. Esto sucedió en la naturaleza, debido a otro error relacionado con el manejo incorrecto de identificadores de pkt_reformat duplicados, lo que llevó al código en create_flow_handle a hacer referencia incorrecta a una regla recién agregada en el mismo identificador de flujo, lo que resultó en el problema descrito anteriormente. Los detalles completos están en [1]. Este parche cambia add_rule_fg para agregar nuevas reglas sin padres al árbol, inicializándolas correctamente y evitando el bloqueo. Esto lo hace más coherente con la forma en que se agregan reglas a un FTE en create_flow_handle.

CVE-2024-35960 is a vulnerability in the Linux kernel's Mellanox MLX5 driver that affects flow steering rule handling. When identical rules are created and referenced multiple times, they can fail to properly link into the rule tree, leaving them uninitialized. This can cause system crashes during rule deletion due to invalid references. The issue has been fixed by ensuring all newly created rules are properly initialized and linked. Updating to a patched kernel version resolves the problem and ensures system stability.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-05-17 CVE Reserved
  • 2024-05-20 CVE Published
  • 2024-05-21 EPSS Updated
  • 2024-12-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-476: NULL Pointer Dereference
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.10 < 4.19.313
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.10 < 4.19.313"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.10 < 5.4.275
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.10 < 5.4.275"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.10 < 5.10.216
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.10 < 5.10.216"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.10 < 5.15.156
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.10 < 5.15.156"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.10 < 6.1.87
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.10 < 6.1.87"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.10 < 6.6.28
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.10 < 6.6.28"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.10 < 6.8.7
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.10 < 6.8.7"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.10 < 6.9
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.10 < 6.9"
en
Affected