
CVE-2024-35960

net/mlx5: Properly link new fs rules into the tree

Severity Score: 9.1 (CVSS v3.1)
Exploit Likelihood (EPSS): not shown
Affected Versions (CPE): see table below
Public Exploits: 0 (multiple sources)
Exploited in Wild: - (KEV)
Decision: Attend (SSVC)
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Properly link new fs rules into the tree

Previously, add_rule_fg would only add newly created rules from the
handle into the tree when they had a refcount of 1. On the other hand,
create_flow_handle tries hard to find and reference already existing
identical rules instead of creating new ones.

These two behaviors can result in a situation where create_flow_handle
1) creates a new rule and references it, then
2) in a subsequent step during the same handle creation references it
again,
resulting in a rule with a refcount of 2 that is not linked into the
tree, has a NULL parent and root, and causes a crash when the flow group
is deleted, because del_sw_hw_rule, invoked on rule deletion, assumes
node->parent is != NULL.

This happened in the wild, due to another bug related to incorrect
handling of duplicate pkt_reformat ids, which led to the code in
create_flow_handle incorrectly referencing a just-added rule in the same
flow handle, resulting in the problem described above. Full details are
at [1].

This patch changes add_rule_fg to add new rules without parents into
the tree, properly initializing them and avoiding the crash. This makes
it more consistent with how rules are added to an FTE in
create_flow_handle.


*Credits: N/A
CVSS Scores

Two CVSS v3.1 vectors are listed for this CVE; the page does not label their sources.

Metric               First vector   Second vector
Attack Vector        Network        Local
Attack Complexity    Low            Low
Privileges Required  None           Low
User Interaction     None           None
Scope                Unchanged      Unchanged
Confidentiality      None           None
Integrity            High           None
Availability         High           High

* Common Vulnerability Scoring System
SSVC
  • Decision: Attend
  • Exploitation: None
  • Automatable: Yes
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-05-17 CVE Reserved
  • 2024-05-20 CVE Published
  • 2024-05-21 EPSS Updated
  • 2024-08-02 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-476: NULL Pointer Dereference
CAPEC
Affected Vendors, Products, and Versions

Vendor   Product        Version              Other   Status
Linux    Linux Kernel   >= 4.10 < 4.19.313   -       Affected
Linux    Linux Kernel   >= 4.10 < 5.4.275    -       Affected
Linux    Linux Kernel   >= 4.10 < 5.10.216   -       Affected
Linux    Linux Kernel   >= 4.10 < 5.15.156   -       Affected
Linux    Linux Kernel   >= 4.10 < 6.1.87     -       Affected
Linux    Linux Kernel   >= 4.10 < 6.6.28     -       Affected
Linux    Linux Kernel   >= 4.10 < 6.8.7      -       Affected
Linux    Linux Kernel   >= 4.10 < 6.9        -       Affected