CVE-2024-36281

net/mlx5: Use mlx5_ipsec_rx_status_destroy to correctly delete status rules

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Use mlx5_ipsec_rx_status_destroy to correctly delete status rules

rx_create no longer allocates a modify_hdr instance that needs to be
cleaned up. The mlx5_modify_header_dealloc call will lead to a NULL pointer
dereference. A leak in the rules also previously occurred since there are
now two rules populated related to status.

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 109907067 P4D 109907067 PUD 116890067 PMD 0
Oops: 0000 [#1] SMP
CPU: 1 PID: 484 Comm: ip Not tainted 6.9.0-rc2-rrameshbabu+ #254
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Arch Linux 1.16.3-1-1 04/01/2014
RIP: 0010:mlx5_modify_header_dealloc+0xd/0x70
<snip>
Call Trace:
<TASK>
? show_regs+0x60/0x70
? __die+0x24/0x70
? page_fault_oops+0x15f/0x430
? free_to_partial_list.constprop.0+0x79/0x150
? do_user_addr_fault+0x2c9/0x5c0
? exc_page_fault+0x63/0x110
? asm_exc_page_fault+0x27/0x30
? mlx5_modify_header_dealloc+0xd/0x70
rx_create+0x374/0x590
rx_add_rule+0x3ad/0x500
? rx_add_rule+0x3ad/0x500
? mlx5_cmd_exec+0x2c/0x40
? mlx5_create_ipsec_obj+0xd6/0x200
mlx5e_accel_ipsec_fs_add_rule+0x31/0xf0
mlx5e_xfrm_add_state+0x426/0xc00
<snip>

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-06-21 CVE Reserved
2024-06-21 CVE Published
2024-09-10 EPSS Updated
2024-11-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (5)

URL	Tag	Source
https://git.kernel.org/stable/c/20af7afcd8b85a4cb413072d631bf9a6469eee3a	Vuln. Introduced
https://git.kernel.org/stable/c/94af50c0a9bb961fe93cf0fdd14eb0883da86721	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/b0a15cde37a8388e57573686f650a17208ae1212	2024-06-12
https://git.kernel.org/stable/c/cc9ac559f2e21894c21ac5b0c85fb24a5cab266c	2024-06-12
https://git.kernel.org/stable/c/16d66a4fa81da07bc4ed19f4e53b87263c2f8d38	2024-05-24

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6.8 < 6.6.33 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.8 < 6.6.33"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.7 < 6.9.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7 < 6.9.4"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.7 < 6.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7 < 6.10"		en		Affected