CVE-2024-35855 in Linux

Summary

by MITRE • 05/17/2024

In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update

The rule activity update delayed work periodically traverses the list of configured rules and queries their activity from the device.

As part of this task it accesses the entry pointed by 'ventry->entry', but this entry can be changed concurrently by the rehash delayed work, leading to a use-after-free [1].

Fix by closing the race and performing the activity query under the 'vregion->lock' mutex.

[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140
Read of size 8 at addr ffff8881054ed808 by task kworker/0:18/181

CPU: 0 PID: 181 Comm: kworker/0:18 Not tainted 6.9.0-rc2-custom-00781-gd5ab772d32f7 #2
Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019
Workqueue: mlxsw_core mlxsw_sp_acl_rule_activity_update_work
Call Trace:
dump_stack_lvl+0xc6/0x120
print_report+0xce/0x670
kasan_report+0xd7/0x110
mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140
mlxsw_sp_acl_rule_activity_update_work+0x219/0x400
process_one_work+0x8eb/0x19b0
worker_thread+0x6c9/0xf70
kthread+0x2c9/0x3b0
ret_from_fork+0x4d/0x80
ret_from_fork_asm+0x1a/0x30

Allocated by task 1039:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x8f/0xa0
__kmalloc+0x19c/0x360
mlxsw_sp_acl_tcam_entry_create+0x7b/0x1f0
mlxsw_sp_acl_tcam_vchunk_migrate_all+0x30d/0xb50
mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300
process_one_work+0x8eb/0x19b0
worker_thread+0x6c9/0xf70
kthread+0x2c9/0x3b0
ret_from_fork+0x4d/0x80
ret_from_fork_asm+0x1a/0x30

Freed by task 1039:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x60
poison_slab_object+0x102/0x170
__kasan_slab_free+0x14/0x30
kfree+0xc1/0x290
mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3d7/0xb50
mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300
process_one_work+0x8eb/0x19b0
worker_thread+0x6c9/0xf70
kthread+0x2c9/0x3b0
ret_from_fork+0x4d/0x80
ret_from_fork_asm+0x1a/0x30


Analysis

by VulDB Data Team • 12/30/2024

CVE-2024-35855 is a use-after-free in the Linux kernel's mlxsw driver, which manages Mellanox Spectrum network switches, in its ACL TCAM code; it can lead to system instability or potentially to privilege escalation. The issue arises during rule activity updates, when the driver traverses the list of configured rules to query each rule's activity status from the hardware. The activity update work can access memory that the rehash delayed work has already freed, a classic race condition.

Technically, the mlxsw_sp_acl_tcam_flower_rule_activity_get function accesses ventry->entry without synchronization: the activity query is not performed under the vregion->lock mutex, so it runs concurrently with the rehash work that modifies the same data structures. When the rehash work migrates entries and frees the old ones, the activity update work may still dereference pointers to that now-freed memory. KASAN reported this as a slab-use-after-free: an 8-byte read at address ffff8881054ed808, memory that the rehash operation had already freed.

The operational impact is not limited to crashes or hangs. A use-after-free of this kind can potentially be leveraged by attackers for privilege escalation or denial of service on systems running affected kernel versions. The flaw affects the Mellanox Spectrum switch driver and therefore any system using this network hardware, particularly where ACL (Access Control List) rules are managed in TCAM (Ternary Content Addressable Memory) tables. The report was produced on a 6.9.0-rc2 development kernel, which indicates the issue may also be present in upcoming stable releases and could affect production environments using Mellanox networking equipment.

The fix addresses the root cause by performing the activity query under the vregion->lock mutex, the same lock that governs entry modifications, so the query can no longer observe an entry that the rehash work is freeing. This is the established approach to concurrent access control and memory management in kernel space. The weakness is classified as CWE-362, which covers race conditions in concurrent code, and the analysis maps it to ATT&CK techniques for privilege escalation through kernel vulnerabilities. With all access to rule entry structures confined to the proper synchronization boundaries, the use-after-free that could lead to system compromise or denial of service is prevented.
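The locking discipline described above, as an added example that is not the kernel's or the mlxsw driver's code: a hypothetical region whose rule entries are migrated by a rehash work, read by an activity reader both without and with the region lock. The structures and functions (vregion, ventry, vregion_rehash, activity_update, replay_window, run_race) are the example's own, named to mirror the advisory's ventry->entry and vregion->lock; retired entries are poisoned and parked in a quarantine rather than returned to the allocator, so that a stale read can be counted instead of being undefined behaviour.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define N_RULES 64
#define ROUNDS  200
#define POISON  0xDEADBEEFu  /* stands in for the poison KASAN writes into freed slab memory */

/* Hypothetical stand-ins for the driver's structures (not the kernel's definitions). */
struct entry  { uint32_t activity; };
struct ventry { struct entry *entry; };
struct vregion {
    pthread_mutex_t lock;
    struct ventry   rules[N_RULES];
    struct entry   *quarantine[N_RULES * ROUNDS]; /* retired entries: poisoned, not freed */
    size_t          n_quarantined;
};

static struct entry *entry_create(uint32_t activity)
{
    struct entry *e = malloc(sizeof *e);
    if (!e) abort();
    e->activity = activity;
    return e;
}

static struct vregion *vregion_new(void)
{
    struct vregion *vr = calloc(1, sizeof *vr);
    if (!vr) abort();
    pthread_mutex_init(&vr->lock, NULL);
    for (int i = 0; i < N_RULES; i++) vr->rules[i].entry = entry_create(0);
    return vr;
}

static void vregion_free(struct vregion *vr)
{
    for (int i = 0; i < N_RULES; i++) free(vr->rules[i].entry);
    for (size_t i = 0; i < vr->n_quarantined; i++) free(vr->quarantine[i]);
    pthread_mutex_destroy(&vr->lock);
    free(vr);
}

/* Models the rehash delayed work: each rule is migrated to a fresh entry and the
 * old one is retired (the "kfree"), all under vregion->lock as in the driver. */
static void vregion_rehash(struct vregion *vr, uint32_t round)
{
    pthread_mutex_lock(&vr->lock);
    for (int i = 0; i < N_RULES; i++) {
        struct entry *old = vr->rules[i].entry;
        vr->rules[i].entry = entry_create(round);
        old->activity = POISON;
        vr->quarantine[vr->n_quarantined++] = old;
    }
    pthread_mutex_unlock(&vr->lock);
}

/* Models the activity update work. locked == 0 is the unpatched pattern: ventry->entry
 * is fetched and dereferenced with no lock, so the rehash work can retire it in between.
 * locked == 1 is the fixed pattern: the whole query runs under vregion->lock.
 * Returns how many reads landed on a retired (poisoned) entry. */
static unsigned long activity_update(struct vregion *vr, int locked)
{
    unsigned long stale = 0;
    for (int i = 0; i < N_RULES; i++) {
        if (locked) pthread_mutex_lock(&vr->lock);
        struct entry *e = vr->rules[i].entry;  /* ventry->entry */
        uint32_t act = e->activity;            /* the device activity query */
        if (locked) pthread_mutex_unlock(&vr->lock);
        if (act == POISON) stale++;
    }
    return stale;
}

/* Deterministic single-threaded replay of the reported interleaving: fetch ventry->entry
 * without the lock, let the rehash work run, then dereference. Returns 1 on a stale hit. */
int replay_window(void)
{
    struct vregion *vr = vregion_new();
    struct entry *e = vr->rules[0].entry;  /* unlocked fetch, as in the unpatched code */
    vregion_rehash(vr, 1);                 /* migrates rule 0 and retires 'e' */
    int hit = (e->activity == POISON);     /* the dereference KASAN flagged */
    vregion_free(vr);
    return hit;
}

struct race { struct vregion *vr; int locked; unsigned long stale; atomic_int done; };

static void *rehash_work(void *p)
{
    struct race *r = p;
    for (uint32_t round = 1; round <= ROUNDS; round++) vregion_rehash(r->vr, round);
    atomic_store(&r->done, 1);
    return NULL;
}

static void *activity_work(void *p)
{
    struct race *r = p;
    while (!atomic_load(&r->done)) r->stale += activity_update(r->vr, r->locked);
    return NULL;
}

/* Run both works concurrently. With locked == 1 the result is 0 by construction, since the
 * pointer cannot be swapped and poisoned between fetch and dereference; with locked == 0
 * the count depends on scheduling, exactly like the real race. */
unsigned long run_race(int locked)
{
    struct race r = { vregion_new(), locked, 0, 0 };
    pthread_t t1, t2;
    pthread_create(&t1, NULL, rehash_work, &r);
    pthread_create(&t2, NULL, activity_work, &r);
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    vregion_free(r.vr);
    return r.stale;
}

int main(void)
{
    printf("replayed window hits retired entry: %d\n", replay_window());
    printf("unlocked reader: %lu stale reads\n", run_race(0));
    printf("locked reader:   %lu stale reads\n", run_race(1));
    return 0;
}
```

The point of the two variants is the one the fix makes: holding vregion->lock across both the pointer fetch and the dereference is what rules out the window, and moving only the fetch under the lock would not. The quarantine is purely a demonstration device; in the kernel the retired entry really is returned to the slab allocator, which is why KASAN reports the read as a slab-use-after-free rather than a stale value.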

Reservation

05/17/2024

Disclosure

05/17/2024

Moderation

accepted

CPE

ready

EPSS

0.00247

KEV

no

Activities

very low

Sources
