CVE-2024-50252 in Linux

Summary

by MITRE • 11/09/2024

In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address

The device stores IPv6 addresses that are used for encapsulation in linear memory that is managed by the driver.

Changing the remote address of an ip6gre net device never worked properly, but since cited commit the following reproducer [1] would result in a warning [2] and a memory leak [3]. The problem is that the new remote address is never added by the driver to its hash table (and therefore the device) and the old address is never removed from it.

Fix by programming the new address when the configuration of the ip6gre net device changes and removing the old one. If the address did not change, then the above would result in increasing the reference count of the address and then decreasing it.

[1]
# ip link add name bla up type ip6gre local 2001:db8:1::1 remote 2001:db8:2::1 tos inherit ttl inherit
# ip link set dev bla type ip6gre remote 2001:db8:3::1
# ip link del dev bla
# devlink dev reload pci/0000:01:00.0

[2]
WARNING: CPU: 0 PID: 1682 at drivers/net/ethernet/mellanox/mlxsw/spectrum.c:3002 mlxsw_sp_ipv6_addr_put+0x140/0x1d0
Modules linked in:
CPU: 0 UID: 0 PID: 1682 Comm: ip Not tainted 6.12.0-rc3-custom-g86b5b55bc835 #151
Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023
RIP: 0010:mlxsw_sp_ipv6_addr_put+0x140/0x1d0
[...]
Call Trace:
 mlxsw_sp_router_netdevice_event+0x55f/0x1240
 notifier_call_chain+0x5a/0xd0
 call_netdevice_notifiers_info+0x39/0x90
 unregister_netdevice_many_notify+0x63e/0x9d0
 rtnl_dellink+0x16b/0x3a0
 rtnetlink_rcv_msg+0x142/0x3f0
 netlink_rcv_skb+0x50/0x100
 netlink_unicast+0x242/0x390
 netlink_sendmsg+0x1de/0x420
 ____sys_sendmsg+0x2bd/0x320
 ___sys_sendmsg+0x9a/0xe0
 __sys_sendmsg+0x7a/0xd0
 do_syscall_64+0x9e/0x1a0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

[3]
unreferenced object 0xffff898081f597a0 (size 32):
  comm "ip", pid 1626, jiffies 4294719324
  hex dump (first 32 bytes):
    20 01 0d b8 00 02 00 00 00 00 00 00 00 00 00 01  ...............
    21 49 61 83 80 89 ff ff 00 00 00 00 01 00 00 00  !Ia.............
  backtrace (crc fd9be911):
    [] __kmalloc_cache_noprof+0x1da/0x260
    [] mlxsw_sp_ipv6_addr_kvdl_index_get+0x281/0x340
    [] mlxsw_sp_router_netdevice_event+0x47b/0x1240
    [] notifier_call_chain+0x5a/0xd0
    [] call_netdevice_notifiers_info+0x39/0x90
    [] register_netdevice+0x5f7/0x7a0
    [] ip6gre_newlink_common.isra.0+0x65/0x130
    [] ip6gre_newlink+0x72/0x120
    [] rtnl_newlink+0x471/0xa20
    [] rtnetlink_rcv_msg+0x142/0x3f0
    [] netlink_rcv_skb+0x50/0x100
    [] netlink_unicast+0x242/0x390
    [] netlink_sendmsg+0x1de/0x420
    [] ____sys_sendmsg+0x2bd/0x320
    [] ___sys_sendmsg+0x9a/0xe0
    [] __sys_sendmsg+0x7a/0xd0


Analysis

by VulDB Data Team • 10/02/2025

The vulnerability described in CVE-2024-50252 affects the Linux kernel's Mellanox Spectrum driver, specifically within the mlxsw spectrum_ipip module responsible for handling IPv6 GRE (Generic Routing Encapsulation) network devices. This flaw manifests as a memory leak occurring when attempting to change the remote IPv6 address of an ip6gre net device. The root cause lies in improper management of IPv6 address references within the driver's hash table, where the new address is never added to the table during configuration changes while the old address remains unreleased.

The technical implementation flaw stems from the driver's failure to properly synchronize address state changes within its internal data structures. When an ip6gre device configuration is modified to update the remote IPv6 address, the driver correctly processes the new address but neglects to remove the previous address from its hash table. This results in a dangling reference to the old IPv6 address, which continues to consume memory resources even though it's no longer associated with any active device configuration. The issue is particularly insidious because it only becomes apparent during device teardown operations, as demonstrated by the reproducer that involves creating an ip6gre device, changing its remote address, and then deleting the device.

The operational impact of this vulnerability extends beyond simple memory consumption, as it represents a potential denial-of-service vector and resource exhaustion threat. The memory leak occurs in the mlxsw_sp_ipv6_addr_put function, which is part of the driver's IPv6 address management subsystem, and the kernel's memory management subsystem generates warnings indicating the unreferenced object. According to CWE guidelines, this represents a memory leak vulnerability (CWE-401) that can be classified as a resource leak, specifically affecting the kernel's network device management capabilities. The ATT&CK framework would categorize this under privilege escalation or resource exhaustion techniques, as the vulnerability can be exploited to consume system resources through repeated configuration changes.

Mitigation strategies for this vulnerability involve applying the kernel patch that ensures proper address management during ip6gre device configuration changes. The fix implements a two-step process where the driver first programs the new IPv6 address into its hash table upon configuration updates and then removes the old address from the table. If the address remains unchanged, the system appropriately increments and decrements reference counts rather than creating memory leaks. System administrators should prioritize updating to kernel versions containing this fix, particularly in environments utilizing Mellanox Spectrum network hardware where ip6gre tunneling is employed. Organizations should also implement monitoring for memory allocation warnings and kernel messages related to unreferenced objects to detect potential exploitation attempts. The vulnerability underscores the importance of proper reference counting and resource management in kernel modules, particularly those handling network device configurations and address management operations.
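The update order that the commit message and the mitigation paragraph above describe (program the new address, then release the old one; for an unchanged address a single get followed by a single put) is shown below in an added example that is not part of this VulDB entry and not the mlxsw driver's code. It models the driver's address table as a small reference-counted array; the names addr_get, addr_put, set_remote_buggy, set_remote_fixed, run_reproducer and unchanged_remote_refcount are the example's own, and the two sample addresses are constructed from the reproducer's 2001:db8:2::1 and 2001:db8:3::1. Running the reproducer's add/change/delete sequence against the pre-fix update leaves one entry referenced and makes the delete's put miss, which corresponds to the leak [3] and the warning [2] in the summary; the fixed order leaves the table empty.

```c
/* Added example (not the mlxsw driver's or VulDB's code): a toy reference-counted
 * address table and the two update orders the fix contrasts. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ADDR_LEN 16 /* bytes in an IPv6 address */
#define SLOTS 8     /* toy fixed-size table; the real driver uses a hash table */

struct addr_entry { unsigned char addr[ADDR_LEN]; int refcount; bool in_use; };
struct addr_table { struct addr_entry slot[SLOTS]; };
struct tunnel { unsigned char remote[ADDR_LEN]; }; /* the ip6gre device's view */
struct result { int leaked; int put_failed; };

/* Constructed sample addresses: 2001:db8:2::1 and 2001:db8:3::1 from the reproducer. */
static const unsigned char REMOTE_A[ADDR_LEN] = {0x20,0x01,0x0d,0xb8,0,2,0,0, 0,0,0,0,0,0,0,1};
static const unsigned char REMOTE_B[ADDR_LEN] = {0x20,0x01,0x0d,0xb8,0,3,0,0, 0,0,0,0,0,0,0,1};

static struct addr_entry *table_find(struct addr_table *t, const unsigned char *a)
{
    for (int i = 0; i < SLOTS; i++)
        if (t->slot[i].in_use && memcmp(t->slot[i].addr, a, ADDR_LEN) == 0)
            return &t->slot[i];
    return NULL;
}

/* Take a reference; the first one programs the address into the table
 * (the role mlxsw_sp_ipv6_addr_kvdl_index_get plays in the leak backtrace). */
static int addr_get(struct addr_table *t, const unsigned char *a)
{
    struct addr_entry *e = table_find(t, a);
    if (e) { e->refcount++; return 0; }
    for (int i = 0; i < SLOTS; i++) {
        if (t->slot[i].in_use) continue;
        memcpy(t->slot[i].addr, a, ADDR_LEN);
        t->slot[i].refcount = 1;
        t->slot[i].in_use = true;
        return 0;
    }
    return -1; /* table full */
}

/* Drop a reference; the last one frees the entry (the role of mlxsw_sp_ipv6_addr_put).
 * Putting an address that was never added is what the WARNING in [2] reports; here it is -1. */
static int addr_put(struct addr_table *t, const unsigned char *a)
{
    struct addr_entry *e = table_find(t, a);
    if (!e) return -1;
    if (--e->refcount == 0) e->in_use = false;
    return 0;
}

/* Pre-fix behaviour as the commit message describes it: the device's remote changes
 * but the table is never told, so the new address is not added and the old keeps its reference. */
static void set_remote_buggy(struct addr_table *t, struct tunnel *tun, const unsigned char *new_remote)
{
    (void)t;
    memcpy(tun->remote, new_remote, ADDR_LEN);
}

/* Fixed order: reference the new address, then release the old one. For an unchanged
 * address this is one get followed by one put, leaving the refcount where it was. */
static int set_remote_fixed(struct addr_table *t, struct tunnel *tun, const unsigned char *new_remote)
{
    unsigned char old[ADDR_LEN];
    memcpy(old, tun->remote, ADDR_LEN);
    if (addr_get(t, new_remote) < 0) return -1;
    memcpy(tun->remote, new_remote, ADDR_LEN);
    return addr_put(t, old);
}

static int live_entries(const struct addr_table *t)
{
    int n = 0;
    for (int i = 0; i < SLOTS; i++) n += t->slot[i].in_use;
    return n;
}

/* The reproducer's sequence: add the device with remote A, change it to B, delete the
 * device. Reports entries still held afterwards (the leak) and whether the delete's put missed. */
static struct result run_reproducer(bool fixed)
{
    struct addr_table t = {0};
    struct tunnel tun;
    struct result r;
    addr_get(&t, REMOTE_A);                                /* ip link add ... remote 2001:db8:2::1 */
    memcpy(tun.remote, REMOTE_A, ADDR_LEN);
    if (fixed) set_remote_fixed(&t, &tun, REMOTE_B);      /* ip link set ... remote 2001:db8:3::1 */
    else set_remote_buggy(&t, &tun, REMOTE_B);
    r.put_failed = addr_put(&t, tun.remote) < 0;          /* ip link del dev bla */
    r.leaked = live_entries(&t);
    return r;
}

/* Edge case from the commit message: re-setting the same remote must leave the refcount at 1. */
static int unchanged_remote_refcount(void)
{
    struct addr_table t = {0};
    struct tunnel tun;
    addr_get(&t, REMOTE_A);
    memcpy(tun.remote, REMOTE_A, ADDR_LEN);
    set_remote_fixed(&t, &tun, REMOTE_A);
    return table_find(&t, REMOTE_A)->refcount;
}

int main(void)
{
    struct result buggy = run_reproducer(false), fixed = run_reproducer(true);
    printf("pre-fix: leaked=%d put_failed=%d\n", buggy.leaked, buggy.put_failed);
    printf("fixed:   leaked=%d put_failed=%d\n", fixed.leaked, fixed.put_failed);
    printf("unchanged remote refcount: %d\n", unchanged_remote_refcount());
    return 0;
}
```

The get-before-put order in set_remote_fixed is the detail worth keeping in mind when reviewing similar driver code: releasing the old address first would briefly drop its refcount to zero and free the table entry even when the new address is the same one, which is exactly the case the commit message calls out.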

Responsible

Linux

Reservation

10/21/2024

Disclosure

11/09/2024

Moderation

accepted

CPE

ready

EPSS

0.00218

KEV

no

Activities

very low
