CVE-2023-54262

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-54262
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54262.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-54262
Published
2025-12-30T12:15:55.556Z
Modified
2025-12-31T00:36:24.488224Z
Summary
net/mlx5e: Don't clone flow post action attributes second time
Details

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Don't clone flow post action attributes second time

The code already clones post action attributes in mlx5e_clone_flow_attr_for_post_act(). Creating another copy in mlx5e_tc_post_act_add() is an erroneous leftover from the original implementation. Instead, assign handle->attribute to post_attr provided by the caller. Note that cloning the attribute a second time is not just wasteful but also causes issues like the second copy not being properly updated in the neigh update code, which leads to the following use-after-free:

Feb 21 09:02:00 c-237-177-40-045 kernel: BUG: KASAN: use-after-free in mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_report+0xbb/0x1a0
Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_stack+0x1e/0x40
Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_set_track+0x21/0x30
Feb 21 09:02:00 c-237-177-40-045 kernel: __kasan_kmalloc+0x7a/0x90
Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_stack+0x1e/0x40
Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_set_track+0x21/0x30
Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_free_info+0x2a/0x40
Feb 21 09:02:00 c-237-177-40-045 kernel: ____kasan_slab_free+0x11a/0x1b0
Feb 21 09:02:00 c-237-177-40-045 kernel: page dumped because: kasan: bad access detected
Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0: mlx5_cmd_out_err:803:(pid 8833): SET_FLOW_TABLE_ENTRY(0x936) op_mod(0x0) failed, status bad resource state(0x9), syndrome (0xf2ff71), err(-22)
Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0 enp8s0f0: Failed to add post action rule
Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0: mlx5e_tc_encap_flows_add:190:(pid 8833): Failed to update flow post acts, -22
Feb 21 09:02:00 c-237-177-40-045 kernel: Call Trace:
Feb 21 09:02:00 c-237-177-40-045 kernel: <TASK>
Feb 21 09:02:00 c-237-177-40-045 kernel: dump_stack_lvl+0x57/0x7d
Feb 21 09:02:00 c-237-177-40-045 kernel: print_report+0x170/0x471
Feb 21 09:02:00 c-237-177-40-045 kernel: ? mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_report+0xbb/0x1a0
Feb 21 09:02:00 c-237-177-40-045 kernel: ? mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: ? __module_address.part.0+0x62/0x200
Feb 21 09:02:00 c-237-177-40-045 kernel: ? mlx5_cmd_stub_create_flow_table+0xd0/0xd0 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: ? __raw_spin_lock_init+0x3b/0x110
Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_cmd_create_fte+0x80/0xb0 [mlx5_core]

Feb 21 09:02:00 c-237-177-40-045 kernel: add_rule_fg+0xe80/0x19c0 [mlx5_core]

Feb 21 09:02:00 c-237-177-40-045 kernel: Allocated by task 13476:
Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_stack+0x1e/0x40
Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_set_track+0x21/0x30
Feb 21 09:02:00 c-237-177-40-045 kernel: __kasan_kmalloc+0x7a/0x90
Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_packet_reformat_alloc+0x7b/0x230 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_tc_tun_create_header_ipv4+0x977/0xf10 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_attach_encap+0x15b4/0x1e10 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: post_process_attr+0x305/0xa30 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_tc_add_fdb_flow+0x4c0/0xcf0 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_configure_flower+0xcaa/0x4b90 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_rep_setup_tc_cls_flower+0x99/0x1b0 [mlx5_core]

Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_rep_setup_tc_cb+0x133/0x1e0 [mlx5_core]

Feb 21 09:02:00 c-237-177-40-045 kernel: Freed by task 8833:
Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_s ---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54262.json",
    "cna_assigner": "Linux"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8300f225268be9ee2c0daf5a3f23929fcdcbf213
Fixed
c382b693ffcb1f1ebf60d76ab9dedfe9ea13eedf
Fixed
8fd1dac646e6b08d03e3f1ad3c5b34255b1e08e8
Fixed
2d57a514f9ab7d2d40f49b02d93edfcec8c78a9e
Fixed
e9fce818fe003b6c527f25517b9ac08eb4661b5d

Affected versions

v5.*

v5.17
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.2.1
v6.2.10
v6.2.11
v6.2.12
v6.2.13
v6.2.14
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.2.6
v6.2.7
v6.2.8
v6.2.9
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.3.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54262.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.18.0
Fixed
6.1.28
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.2.15
Type
ECOSYSTEM
Events
Introduced
6.3.0
Fixed
6.3.2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54262.json"