CVE-2024-35854

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-35854
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-35854.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-35854
Downstream
Related
Published
2024-05-17T14:47:30.775Z
Modified
2025-11-28T02:34:25.211191Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash
Details

In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrumacltcam: Fix possible use-after-free during rehash

The rehash delayed work migrates filters from one region to another according to the number of available credits.

The migrated from region is destroyed at the end of the work if the number of credits is non-negative as the assumption is that this is indicative of migration being complete. This assumption is incorrect as a non-negative number of credits can also be the result of a failed migration.

The destruction of a region that still has filters referencing it can result in a use-after-free [1].

Fix by not destroying the region if migration failed.

[1] BUG: KASAN: slab-use-after-free in mlxswspaclctcamregionentryremove+0x21d/0x230 Read of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858

CPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G W 6.9.0-rc2-custom-00782-gf2275c2157d8 #5 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxswcore mlxswspacltcamvregionrehashwork Call Trace: <TASK> dumpstacklvl+0xc6/0x120 printreport+0xce/0x670 kasanreport+0xd7/0x110 mlxswspaclctcamregionentryremove+0x21d/0x230 mlxswspaclctcamentrydel+0x2e/0x70 mlxswspaclatcamentrydel+0x81/0x210 mlxswspacltcamvchunkmigrateall+0x3cd/0xb50 mlxswspacltcamvregionrehashwork+0x157/0x1300 processonework+0x8eb/0x19b0 workerthread+0x6c9/0xf70 kthread+0x2c9/0x3b0 retfromfork+0x4d/0x80 retfromfork_asm+0x1a/0x30 </TASK>

Allocated by task 174: kasansavestack+0x33/0x60 kasansavetrack+0x14/0x30 _kasankmalloc+0x8f/0xa0 _kmalloc+0x19c/0x360 mlxswspacltcamregioncreate+0xdf/0x9c0 mlxswspacltcamvregionrehashwork+0x954/0x1300 processonework+0x8eb/0x19b0 workerthread+0x6c9/0xf70 kthread+0x2c9/0x3b0 retfromfork+0x4d/0x80 retfromforkasm+0x1a/0x30

Freed by task 7: kasansavestack+0x33/0x60 kasansavetrack+0x14/0x30 kasansavefreeinfo+0x3b/0x60 poisonslabobject+0x102/0x170 _kasanslabfree+0x14/0x30 kfree+0xc1/0x290 mlxswspacltcamregiondestroy+0x272/0x310 mlxswspacltcamvregionrehashwork+0x731/0x1300 processonework+0x8eb/0x19b0 workerthread+0x6c9/0xf70 kthread+0x2c9/0x3b0 retfromfork+0x4d/0x80 retfromfork_asm+0x1a/0x30

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35854.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c9c9af91f1d9a636aecc55302c792538e549a430
Fixed
e118e7ea24d1392878ef85926627c6bc640c4388
Fixed
a429a912d6c779807f4d72a6cc0a1efaaa3613e1
Fixed
4c89642ca47fb620914780c7c51d8d1248201121
Fixed
813e2ab753a8f8c243a39ede20c2e0adc15f3887
Fixed
311eeaa7b9e26aba5b3d57b09859f07d8e9fc049
Fixed
a02687044e124f8ccb427cd3632124a4e1a7d7c1
Fixed
54225988889931467a9b55fdbef534079b665519

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.1.0
Fixed
5.4.275
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.216
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.158
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.90
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.30
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.8.9