{ "threat_severity" : "Moderate", "public_date" : "2024-05-17T00:00:00Z", "bugzilla" : { "description" : "kernel: mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work", "id" : "2281257", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2281257" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work\nThe rehash delayed work is rescheduled with a delay if the number of\ncredits at end of the work is not negative as supposedly it means that\nthe migration ended. Otherwise, it is rescheduled immediately.\nAfter \"mlxsw: spectrum_acl_tcam: Fix possible use-after-free during\nrehash\" the above is no longer accurate as a non-negative number of\ncredits is no longer indicative of the migration being done. It can also\nhappen if the work encountered an error in which case the migration will\nresume the next time the work is scheduled.\nThe significance of the above is that it is possible for the work to be\npending and associated with hints that were allocated when the migration\nstarted. This leads to the hints being leaked [1] when the work is\ncanceled while pending as part of ACL region dismantle.\nFix by freeing the hints if hints are associated with a work that was\ncanceled while pending.\nBlame the original commit since the reliance on not having a pending\nwork associated with hints is fragile.\n[1]\nunreferenced object 0xffff88810e7c3000 (size 256):\ncomm \"kworker/0:16\", pid 176, jiffies 4295460353\nhex dump (first 32 bytes):\n00 30 95 11 81 88 ff ff 61 00 00 00 00 00 00 80 .0......a.......\n00 00 61 00 40 00 00 00 00 00 00 00 04 00 00 00 ..a.@...........\nbacktrace (crc 2544ddb9):\n[<00000000cf8cfab3>] kmalloc_trace+0x23f/0x2a0\n[<000000004d9a1ad9>] objagg_hints_get+0x42/0x390\n[<000000000b143cf3>] mlxsw_sp_acl_erp_rehash_hints_get+0xca/0x400\n[<0000000059bdb60a>] mlxsw_sp_acl_tcam_vregion_rehash_work+0x868/0x1160\n[<00000000e81fd734>] process_one_work+0x59c/0xf20\n[<00000000ceee9e81>] worker_thread+0x799/0x12c0\n[<00000000bda6fe39>] kthread+0x246/0x300\n[<0000000070056d23>] ret_from_fork+0x34/0x70\n[<00000000dea2b93e>] ret_from_fork_asm+0x1a/0x30", "CVE-2024-35852 addresses a memory leak in the Linux kernel's mlxsw driver, specifically within the Spectrum ACL TCAM module. The issue occurs when rehash work is canceled while pending, leading to allocated hints not being freed properly. This results in a memory leak that can degrade system performance over time. The problem has been resolved by ensuring that any associated hints are freed when the rehash work is canceled. Users should update their Linux kernel to a version that includes this fix to maintain optimal system performance." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-07-08T00:00:00Z", "advisory" : "RHSA-2024:4352", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.8.1.rt7.349.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-07-02T00:00:00Z", "advisory" : "RHSA-2024:4211", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.8.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2024-08-13T00:00:00Z", "advisory" : "RHSA-2024:5281", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "kernel-0:4.18.0-372.118.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2024-08-13T00:00:00Z", "advisory" : "RHSA-2024:5281", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "kernel-0:4.18.0-372.118.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2024-08-13T00:00:00Z", "advisory" : "RHSA-2024:5281", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kernel-0:4.18.0-372.118.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date" : "2024-08-13T00:00:00Z", "advisory" : "RHSA-2024:5255", "cpe" : "cpe:/o:redhat:rhel_eus:8.8", "package" : "kernel-0:4.18.0-477.67.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-08-15T00:00:00Z", "advisory" : "RHSA-2024:5363", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.31.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-08-15T00:00:00Z", "advisory" : "RHSA-2024:5363", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.31.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date" : "2024-08-14T00:00:00Z", "advisory" : "RHSA-2024:5364", "cpe" : "cpe:/a:redhat:rhel_eus:9.2", "package" : "kernel-0:5.14.0-284.79.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date" : "2024-08-14T00:00:00Z", "advisory" : "RHSA-2024:5365", "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.79.1.rt14.364.el9_2" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-35852\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-35852\nhttps://lore.kernel.org/linux-cve-announce/2024051740-CVE-2024-35852-9e9a@gregkh/T" ], "name" : "CVE-2024-35852", "csaw" : false }