| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024073031-CVE-2024-42142-a3a2@gregkh> Date: Tue, 30 Jul 2024 09:48:00 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2024-42142: net/mlx5: E-switch, Create ingress ACL when needed Description =========== In the Linux kernel, the following vulnerability has been resolved: net/mlx5: E-switch, Create ingress ACL when needed Currently, ingress acl is used for three features. It is created only when vport metadata match and prio tag are enabled. But active-backup lag mode also uses it. It is independent of vport metadata match and prio tag. And vport metadata match can be disabled using the following devlink command: # devlink dev param set pci/0000:08:00.0 name esw_port_metadata \ value false cmode runtime If ingress acl is not created, will hit panic when creating drop rule for active-backup lag mode. If always create it, there will be about 5% performance degradation. Fix it by creating ingress acl when needed. If esw_port_metadata is true, ingress acl exists, then create drop rule using existing ingress acl. If esw_port_metadata is false, create ingress acl and then create drop rule. The Linux kernel CVE team has assigned CVE-2024-42142 to this issue. Affected and fixed versions =========================== Issue introduced in 5.18 with commit 1749c4c51c16 and fixed in 6.1.98 with commit bc3ff8d3c050 Issue introduced in 5.18 with commit 1749c4c51c16 and fixed in 6.6.39 with commit 3e3551f87029 Issue introduced in 5.18 with commit 1749c4c51c16 and fixed in 6.9.9 with commit 83bc1a129f7f Issue introduced in 5.18 with commit 1749c4c51c16 and fixed in 6.10 with commit b20c2fb45470 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-42142 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/bc3ff8d3c05044de57865ebbb78cca8f7da3e595 https://git.kernel.org/stable/c/3e3551f8702978cd2221d2614ca6d6727e785324 https://git.kernel.org/stable/c/83bc1a129f7fd0d7d05036ceb7ee69102624e320 https://git.kernel.org/stable/c/b20c2fb45470d0c7a603613c9cfa5d45720e17f2
Powered by blists - more mailing lists