Rapid7 Vulnerability & Exploit Database

Oracle Linux: (CVE-2024-26586) ELSA-2024-2394: kernel security, bug fix, and enhancement update

Free InsightVM Trial No Credit Card Necessary
2024 Attack Intel Report Latest research by Rapid7 Labs
Back to Search

Oracle Linux: (CVE-2024-26586) ELSA-2024-2394: kernel security, bug fix, and enhancement update

Severity
4
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published
02/22/2024
Created
05/21/2024
Added
05/14/2024
Modified
05/14/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_acl_tcam: Fix stack corruption

When tc filters are first added to a net device, the corresponding local

port gets bound to an ACL group in the device. The group contains a list

of ACLs. In turn, each ACL points to a different TCAM region where the

filters are stored. During forwarding, the ACLs are sequentially

evaluated until a match is found.

One reason to place filters in different regions is when they are added

with decreasing priorities and in an alternating order so that two

consecutive filters can never fit in the same region because of their

key usage.

In Spectrum-2 and newer ASICs the firmware started to report that the

maximum number of ACLs in a group is more than 16, but the layout of the

register that configures ACL groups (PAGT) was not updated to account

for that. It is therefore possible to hit stack corruption [1] in the

rare case where more than 16 ACLs in a group are required.

Fix by limiting the maximum ACL group size to the minimum between what

the firmware reports and the maximum ACLs that fit in the PAGT register.

Add a test case to make sure the machine does not crash when this

condition is hit.

[1]

Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120

[...]

dump_stack_lvl+0x36/0x50

panic+0x305/0x330

__stack_chk_fail+0x15/0x20

mlxsw_sp_acl_tcam_group_update+0x116/0x120

mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110

mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20

mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0

mlxsw_sp_acl_rule_add+0x47/0x240

mlxsw_sp_flower_replace+0x1a9/0x1d0

tc_setup_cb_add+0xdc/0x1c0

fl_hw_replace_filter+0x146/0x1f0

fl_change+0xc17/0x1360

tc_new_tfilter+0x472/0xb90

rtnetlink_rcv_msg+0x313/0x3b0

netlink_rcv_skb+0x58/0x100

netlink_unicast+0x244/0x390

netlink_sendmsg+0x1e4/0x440

____sys_sendmsg+0x164/0x260

___sys_sendmsg+0x9a/0xe0

__sys_sendmsg+0x7a/0xc0

do_syscall_64+0x40/0xe0

entry_SYSCALL_64_after_hwframe+0x63/0x6b

Solution(s)

  • oracle-linux-upgrade-kernel

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;