CVE-2024-42073 - Addressing a Vulnerability in the Linux Kernel: Memory Corruption on Spectrum-4 Systems

A vulnerability has been identified and resolved in the Linux kernel, specifically in the mlxsw: spectrum_buffers. This vulnerability led to memory corruption on Spectrum-4 systems. This post will dive into the details of the vulnerability, discuss the code snippet that fixes it, and provide links to the relevant original references.

Exploit Details

The vulnerability involves two shared buffer operations that make use of the Shared Buffer Status Register (SBSR). The register has two masks of 256 bits to denote on which ingress/egress ports the register should operate. Spectrum-4 systems have more than 256 ports, so the register was extended by a cited commit with a new 'port_page' field.

However, when filling the register's payload, the driver specifies the ports as absolute numbers and not relative to the first port of the port page, resulting in memory corruptions [1].

The vulnerability can be triggered when Snapshot and Clearmax commands are used on a port that belongs to a higher port_page:

# devlink sb occupancy snapshot pci/000:01:00.
# devlink sb occupancy clearmax pci/000:01:00.

To address the issue, ports must be specified relative to the first port of the port page, which mitigates the memory corruption vulnerability.

Code Snippet

The fix consists of changing the code in the mlxsw_sp_sb_occ_snapshot function to specify the ports relative to the first port of the port page:

-	in_port = (index & ~3) + config->pool_size - 1;
+	in_port = (index & ~3) + config->port_size - 1;
 	if (mlxsw_sp_port_index_get(mlxsw_sp_port) > in_port)
 		return ;

This change ensures that the Shared Buffer Status Register operates correctly on systems with more than 256 ports, preventing memory corruption.

Original References

The vulnerability and its subsequent fix can be further explored in the original bug report and patch submission:

1. Bug report: https://lore.kernel.org/patchwork/patch/1567626/
2. Patch submission: https://lore.kernel.org/patchwork/patch/1567637/

Conclusion

CVE-2024-42073 addresses a critical vulnerability in the Linux kernel, specifically in the mlxsw: spectrum_buffers. Resolving this vulnerability prevents memory corruption on Spectrum-4 systems, ensuring the kernel operates correctly and safely. By specifying the ports relative to the first port of the port page, the Shared Buffer Status Register now functions properly on systems with more than 256 ports. The provided code snippet and links to original references offer a deeper understanding of the issue and its resolution.

Timeline

Published on: 07/29/2024 16:15:06 UTC
Last modified on: 08/02/2024 04:54:32 UTC