CVE-2024-50252

CVE Details

Release Date: 2024-11-09

Description


In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address

The device stores IPv6 addresses that are used for encapsulation in linear memory that is managed by the driver.

Changing the remote address of an ip6gre net device never worked properly, but since cited commit the following reproducer [1] would result in a warning [2] and a memory leak [3]. The problem is that the new remote address is never added by the driver to its hash table (and therefore the device) and the old address is never removed from it.

Fix by programming the new address when the configuration of the ip6gre net device changes and removing the old one. If the address did not change, then the above would result in increasing the reference count of the address and then decreasing it.

[1]
# ip link add name bla up type ip6gre local 2001:db8:1::1 remote 2001:db8:2::1 tos inherit ttl inherit
# ip link set dev bla type ip6gre remote 2001:db8:3::1
# ip link del dev bla
# devlink dev reload pci/0000:01:00.0

[2]
WARNING: CPU: 0 PID: 1682 at drivers/net/ethernet/mellanox/mlxsw/spectrum.c:3002 mlxsw_sp_ipv6_addr_put+0x140/0x1d0
Modules linked in:
CPU: 0 UID: 0 PID: 1682 Comm: ip Not tainted 6.12.0-rc3-custom-g86b5b55bc835 #151
Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023
RIP: 0010:mlxsw_sp_ipv6_addr_put+0x140/0x1d0
[...]
Call Trace:
mlxsw_sp_router_netdevice_event+0x55f/0x1240
notifier_call_chain+0x5a/0xd0
call_netdevice_notifiers_info+0x39/0x90
unregister_netdevice_many_notify+0x63e/0x9d0
rtnl_dellink+0x16b/0x3a0
rtnetlink_rcv_msg+0x142/0x3f0
netlink_rcv_skb+0x50/0x100
netlink_unicast+0x242/0x390
netlink_sendmsg+0x1de/0x420
____sys_sendmsg+0x2bd/0x320
___sys_sendmsg+0x9a/0xe0
__sys_sendmsg+0x7a/0xd0
do_syscall_64+0x9e/0x1a0
entry_SYSCALL_64_after_hwframe+0x77/0x7f

[3]
unreferenced object 0xffff898081f597a0 (size 32):
comm 'ip', pid 1626, jiffies 4294719324
hex dump (first 32 bytes):
20 01 0d b8 00 02 00 00 00 00 00 00 00 00 00 01 ...............
21 49 61 83 80 89 ff ff 00 00 00 00 01 00 00 00 !Ia.............
backtrace (crc fd9be911):
[<00000000df89c55d>] __kmalloc_cache_noprof+0x1da/0x260
[<00000000ff2a1ddb>] mlxsw_sp_ipv6_addr_kvdl_index_get+0x281/0x340
[<000000009ddd445d>] mlxsw_sp_router_netdevice_event+0x47b/0x1240
[<00000000743e7757>] notifier_call_chain+0x5a/0xd0
[<000000007c7b9e13>] call_netdevice_notifiers_info+0x39/0x90
[<000000002509645d>] register_netdevice+0x5f7/0x7a0
[<00000000c2e7d2a9>] ip6gre_newlink_common.isra.0+0x65/0x130
[<0000000087cd6d8d>] ip6gre_newlink+0x72/0x120
[<000000004df7c7cc>] rtnl_newlink+0x471/0xa20
[<0000000057ed632a>] rtnetlink_rcv_msg+0x142/0x3f0
[<0000000032e0d5b5>] netlink_rcv_skb+0x50/0x100
[<00000000908bca63>] netlink_unicast+0x242/0x390
[<00000000cdbe1c87>] netlink_sendmsg+0x1de/0x420
[<0000000011db153e>] ____sys_sendmsg+0x2bd/0x320
[<000000003b6d53eb>] ___sys_sendmsg+0x9a/0xe0
[<00000000cae27c62>] __sys_sendmsg+0x7a/0xd0
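
The bookkeeping failure the description above attributes to the driver, shown as an added example that is not part of this advisory or of the kernel source: a constructed user-space C model of a reference-counted address table that replays reproducer [1] with and without the fix. All names (addr_get, addr_put, change_fixed, run_reproducer) are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Constructed user-space model; names are hypothetical, not mlxsw code. */
#define SLOTS 8
static struct entry { char addr[40]; unsigned int refs; } table[SLOTS];
/* Take a reference on addr, programming a new entry on first use. */
static int addr_get(const char *addr) {
    int free_slot = -1;
    for (int i = 0; i < SLOTS; i++) {
        if (table[i].refs && !strcmp(table[i].addr, addr)) { table[i].refs++; return 0; }
        if (!table[i].refs && free_slot < 0) free_slot = i;
    }
    if (free_slot < 0) return -1;
    snprintf(table[free_slot].addr, sizeof(table[free_slot].addr), "%s", addr);
    table[free_slot].refs = 1;
    return 0;
}
/* Drop a reference; -1 means addr was never programmed (the warning case). */
static int addr_put(const char *addr) {
    for (int i = 0; i < SLOTS; i++)
        if (table[i].refs && !strcmp(table[i].addr, addr)) { table[i].refs--; return 0; }
    return -1;
}
static int live_entries(void) {
    int n = 0;
    for (int i = 0; i < SLOTS; i++) n += table[i].refs != 0;
    return n;
}
/* Fixed change path: get the new address first, then put the old one. */
static int change_fixed(const char **remote, const char *new_remote) {
    if (addr_get(new_remote)) return -1;
    addr_put(*remote);
    *remote = new_remote;
    return 0;
}
/* Replays reproducer [1]; returns leaked entries, *warned flags a bad put. */
static int run_reproducer(int fixed, int *warned) {
    const char *remote = "2001:db8:2::1";      /* ip link add ... remote */
    memset(table, 0, sizeof(table));
    addr_get(remote);
    if (fixed) change_fixed(&remote, "2001:db8:3::1");
    else remote = "2001:db8:3::1";             /* buggy: table untouched */
    *warned = addr_put(remote) != 0;           /* ip link del */
    return live_entries();
}
int main(void) {
    int w0, w1, l0 = run_reproducer(0, &w0), l1 = run_reproducer(1, &w1);
    printf("buggy: leaked=%d warned=%d; fixed: leaked=%d warned=%d\n", l0, w0, l1, w1);
    return 0;
}
```

In the buggy run the entry left behind is the original remote 2001:db8:2::1, the same address that begins the hex dump in [3].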

See more information about CVE-2024-50252 from MITRE CVE dictionary and NIST NVD


NOTE: The following CVSS metrics and score provided are preliminary and subject to review.


CVSS v3 metrics

Base Score: 5.5
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Version: 3.1
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Errata information


Platform                         Errata          Release Date
Oracle Linux version 9 (kernel)  ELSA-2025-0059  2025-01-10


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
