CVE-2024-57801
Published: 15 January 2025
Description
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Skip restore TC rules for vport rep without loaded flag. During driver unload, unregister_netdev is called after unloading the vport rep. So the mlx5e_rep_priv is already freed while trying to get rpriv->netdev or walk rpriv->tc_ht, which results in a use-after-free. So add a check to make sure we only access the data of a vport rep which is still loaded.
Security Summary
CVE-2024-57801 is a use-after-free vulnerability (CWE-416) in the Linux kernel's net/mlx5e driver, which handles Mellanox/NVIDIA ConnectX Ethernet functionality. The issue arises during driver unload, when unregister_netdev is called after the vport representor (rep) has already been unloaded. The code that restores Traffic Control (TC) rules then touches the already-freed mlx5e_rep_priv structure, for example by retrieving rpriv->netdev or walking rpriv->tc_ht, for a vport rep that is no longer marked as loaded. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. The use-after-free is triggered during the driver unload process and could potentially lead to arbitrary code execution, data corruption, or system crashes, with high impact on confidentiality, integrity, and availability within an unchanged security scope.
Mitigation involves applying kernel patches from stable repositories, which add checks to skip TC rule restoration for vport reps without the loaded flag, ensuring data access only occurs when the rep is still loaded. Relevant commits include https://git.kernel.org/stable/c/3e45dd1622a2c1a83c11bf42fdd8c1810123d6c0, https://git.kernel.org/stable/c/47c78d3fc26e38ab805613a0f592dc8a820c7c64, and https://git.kernel.org/stable/c/5a03b368562a7ff5f5f1f63b5adf8309cbdbd5be.
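To illustrate why the fix works, here is an added, simplified user-space model of the representor lifecycle (not kernel code and not the patch itself; the names rep_state, vport_rep, rep_priv, esw and the helper functions are assumed for illustration). The point it shows is that the loaded flag lives in the eswitch's rep table, which outlives the per-rep private data, so checking it is safe even after the priv has been freed.

```c
#include <stdlib.h>
/* Simplified user-space model of this CVE's representor lifecycle; names are illustrative, not the kernel's. */
enum rep_state { REP_REGISTERED, REP_LOADED };

struct rep_priv {            /* stands in for mlx5e_rep_priv: freed on unload */
    int num_tc_rules;        /* stands in for the rules held in rpriv->tc_ht */
};

struct vport_rep {           /* lives in the eswitch rep table, outlives priv */
    enum rep_state state;    /* the "loaded flag" */
    struct rep_priv *priv;
};

#define NUM_REPS 3
struct esw { struct vport_rep reps[NUM_REPS]; };

/* Load a rep: allocate its private data with nrules TC rules, mark it loaded. */
static void rep_load(struct vport_rep *rep, int nrules)
{
    rep->priv = calloc(1, sizeof(*rep->priv));
    if (!rep->priv)
        return;                  /* stays REP_REGISTERED, nothing to restore */
    rep->priv->num_tc_rules = nrules;
    rep->state = REP_LOADED;
}

/* Unload a rep: free its private data and clear the loaded flag. rep->priv
 * is left dangling on purpose, mirroring the kernel scenario in which only
 * the flag records that the priv is gone. */
static void rep_unload(struct vport_rep *rep)
{
    free(rep->priv);
    rep->state = REP_REGISTERED;
}

/* Restore TC rules for every rep, returning how many were restored. Before
 * the fix this walked rep->priv unconditionally, reading freed memory for an
 * unloaded rep. The fix consults the state flag, which lives in the rep table
 * rather than in the freed priv, and skips reps that are not loaded. */
static int restore_tc_rules(struct esw *esw)
{
    int restored = 0;
    for (int i = 0; i < NUM_REPS; i++) {
        struct vport_rep *rep = &esw->reps[i];
        if (rep->state != REP_LOADED)    /* the added check */
            continue;
        restored += rep->priv->num_tc_rules;
    }
    return restored;
}
```

Without the check, the loop would dereference the dangling priv of any rep that had been unloaded before the restore ran; a build with KASAN or a user-space run under AddressSanitizer is the practical way to confirm such a sequence.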
Details
- CWE(s)