CVE-2024-42073 highlights a newly patched critical vulnerability found in the Linux kernel's mlxsw (Mellanox Switch) driver, specifically affecting Spectrum-4 devices with large port counts. In this deep dive, we’ll cover what the bug is, how it happens, the technical exploit details, and how the fix addresses it. This post is crafted in plain American English, goes beneath the surface, and includes code insights for curious sysadmins and security engineers.
Summary – What Happened?
On Mellanox Spectrum-4-based systems, some special commands to check or clear shared buffer occupancy could corrupt memory—due to mishandled port number calculations in a kernel driver. The kernel’s memory manager (KASAN, Kernel Address Sanitizer) caught the error as a slab use-after-free.
The issue is tracked as CVE-2024-42073, and was fixed in recent Linux kernel patches.
Affected: Mellanox Spectrum-4 (high-end Ethernet switches) running Linux with mlxsw driver.
- Risk: Local attackers (with access to devlink or similar interfaces) could cause memory corruption in the kernel.
Impact: Kernel crashes (DoS), or in some scenarios, possibly execute code within the kernel.
- Trigger: Running buffer occupancy snapshot/clear on devices with more than 256 ports.
Background
Linux supports “shared buffer” monitoring on hardware switches using the devlink tool, which queries buffer utilization per port.
Commands:
devlink sb occupancy snapshot pci/000:01:00.
devlink sb occupancy clearmax pci/000:01:00.
On Spectrum-4, the “Shared Buffer Status Register” (SBSR) has two 256-bit masks that cover 256 ports. Starting from Spectrum-4, the switch can have more than 256 ports, so a new “port_page” field was added to handle larger port ranges.
Bug: The driver should compute port indexes *relative* to the port page, not as absolute numbers. Using absolute numbers caused driver code to write outside expected memory boundaries—classic buffer overrun.
Here’s a section of the reported crash
BUG: KASAN: slab-use-after-free in mlxsw_sp_sb_occ_snapshot+xb6d/xbc
Read of size 1 at addr ffff8881068cb00f by task devlink/1566
KASAN (Kernel Address SANitizer) detected a use-after-free during a buffer occupancy operation.
If you have shell/root on an affected machine, use
devlink sb occupancy snapshot pci/000:01:00.
On a system with >256 ports (Spectrum-4), this command could corrupt memory by accessing freed memory.
Vulnerable Code Snippet
(Simplified, for illustration—not full driver code)
// Incorrect (vulnerable)
register->mask = 1 << absolute_port_number; // Wrong: could overflow mask array
// Correct (fixed)
u32 relative_port = absolute_port_number - port_page_first_port;
register->mask = 1 << relative_port; // Properly indexed within the current port page
The bug comes from not subtracting the page’s starting port, so values go well out of bounds.
Triggers buffer operations on Spectrum-4 switch.
- Driver writes out of memory bounds. Most commonly, this causes a kernel panic; in rare cases, it could be leveraged for code execution (theoretically).
- Requires a custom kernel or hardware, so real-world exploits are limited to advanced attackers or insiders.
The Fix
The developer’s patch ensures port numbers are calculated *relative* to their port page base—so the shared buffer register operations stay in-bounds.
Fix commit:
mlxsw: spectrum_buffers: Fix memory corruptions on Spectrum-4 systems
Original Fix and Discussion:
devlink Utility Documentation:
CVE Record:
Linux KASAN Documentation:
If you run Mellanox-based switches using Linux, update your kernel ASAP.
- Only local users with devlink or netadmin privileges can reliably trigger this, but remote exploits could be possible (with other vulnerabilities combined).
- Kernel use-after-free and buffer overflow bugs are always serious; this one is hardware-specific but high-impact for those affected.
Want to Dig Deeper?
Check out the full Linux kernel git history for more changes to mlxsw.
Stay safe, patch quickly, and keep those kernel drivers up to date!
*This analysis is original, focusing on explanatory clarity and code insights. For questions or details about Spectrum-4 architecture or the mlxsw driver, leave a comment below or reach out directly.*
Timeline
Published on: 07/29/2024 16:15:06 UTC
Last modified on: 08/02/2024 04:54:32 UTC