FKIE_CVE-2023-54216
Vulnerability from fkie_nvd - Published: 2025-12-30 13:16 - Updated: 2025-12-30 13:16
Summary
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: TC, Fix using eswitch mapping in nic mode

Cited patch is using the eswitch object mapping pool while
in nic mode where it isn't initialized. This results in the
trace below [0].

Fix that by using either nic or eswitch object mapping pool
depending if eswitch is enabled or not.

[0]:
[ 826.446057] ==================================================================
[ 826.446729] BUG: KASAN: slab-use-after-free in mlx5_add_flow_rules+0x30/0x490 [mlx5_core]
[ 826.447515] Read of size 8 at addr ffff888194485830 by task tc/6233
[ 826.448243] CPU: 16 PID: 6233 Comm: tc Tainted: G W 6.3.0-rc6+ #1
[ 826.448890] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[ 826.449785] Call Trace:
[ 826.450052] <TASK>
[ 826.450302] dump_stack_lvl+0x33/0x50
[ 826.450650] print_report+0xc2/0x610
[ 826.450998] ? __virt_addr_valid+0xb1/0x130
[ 826.451385] ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core]
[ 826.451935] kasan_report+0xae/0xe0
[ 826.452276] ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core]
[ 826.452829] mlx5_add_flow_rules+0x30/0x490 [mlx5_core]
[ 826.453368] ? __kmalloc_node+0x5a/0x120
[ 826.453733] esw_add_restore_rule+0x20f/0x270 [mlx5_core]
[ 826.454288] ? mlx5_eswitch_add_send_to_vport_meta_rule+0x260/0x260 [mlx5_core]
[ 826.455011] ? mutex_unlock+0x80/0xd0
[ 826.455361] ? __mutex_unlock_slowpath.constprop.0+0x210/0x210
[ 826.455862] ? mapping_add+0x2cb/0x440 [mlx5_core]
[ 826.456425] mlx5e_tc_action_miss_mapping_get+0x139/0x180 [mlx5_core]
[ 826.457058] ? mlx5e_tc_update_skb_nic+0xb0/0xb0 [mlx5_core]
[ 826.457636] ? __kasan_kmalloc+0x77/0x90
[ 826.458000] ? __kmalloc+0x57/0x120
[ 826.458336] mlx5_tc_ct_flow_offload+0x325/0xe40 [mlx5_core]
[ 826.458916] ? ct_kernel_enter.constprop.0+0x48/0xa0
[ 826.459360] ? mlx5_tc_ct_parse_action+0xf0/0xf0 [mlx5_core]
[ 826.459933] ? mlx5e_mod_hdr_attach+0x491/0x520 [mlx5_core]
[ 826.460507] ? mlx5e_mod_hdr_get+0x12/0x20 [mlx5_core]
[ 826.461046] ? mlx5e_tc_attach_mod_hdr+0x154/0x170 [mlx5_core]
[ 826.461635] mlx5e_configure_flower+0x969/0x2110 [mlx5_core]
[ 826.462217] ? _raw_spin_lock_bh+0x85/0xe0
[ 826.462597] ? __mlx5e_add_fdb_flow+0x750/0x750 [mlx5_core]
[ 826.463163] ? kasan_save_stack+0x2e/0x40
[ 826.463534] ? down_read+0x115/0x1b0
[ 826.463878] ? down_write_killable+0x110/0x110
[ 826.464288] ? tc_setup_action.part.0+0x9f/0x3b0
[ 826.464701] ? mlx5e_is_uplink_rep+0x4c/0x90 [mlx5_core]
[ 826.465253] ? mlx5e_tc_reoffload_flows_work+0x130/0x130 [mlx5_core]
[ 826.465878] tc_setup_cb_add+0x112/0x250
[ 826.466247] fl_hw_replace_filter+0x230/0x310 [cls_flower]
[ 826.466724] ? fl_hw_destroy_filter+0x1a0/0x1a0 [cls_flower]
[ 826.467212] fl_change+0x14e1/0x2030 [cls_flower]
[ 826.467636] ? sock_def_readable+0x89/0x120
[ 826.468019] ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower]
[ 826.468509] ? kasan_unpoison+0x23/0x50
[ 826.468873] ? get_random_u16+0x180/0x180
[ 826.469244] ? __radix_tree_lookup+0x2b/0x130
[ 826.469640] ? fl_get+0x7b/0x140 [cls_flower]
[ 826.470042] ? fl_mask_put+0x200/0x200 [cls_flower]
[ 826.470478] ? __mutex_unlock_slowpath.constprop.0+0x210/0x210
[ 826.470973] ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower]
[ 826.471427] tc_new_tfilter+0x644/0x1050
[ 826.471795] ? tc_get_tfilter+0x860/0x860
[ 826.472170] ? __thaw_task+0x130/0x130
[ 826.472525] ? arch_stack_walk+0x98/0xf0
[ 826.472892] ? cap_capable+0x9f/0xd0
[ 826.473235] ? security_capable+0x47/0x60
[ 826.473608] rtnetlink_rcv_msg+0x1d5/0x550
[ 826.473985] ? rtnl_calcit.isra.0+0x1f0/0x1f0
[ 826.474383] ? __stack_depot_save+0x35/0x4c0
[ 826.474779] ? kasan_save_stack+0x2e/0x40
[ 826.475149] ? kasan_save_stack+0x1e/0x40
[ 826.475518] ? __kasan_record_aux_stack+0x9f/0xb0
[ 826.475939] ? task_work_add+0x77/0x1c0
[ 826.476305] netlink_rcv_skb+0xe0/0x210
---truncated---
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: TC, Fix using eswitch mapping in nic mode\n\nCited patch is using the eswitch object mapping pool while\nin nic mode where it isn\u0027t initialized. This results in the\ntrace below [0].\n\nFix that by using either nic or eswitch object mapping pool\ndepending if eswitch is enabled or not.\n\n[0]:\n[ 826.446057] ==================================================================\n[ 826.446729] BUG: KASAN: slab-use-after-free in mlx5_add_flow_rules+0x30/0x490 [mlx5_core]\n[ 826.447515] Read of size 8 at addr ffff888194485830 by task tc/6233\n\n[ 826.448243] CPU: 16 PID: 6233 Comm: tc Tainted: G W 6.3.0-rc6+ #1\n[ 826.448890] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 826.449785] Call Trace:\n[ 826.450052] \u003cTASK\u003e\n[ 826.450302] dump_stack_lvl+0x33/0x50\n[ 826.450650] print_report+0xc2/0x610\n[ 826.450998] ? __virt_addr_valid+0xb1/0x130\n[ 826.451385] ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core]\n[ 826.451935] kasan_report+0xae/0xe0\n[ 826.452276] ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core]\n[ 826.452829] mlx5_add_flow_rules+0x30/0x490 [mlx5_core]\n[ 826.453368] ? __kmalloc_node+0x5a/0x120\n[ 826.453733] esw_add_restore_rule+0x20f/0x270 [mlx5_core]\n[ 826.454288] ? mlx5_eswitch_add_send_to_vport_meta_rule+0x260/0x260 [mlx5_core]\n[ 826.455011] ? mutex_unlock+0x80/0xd0\n[ 826.455361] ? __mutex_unlock_slowpath.constprop.0+0x210/0x210\n[ 826.455862] ? mapping_add+0x2cb/0x440 [mlx5_core]\n[ 826.456425] mlx5e_tc_action_miss_mapping_get+0x139/0x180 [mlx5_core]\n[ 826.457058] ? mlx5e_tc_update_skb_nic+0xb0/0xb0 [mlx5_core]\n[ 826.457636] ? __kasan_kmalloc+0x77/0x90\n[ 826.458000] ? __kmalloc+0x57/0x120\n[ 826.458336] mlx5_tc_ct_flow_offload+0x325/0xe40 [mlx5_core]\n[ 826.458916] ? ct_kernel_enter.constprop.0+0x48/0xa0\n[ 826.459360] ? mlx5_tc_ct_parse_action+0xf0/0xf0 [mlx5_core]\n[ 826.459933] ? mlx5e_mod_hdr_attach+0x491/0x520 [mlx5_core]\n[ 826.460507] ? mlx5e_mod_hdr_get+0x12/0x20 [mlx5_core]\n[ 826.461046] ? mlx5e_tc_attach_mod_hdr+0x154/0x170 [mlx5_core]\n[ 826.461635] mlx5e_configure_flower+0x969/0x2110 [mlx5_core]\n[ 826.462217] ? _raw_spin_lock_bh+0x85/0xe0\n[ 826.462597] ? __mlx5e_add_fdb_flow+0x750/0x750 [mlx5_core]\n[ 826.463163] ? kasan_save_stack+0x2e/0x40\n[ 826.463534] ? down_read+0x115/0x1b0\n[ 826.463878] ? down_write_killable+0x110/0x110\n[ 826.464288] ? tc_setup_action.part.0+0x9f/0x3b0\n[ 826.464701] ? mlx5e_is_uplink_rep+0x4c/0x90 [mlx5_core]\n[ 826.465253] ? mlx5e_tc_reoffload_flows_work+0x130/0x130 [mlx5_core]\n[ 826.465878] tc_setup_cb_add+0x112/0x250\n[ 826.466247] fl_hw_replace_filter+0x230/0x310 [cls_flower]\n[ 826.466724] ? fl_hw_destroy_filter+0x1a0/0x1a0 [cls_flower]\n[ 826.467212] fl_change+0x14e1/0x2030 [cls_flower]\n[ 826.467636] ? sock_def_readable+0x89/0x120\n[ 826.468019] ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower]\n[ 826.468509] ? kasan_unpoison+0x23/0x50\n[ 826.468873] ? get_random_u16+0x180/0x180\n[ 826.469244] ? __radix_tree_lookup+0x2b/0x130\n[ 826.469640] ? fl_get+0x7b/0x140 [cls_flower]\n[ 826.470042] ? fl_mask_put+0x200/0x200 [cls_flower]\n[ 826.470478] ? __mutex_unlock_slowpath.constprop.0+0x210/0x210\n[ 826.470973] ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower]\n[ 826.471427] tc_new_tfilter+0x644/0x1050\n[ 826.471795] ? tc_get_tfilter+0x860/0x860\n[ 826.472170] ? __thaw_task+0x130/0x130\n[ 826.472525] ? arch_stack_walk+0x98/0xf0\n[ 826.472892] ? cap_capable+0x9f/0xd0\n[ 826.473235] ? security_capable+0x47/0x60\n[ 826.473608] rtnetlink_rcv_msg+0x1d5/0x550\n[ 826.473985] ? rtnl_calcit.isra.0+0x1f0/0x1f0\n[ 826.474383] ? __stack_depot_save+0x35/0x4c0\n[ 826.474779] ? kasan_save_stack+0x2e/0x40\n[ 826.475149] ? kasan_save_stack+0x1e/0x40\n[ 826.475518] ? __kasan_record_aux_stack+0x9f/0xb0\n[ 826.475939] ? task_work_add+0x77/0x1c0\n[ 826.476305] netlink_rcv_skb+0xe0/0x210\n---truncated---"
}
],
"id": "CVE-2023-54216",
"lastModified": "2025-12-30T13:16:09.850",
"metrics": {},
"published": "2025-12-30T13:16:09.850",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/4150441c010dec36abc389828e2e4758bd8ad4b3"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/dfa1e46d6093831b9d49f0f350227a1d13644a2f"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Received"
}