CVE-2024-43880 (GCVE-0-2024-43880)

Vulnerability from cvelistv5 – Published: 2024-08-21 00:06 – Updated: 2026-05-11 20:31
VLAI
Title
mlxsw: spectrum_acl_erp: Fix object nesting warning
Summary
In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_erp: Fix object nesting warning ACLs in Spectrum-2 and newer ASICs can reside in the algorithmic TCAM (A-TCAM) or in the ordinary circuit TCAM (C-TCAM). The former can contain more ACLs (i.e., tc filters), but the number of masks in each region (i.e., tc chain) is limited. In order to mitigate the effects of the above limitation, the device allows filters to share a single mask if their masks only differ in up to 8 consecutive bits. For example, dst_ip/25 can be represented using dst_ip/24 with a delta of 1 bit. The C-TCAM does not have a limit on the number of masks being used (and therefore does not support mask aggregation), but can contain a limited number of filters. The driver uses the "objagg" library to perform the mask aggregation by passing it objects that consist of the filter's mask and whether the filter is to be inserted into the A-TCAM or the C-TCAM since filters in different TCAMs cannot share a mask. The set of created objects is dependent on the insertion order of the filters and is not necessarily optimal. Therefore, the driver will periodically ask the library to compute a more optimal set ("hints") by looking at all the existing objects. When the library asks the driver whether two objects can be aggregated the driver only compares the provided masks and ignores the A-TCAM / C-TCAM indication. This is the right thing to do since the goal is to move as many filters as possible to the A-TCAM. The driver also forbids two identical masks from being aggregated since this can only happen if one was intentionally put in the C-TCAM to avoid a conflict in the A-TCAM. The above can result in the following set of hints: H1: {mask X, A-TCAM} -> H2: {mask Y, A-TCAM} // X is Y + delta H3: {mask Y, C-TCAM} -> H4: {mask Z, A-TCAM} // Y is Z + delta After getting the hints from the library the driver will start migrating filters from one region to another while consulting the computed hints and instructing the device to perform a lookup in both regions during the transition. Assuming a filter with mask X is being migrated into the A-TCAM in the new region, the hints lookup will return H1. Since H2 is the parent of H1, the library will try to find the object associated with it and create it if necessary in which case another hints lookup (recursive) will be performed. This hints lookup for {mask Y, A-TCAM} will either return H2 or H3 since the driver passes the library an object comparison function that ignores the A-TCAM / C-TCAM indication. This can eventually lead to nested objects which are not supported by the library [1]. Fix by removing the object comparison function from both the driver and the library as the driver was the only user. That way the lookup will only return exact matches. I do not have a reliable reproducer that can reproduce the issue in a timely manner, but before the fix the issue would reproduce in several minutes and with the fix it does not reproduce in over an hour. Note that the current usefulness of the hints is limited because they include the C-TCAM indication and represent aggregation that cannot actually happen. This will be addressed in net-next. [1] WARNING: CPU: 0 PID: 153 at lib/objagg.c:170 objagg_obj_parent_assign+0xb5/0xd0 Modules linked in: CPU: 0 PID: 153 Comm: kworker/0:18 Not tainted 6.9.0-rc6-custom-g70fbc2c1c38b #42 Hardware name: Mellanox Technologies Ltd. MSN3700C/VMOD0008, BIOS 5.11 10/10/2018 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work RIP: 0010:objagg_obj_parent_assign+0xb5/0xd0 [...] Call Trace: <TASK> __objagg_obj_get+0x2bb/0x580 objagg_obj_get+0xe/0x80 mlxsw_sp_acl_erp_mask_get+0xb5/0xf0 mlxsw_sp_acl_atcam_entry_add+0xe8/0x3c0 mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0 mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270 mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510 process_one_work+0x151/0x370
Severity
No CVSS data available.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 9069a3817d82b01b3a55da382c774e3575946130 , < 4dc09f6f260db3c4565a4ec52ba369393598f2fb (git)
Affected: 9069a3817d82b01b3a55da382c774e3575946130 , < 36a9996e020dd5aa325e0ecc55eb2328288ea6bb (git)
Affected: 9069a3817d82b01b3a55da382c774e3575946130 , < 9a5261a984bba4f583d966c550fa72c33ff3714e (git)
Affected: 9069a3817d82b01b3a55da382c774e3575946130 , < 25c6fd9648ad05da493a5d30881896a78a08b624 (git)
Affected: 9069a3817d82b01b3a55da382c774e3575946130 , < 0e59c2d22853266704e127915653598f7f104037 (git)
Affected: 9069a3817d82b01b3a55da382c774e3575946130 , < fb5d4fc578e655d113f09565f6f047e15f7ab578 (git)
Affected: 9069a3817d82b01b3a55da382c774e3575946130 , < 97d833ceb27dc19f8777d63f90be4a27b5daeedf (git)
Create a notification for this product.
Linux Linux Affected: 5.1
Unaffected: 0 , < 5.1 (semver)
Unaffected: 5.4.282 , ≤ 5.4.* (semver)
Unaffected: 5.10.224 , ≤ 5.10.* (semver)
Unaffected: 5.15.165 , ≤ 5.15.* (semver)
Unaffected: 6.1.103 , ≤ 6.1.* (semver)
Unaffected: 6.6.44 , ≤ 6.6.* (semver)
Unaffected: 6.10.3 , ≤ 6.10.* (semver)
Unaffected: 6.11 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-43880",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T16:05:51.322073Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T17:33:17.371Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T22:06:33.576Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_erp.c",
            "include/linux/objagg.h",
            "lib/objagg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4dc09f6f260db3c4565a4ec52ba369393598f2fb",
              "status": "affected",
              "version": "9069a3817d82b01b3a55da382c774e3575946130",
              "versionType": "git"
            },
            {
              "lessThan": "36a9996e020dd5aa325e0ecc55eb2328288ea6bb",
              "status": "affected",
              "version": "9069a3817d82b01b3a55da382c774e3575946130",
              "versionType": "git"
            },
            {
              "lessThan": "9a5261a984bba4f583d966c550fa72c33ff3714e",
              "status": "affected",
              "version": "9069a3817d82b01b3a55da382c774e3575946130",
              "versionType": "git"
            },
            {
              "lessThan": "25c6fd9648ad05da493a5d30881896a78a08b624",
              "status": "affected",
              "version": "9069a3817d82b01b3a55da382c774e3575946130",
              "versionType": "git"
            },
            {
              "lessThan": "0e59c2d22853266704e127915653598f7f104037",
              "status": "affected",
              "version": "9069a3817d82b01b3a55da382c774e3575946130",
              "versionType": "git"
            },
            {
              "lessThan": "fb5d4fc578e655d113f09565f6f047e15f7ab578",
              "status": "affected",
              "version": "9069a3817d82b01b3a55da382c774e3575946130",
              "versionType": "git"
            },
            {
              "lessThan": "97d833ceb27dc19f8777d63f90be4a27b5daeedf",
              "status": "affected",
              "version": "9069a3817d82b01b3a55da382c774e3575946130",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_erp.c",
            "include/linux/objagg.h",
            "lib/objagg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.1"
            },
            {
              "lessThan": "5.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.282",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.224",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.165",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.282",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.224",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.165",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.103",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.44",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.3",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_erp: Fix object nesting warning\n\nACLs in Spectrum-2 and newer ASICs can reside in the algorithmic TCAM\n(A-TCAM) or in the ordinary circuit TCAM (C-TCAM). The former can\ncontain more ACLs (i.e., tc filters), but the number of masks in each\nregion (i.e., tc chain) is limited.\n\nIn order to mitigate the effects of the above limitation, the device\nallows filters to share a single mask if their masks only differ in up\nto 8 consecutive bits. For example, dst_ip/25 can be represented using\ndst_ip/24 with a delta of 1 bit. The C-TCAM does not have a limit on the\nnumber of masks being used (and therefore does not support mask\naggregation), but can contain a limited number of filters.\n\nThe driver uses the \"objagg\" library to perform the mask aggregation by\npassing it objects that consist of the filter\u0027s mask and whether the\nfilter is to be inserted into the A-TCAM or the C-TCAM since filters in\ndifferent TCAMs cannot share a mask.\n\nThe set of created objects is dependent on the insertion order of the\nfilters and is not necessarily optimal. Therefore, the driver will\nperiodically ask the library to compute a more optimal set (\"hints\") by\nlooking at all the existing objects.\n\nWhen the library asks the driver whether two objects can be aggregated\nthe driver only compares the provided masks and ignores the A-TCAM /\nC-TCAM indication. This is the right thing to do since the goal is to\nmove as many filters as possible to the A-TCAM. The driver also forbids\ntwo identical masks from being aggregated since this can only happen if\none was intentionally put in the C-TCAM to avoid a conflict in the\nA-TCAM.\n\nThe above can result in the following set of hints:\n\nH1: {mask X, A-TCAM} -\u003e H2: {mask Y, A-TCAM} // X is Y + delta\nH3: {mask Y, C-TCAM} -\u003e H4: {mask Z, A-TCAM} // Y is Z + delta\n\nAfter getting the hints from the library the driver will start migrating\nfilters from one region to another while consulting the computed hints\nand instructing the device to perform a lookup in both regions during\nthe transition.\n\nAssuming a filter with mask X is being migrated into the A-TCAM in the\nnew region, the hints lookup will return H1. Since H2 is the parent of\nH1, the library will try to find the object associated with it and\ncreate it if necessary in which case another hints lookup (recursive)\nwill be performed. This hints lookup for {mask Y, A-TCAM} will either\nreturn H2 or H3 since the driver passes the library an object comparison\nfunction that ignores the A-TCAM / C-TCAM indication.\n\nThis can eventually lead to nested objects which are not supported by\nthe library [1].\n\nFix by removing the object comparison function from both the driver and\nthe library as the driver was the only user. That way the lookup will\nonly return exact matches.\n\nI do not have a reliable reproducer that can reproduce the issue in a\ntimely manner, but before the fix the issue would reproduce in several\nminutes and with the fix it does not reproduce in over an hour.\n\nNote that the current usefulness of the hints is limited because they\ninclude the C-TCAM indication and represent aggregation that cannot\nactually happen. This will be addressed in net-next.\n\n[1]\nWARNING: CPU: 0 PID: 153 at lib/objagg.c:170 objagg_obj_parent_assign+0xb5/0xd0\nModules linked in:\nCPU: 0 PID: 153 Comm: kworker/0:18 Not tainted 6.9.0-rc6-custom-g70fbc2c1c38b #42\nHardware name: Mellanox Technologies Ltd. MSN3700C/VMOD0008, BIOS 5.11 10/10/2018\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:objagg_obj_parent_assign+0xb5/0xd0\n[...]\nCall Trace:\n \u003cTASK\u003e\n __objagg_obj_get+0x2bb/0x580\n objagg_obj_get+0xe/0x80\n mlxsw_sp_acl_erp_mask_get+0xb5/0xf0\n mlxsw_sp_acl_atcam_entry_add+0xe8/0x3c0\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\n mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270\n mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510\n process_one_work+0x151/0x370"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:31:36.797Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4dc09f6f260db3c4565a4ec52ba369393598f2fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/36a9996e020dd5aa325e0ecc55eb2328288ea6bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/9a5261a984bba4f583d966c550fa72c33ff3714e"
        },
        {
          "url": "https://git.kernel.org/stable/c/25c6fd9648ad05da493a5d30881896a78a08b624"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e59c2d22853266704e127915653598f7f104037"
        },
        {
          "url": "https://git.kernel.org/stable/c/fb5d4fc578e655d113f09565f6f047e15f7ab578"
        },
        {
          "url": "https://git.kernel.org/stable/c/97d833ceb27dc19f8777d63f90be4a27b5daeedf"
        }
      ],
      "title": "mlxsw: spectrum_acl_erp: Fix object nesting warning",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-43880",
    "datePublished": "2024-08-21T00:06:32.562Z",
    "dateReserved": "2024-08-17T09:11:59.287Z",
    "dateUpdated": "2026-05-11T20:31:36.797Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-43880",
      "date": "2026-06-02",
      "epss": "0.00018",
      "percentile": "0.04745"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-43880\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-08-21T01:15:12.213\",\"lastModified\":\"2025-11-03T22:18:15.883\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxsw: spectrum_acl_erp: Fix object nesting warning\\n\\nACLs in Spectrum-2 and newer ASICs can reside in the algorithmic TCAM\\n(A-TCAM) or in the ordinary circuit TCAM (C-TCAM). The former can\\ncontain more ACLs (i.e., tc filters), but the number of masks in each\\nregion (i.e., tc chain) is limited.\\n\\nIn order to mitigate the effects of the above limitation, the device\\nallows filters to share a single mask if their masks only differ in up\\nto 8 consecutive bits. For example, dst_ip/25 can be represented using\\ndst_ip/24 with a delta of 1 bit. The C-TCAM does not have a limit on the\\nnumber of masks being used (and therefore does not support mask\\naggregation), but can contain a limited number of filters.\\n\\nThe driver uses the \\\"objagg\\\" library to perform the mask aggregation by\\npassing it objects that consist of the filter\u0027s mask and whether the\\nfilter is to be inserted into the A-TCAM or the C-TCAM since filters in\\ndifferent TCAMs cannot share a mask.\\n\\nThe set of created objects is dependent on the insertion order of the\\nfilters and is not necessarily optimal. Therefore, the driver will\\nperiodically ask the library to compute a more optimal set (\\\"hints\\\") by\\nlooking at all the existing objects.\\n\\nWhen the library asks the driver whether two objects can be aggregated\\nthe driver only compares the provided masks and ignores the A-TCAM /\\nC-TCAM indication. This is the right thing to do since the goal is to\\nmove as many filters as possible to the A-TCAM. The driver also forbids\\ntwo identical masks from being aggregated since this can only happen if\\none was intentionally put in the C-TCAM to avoid a conflict in the\\nA-TCAM.\\n\\nThe above can result in the following set of hints:\\n\\nH1: {mask X, A-TCAM} -\u003e H2: {mask Y, A-TCAM} // X is Y + delta\\nH3: {mask Y, C-TCAM} -\u003e H4: {mask Z, A-TCAM} // Y is Z + delta\\n\\nAfter getting the hints from the library the driver will start migrating\\nfilters from one region to another while consulting the computed hints\\nand instructing the device to perform a lookup in both regions during\\nthe transition.\\n\\nAssuming a filter with mask X is being migrated into the A-TCAM in the\\nnew region, the hints lookup will return H1. Since H2 is the parent of\\nH1, the library will try to find the object associated with it and\\ncreate it if necessary in which case another hints lookup (recursive)\\nwill be performed. This hints lookup for {mask Y, A-TCAM} will either\\nreturn H2 or H3 since the driver passes the library an object comparison\\nfunction that ignores the A-TCAM / C-TCAM indication.\\n\\nThis can eventually lead to nested objects which are not supported by\\nthe library [1].\\n\\nFix by removing the object comparison function from both the driver and\\nthe library as the driver was the only user. That way the lookup will\\nonly return exact matches.\\n\\nI do not have a reliable reproducer that can reproduce the issue in a\\ntimely manner, but before the fix the issue would reproduce in several\\nminutes and with the fix it does not reproduce in over an hour.\\n\\nNote that the current usefulness of the hints is limited because they\\ninclude the C-TCAM indication and represent aggregation that cannot\\nactually happen. This will be addressed in net-next.\\n\\n[1]\\nWARNING: CPU: 0 PID: 153 at lib/objagg.c:170 objagg_obj_parent_assign+0xb5/0xd0\\nModules linked in:\\nCPU: 0 PID: 153 Comm: kworker/0:18 Not tainted 6.9.0-rc6-custom-g70fbc2c1c38b #42\\nHardware name: Mellanox Technologies Ltd. MSN3700C/VMOD0008, BIOS 5.11 10/10/2018\\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\\nRIP: 0010:objagg_obj_parent_assign+0xb5/0xd0\\n[...]\\nCall Trace:\\n \u003cTASK\u003e\\n __objagg_obj_get+0x2bb/0x580\\n objagg_obj_get+0xe/0x80\\n mlxsw_sp_acl_erp_mask_get+0xb5/0xf0\\n mlxsw_sp_acl_atcam_entry_add+0xe8/0x3c0\\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\\n mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270\\n mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510\\n process_one_work+0x151/0x370\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mlxsw: espectro_acl_erp: corrige la advertencia de anidamiento de objetos. Las ACL en Spectrum-2 y los ASIC m\u00e1s nuevos pueden residir en el TCAM algor\u00edtmico (A-TCAM) o en el TCAM de circuito ordinario (C-TCAM). El primero puede contener m\u00e1s ACL (es decir, filtros tc), pero el n\u00famero de m\u00e1scaras en cada regi\u00f3n (es decir, cadena tc) es limitado. Para mitigar los efectos de la limitaci\u00f3n anterior, el dispositivo permite que los filtros compartan una \u00fanica m\u00e1scara si sus m\u00e1scaras solo difieren en hasta 8 bits consecutivos. Por ejemplo, dst_ip/25 se puede representar usando dst_ip/24 con un delta de 1 bit. C-TCAM no tiene un l\u00edmite en la cantidad de m\u00e1scaras que se utilizan (y por lo tanto no admite la agregaci\u00f3n de m\u00e1scaras), pero puede contener una cantidad limitada de filtros. El controlador utiliza la librer\u00eda \\\"objagg\\\" para realizar la agregaci\u00f3n de m\u00e1scaras pas\u00e1ndole objetos que constan de la m\u00e1scara del filtro y si el filtro se insertar\u00e1 en la A-TCAM o en la C-TCAM, ya que los filtros en diferentes TCAM no pueden compartir una m\u00e1scara. El conjunto de objetos creados depende del orden de inserci\u00f3n de los filtros y no es necesariamente \u00f3ptimo. Por lo tanto, el controlador solicitar\u00e1 peri\u00f3dicamente a la librer\u00eda que calcule un conjunto m\u00e1s \u00f3ptimo (\\\"sugerencias\\\") observando todos los objetos existentes. Cuando la librer\u00eda pregunta al controlador si se pueden agregar dos objetos, el controlador solo compara las m\u00e1scaras proporcionadas e ignora la indicaci\u00f3n A-TCAM/C-TCAM. Esto es lo correcto ya que el objetivo es mover tantos filtros como sea posible a la A-TCAM. El driver tambi\u00e9n proh\u00edbe agregar dos m\u00e1scaras id\u00e9nticas, ya que esto solo puede suceder si una se coloc\u00f3 intencionalmente en la C-TCAM para evitar un conflicto en la A-TCAM. Lo anterior puede dar como resultado el siguiente conjunto de sugerencias: H1: {m\u00e1scara X, A-TCAM} -\u0026gt; H2: {m\u00e1scara Y, A-TCAM} // X es Y + delta H3: {m\u00e1scara Y, C-TCAM} -\u0026gt; H4: {m\u00e1scara Z, A-TCAM} // Y es Z + delta Despu\u00e9s de obtener las sugerencias de la librer\u00eda, el controlador comenzar\u00e1 a migrar filtros de una regi\u00f3n a otra mientras consulta las sugerencias calculadas e indica al dispositivo que realice una b\u00fasqueda. en ambas regiones durante la transici\u00f3n. Suponiendo que se est\u00e1 migrando un filtro con m\u00e1scara X a la A-TCAM en la nueva regi\u00f3n, la b\u00fasqueda de sugerencias devolver\u00e1 H1. Dado que H2 es el padre de H1, la librer\u00eda intentar\u00e1 encontrar el objeto asociado con \u00e9l y crearlo si es necesario, en cuyo caso se realizar\u00e1 otra b\u00fasqueda de sugerencias (recursiva). Esta b\u00fasqueda de sugerencias para {m\u00e1scara Y, A-TCAM} devolver\u00e1 H2 o H3 ya que el controlador pasa a la librer\u00eda una funci\u00f3n de comparaci\u00f3n de objetos que ignora la indicaci\u00f3n A-TCAM/C-TCAM. En \u00faltima instancia, esto puede conducir a objetos anidados que no son compatibles con la librer\u00eda [1]. Para solucionarlo, elimine la funci\u00f3n de comparaci\u00f3n de objetos tanto del controlador como de la librer\u00eda, ya que el controlador era el \u00fanico usuario. De esa forma, la b\u00fasqueda solo arrojar\u00e1 coincidencias exactas. No tengo un reproductor confiable que pueda reproducir el problema de manera oportuna, pero antes de solucionarlo, el problema se reproduc\u00eda en varios minutos y con la soluci\u00f3n no se reproduce en m\u00e1s de una hora. Tenga en cuenta que la utilidad actual de las sugerencias es limitada porque incluyen la indicaci\u00f3n C-TCAM y representan una agregaci\u00f3n que en realidad no puede ocurrir. Esto se abordar\u00e1 en net-next. [1] ADVERTENCIA: CPU: 0 PID: 153 en lib/objagg.c:170 objagg_obj_parent_assign+0xb5/0xd0 M\u00f3dulos vinculados en: CPU: 0 PID: 153 Comm: kworker/0:18 No contaminado 6.9.0-rc6-custom -g70fbc2c1c38b #42 Nombre del hardware: Mellanox Technologies Ltd. MSN3700C/VMOD0008, BIOS 5.11 10/10/2018 Cola de trabajo: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work RIP: 0010:objagg_obj_parent_assign+0xb5/0xd0 [...] Seguimiento de llamadas: \u0026lt; TAREA\u0026gt; ---truncado----\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-401\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.1\",\"versionEndExcluding\":\"5.4.282\",\"matchCriteriaId\":\"FF8FDC23-E162-4584-863E-E5FC0D64DF66\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.224\",\"matchCriteriaId\":\"5CCEDF13-293D-4E64-B501-4409D0365AFE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.165\",\"matchCriteriaId\":\"B4E2B568-3171-41DE-B519-F2B1A3600D94\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.103\",\"matchCriteriaId\":\"E45EAC72-8329-4F99-8276-86AF9BB3496A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.44\",\"matchCriteriaId\":\"CC912330-6B41-4C6B-99AF-F3857FBACB6A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.10.3\",\"matchCriteriaId\":\"92D388F2-1EAF-4CFA-AC06-5B26D762EA7D\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0e59c2d22853266704e127915653598f7f104037\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/25c6fd9648ad05da493a5d30881896a78a08b624\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/36a9996e020dd5aa325e0ecc55eb2328288ea6bb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4dc09f6f260db3c4565a4ec52ba369393598f2fb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/97d833ceb27dc19f8777d63f90be4a27b5daeedf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/9a5261a984bba4f583d966c550fa72c33ff3714e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/fb5d4fc578e655d113f09565f6f047e15f7ab578\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T22:06:33.576Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-43880\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T16:05:51.322073Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-11T12:42:22.586Z\"}}], \"cna\": {\"title\": \"mlxsw: spectrum_acl_erp: Fix object nesting warning\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"9069a3817d82b01b3a55da382c774e3575946130\", \"lessThan\": \"4dc09f6f260db3c4565a4ec52ba369393598f2fb\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9069a3817d82b01b3a55da382c774e3575946130\", \"lessThan\": \"36a9996e020dd5aa325e0ecc55eb2328288ea6bb\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9069a3817d82b01b3a55da382c774e3575946130\", \"lessThan\": \"9a5261a984bba4f583d966c550fa72c33ff3714e\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9069a3817d82b01b3a55da382c774e3575946130\", \"lessThan\": \"25c6fd9648ad05da493a5d30881896a78a08b624\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9069a3817d82b01b3a55da382c774e3575946130\", \"lessThan\": \"0e59c2d22853266704e127915653598f7f104037\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9069a3817d82b01b3a55da382c774e3575946130\", \"lessThan\": \"fb5d4fc578e655d113f09565f6f047e15f7ab578\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9069a3817d82b01b3a55da382c774e3575946130\", \"lessThan\": \"97d833ceb27dc19f8777d63f90be4a27b5daeedf\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_erp.c\", \"include/linux/objagg.h\", \"lib/objagg.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.1\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.1\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.4.282\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.224\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.165\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.103\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.44\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.10.3\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.10.*\"}, {\"status\": \"unaffected\", \"version\": \"6.11\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_erp.c\", \"include/linux/objagg.h\", \"lib/objagg.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/4dc09f6f260db3c4565a4ec52ba369393598f2fb\"}, {\"url\": \"https://git.kernel.org/stable/c/36a9996e020dd5aa325e0ecc55eb2328288ea6bb\"}, {\"url\": \"https://git.kernel.org/stable/c/9a5261a984bba4f583d966c550fa72c33ff3714e\"}, {\"url\": \"https://git.kernel.org/stable/c/25c6fd9648ad05da493a5d30881896a78a08b624\"}, {\"url\": \"https://git.kernel.org/stable/c/0e59c2d22853266704e127915653598f7f104037\"}, {\"url\": \"https://git.kernel.org/stable/c/fb5d4fc578e655d113f09565f6f047e15f7ab578\"}, {\"url\": \"https://git.kernel.org/stable/c/97d833ceb27dc19f8777d63f90be4a27b5daeedf\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxsw: spectrum_acl_erp: Fix object nesting warning\\n\\nACLs in Spectrum-2 and newer ASICs can reside in the algorithmic TCAM\\n(A-TCAM) or in the ordinary circuit TCAM (C-TCAM). The former can\\ncontain more ACLs (i.e., tc filters), but the number of masks in each\\nregion (i.e., tc chain) is limited.\\n\\nIn order to mitigate the effects of the above limitation, the device\\nallows filters to share a single mask if their masks only differ in up\\nto 8 consecutive bits. For example, dst_ip/25 can be represented using\\ndst_ip/24 with a delta of 1 bit. The C-TCAM does not have a limit on the\\nnumber of masks being used (and therefore does not support mask\\naggregation), but can contain a limited number of filters.\\n\\nThe driver uses the \\\"objagg\\\" library to perform the mask aggregation by\\npassing it objects that consist of the filter\u0027s mask and whether the\\nfilter is to be inserted into the A-TCAM or the C-TCAM since filters in\\ndifferent TCAMs cannot share a mask.\\n\\nThe set of created objects is dependent on the insertion order of the\\nfilters and is not necessarily optimal. Therefore, the driver will\\nperiodically ask the library to compute a more optimal set (\\\"hints\\\") by\\nlooking at all the existing objects.\\n\\nWhen the library asks the driver whether two objects can be aggregated\\nthe driver only compares the provided masks and ignores the A-TCAM /\\nC-TCAM indication. This is the right thing to do since the goal is to\\nmove as many filters as possible to the A-TCAM. The driver also forbids\\ntwo identical masks from being aggregated since this can only happen if\\none was intentionally put in the C-TCAM to avoid a conflict in the\\nA-TCAM.\\n\\nThe above can result in the following set of hints:\\n\\nH1: {mask X, A-TCAM} -\u003e H2: {mask Y, A-TCAM} // X is Y + delta\\nH3: {mask Y, C-TCAM} -\u003e H4: {mask Z, A-TCAM} // Y is Z + delta\\n\\nAfter getting the hints from the library the driver will start migrating\\nfilters from one region to another while consulting the computed hints\\nand instructing the device to perform a lookup in both regions during\\nthe transition.\\n\\nAssuming a filter with mask X is being migrated into the A-TCAM in the\\nnew region, the hints lookup will return H1. Since H2 is the parent of\\nH1, the library will try to find the object associated with it and\\ncreate it if necessary in which case another hints lookup (recursive)\\nwill be performed. This hints lookup for {mask Y, A-TCAM} will either\\nreturn H2 or H3 since the driver passes the library an object comparison\\nfunction that ignores the A-TCAM / C-TCAM indication.\\n\\nThis can eventually lead to nested objects which are not supported by\\nthe library [1].\\n\\nFix by removing the object comparison function from both the driver and\\nthe library as the driver was the only user. That way the lookup will\\nonly return exact matches.\\n\\nI do not have a reliable reproducer that can reproduce the issue in a\\ntimely manner, but before the fix the issue would reproduce in several\\nminutes and with the fix it does not reproduce in over an hour.\\n\\nNote that the current usefulness of the hints is limited because they\\ninclude the C-TCAM indication and represent aggregation that cannot\\nactually happen. This will be addressed in net-next.\\n\\n[1]\\nWARNING: CPU: 0 PID: 153 at lib/objagg.c:170 objagg_obj_parent_assign+0xb5/0xd0\\nModules linked in:\\nCPU: 0 PID: 153 Comm: kworker/0:18 Not tainted 6.9.0-rc6-custom-g70fbc2c1c38b #42\\nHardware name: Mellanox Technologies Ltd. MSN3700C/VMOD0008, BIOS 5.11 10/10/2018\\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\\nRIP: 0010:objagg_obj_parent_assign+0xb5/0xd0\\n[...]\\nCall Trace:\\n \u003cTASK\u003e\\n __objagg_obj_get+0x2bb/0x580\\n objagg_obj_get+0xe/0x80\\n mlxsw_sp_acl_erp_mask_get+0xb5/0xf0\\n mlxsw_sp_acl_atcam_entry_add+0xe8/0x3c0\\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\\n mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270\\n mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510\\n process_one_work+0x151/0x370\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.282\", \"versionStartIncluding\": \"5.1\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.224\", \"versionStartIncluding\": \"5.1\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.165\", \"versionStartIncluding\": \"5.1\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.103\", \"versionStartIncluding\": \"5.1\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.44\", \"versionStartIncluding\": \"5.1\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.10.3\", \"versionStartIncluding\": \"5.1\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.11\", \"versionStartIncluding\": \"5.1\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-11T20:31:36.797Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-43880\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-11T20:31:36.797Z\", \"dateReserved\": \"2024-08-17T09:11:59.287Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-08-21T00:06:32.562Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.