CVE-2024-56717: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

net: mscc: ocelot: fix incorrect IFH SRC_PORT field in ocelot_ifh_set_basic()

Packets injected by the CPU should have a SRC_PORT field equal to the CPU port module index in the Analyzer block (ocelot->num_phys_ports).

The blamed commit copied the ocelot_ifh_set_basic() call incorrectly from ocelot_xmit_common() in net/dsa/tag_ocelot.c. Instead of calling with "x", it calls with BIT_ULL(x), but the field is not a port mask, but rather a single port index.

[ side note: this is the technical debt of code duplication :( ]

The error used to be silent and doesn't appear to have other user-visible manifestations, but with new changes in the packing library, it now fails loudly as follows:

------------[ cut here ]------------
Cannot store 0x40 inside bits 46-43 - will truncate
sja1105 spi2.0: xmit timed out
WARNING: CPU: 1 PID: 102 at lib/packing.c:98 __pack+0x90/0x198
sja1105 spi2.0: timed out polling for tstamp
CPU: 1 UID: 0 PID: 102 Comm: felix_xmit Tainted: G W N 6.13.0-rc1-00372-gf706b85d972d-dirty #2605
Call trace:
 __pack+0x90/0x198 (P)
 __pack+0x90/0x198 (L)
 packing+0x78/0x98
 ocelot_ifh_set_basic+0x260/0x368
 ocelot_port_inject_frame+0xa8/0x250
 felix_port_deferred_xmit+0x14c/0x258
 kthread_worker_fn+0x134/0x350
 kthread+0x114/0x138

The code path pertains to the ocelot switchdev driver and to the felix secondary DSA tag protocol, ocelot-8021q. Here seen with ocelot-8021q.

The messenger (packing) is not really to blame, so fix the original commit instead.
AI Analysis
Technical Summary
CVE-2024-56717 is a vulnerability in the Linux kernel affecting the ocelot switchdev driver and the felix driver, which sit under the Distributed Switch Architecture (DSA) subsystem. The issue is incorrect handling of the IFH (Internal Frame Header) SRC_PORT field in ocelot_ifh_set_basic(). SRC_PORT is meant to carry a single port index, namely the CPU port module index within the Analyzer block (ocelot->num_phys_ports). Because the call was copied incorrectly from ocelot_xmit_common() in net/dsa/tag_ocelot.c, the field was populated with a bitmask (BIT_ULL(x)) instead of the index x. The mismatch corrupts packets injected by the CPU: the error was silent in earlier kernels, but since the packing library started checking field widths it fails loudly. The failure shows up as the runtime warning "Cannot store 0x40 inside bits 46-43 - will truncate" (a 4-bit field cannot hold the mask value) together with transmit timeouts, here observed alongside sja1105 spi2.0 "xmit timed out" messages, indicating that IFH field packing is failing. The root cause is therefore a mismatch between the expected data format (a single port index) and the value actually supplied (a port mask), leading to truncation and transmission failures. The affected code path is the ocelot switchdev driver and the felix secondary DSA tag protocol, ocelot-8021q, both used with network switching hardware driven through the kernel's DSA framework. The vulnerability has no known exploits in the wild and no direct user-visible impact beyond the failures above, but it can cause packet transmission failures and instability on systems running affected kernel versions with the ocelot driver. The problem stems from technical debt and code duplication in the driver codebase. The fix corrects the function call to pass the port index rather than a bitmask, restoring proper IFH field packing and packet injection.
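The mechanism described above can be reproduced in isolation. The following is an added example, not kernel code and not part of the advisory: a simplified packer that models the width check the kernel's packing library now performs (the real API works on a byte buffer; this version uses a single 64-bit word), the SRC_PORT bit range 46-43 taken from the warning quoted in the advisory, and a constructed CPU port index of 6 standing in for ocelot->num_phys_ports. It shows the buggy BIT_ULL(x) call being rejected with the same message as in the advisory, the fixed call storing the index correctly, and why the bug stayed silent for small port indices.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel code. Store `value` into bits [startbit..endbit]
 * of a 64-bit word and refuse, instead of silently truncating, when the value
 * is wider than the field. This models only the width check that produced the
 * warning quoted in the advisory. */
static int pack_field(uint64_t *word, uint64_t value, int startbit, int endbit)
{
    int width = startbit - endbit + 1;
    uint64_t mask = (width >= 64) ? ~0ULL : ((1ULL << width) - 1);

    if (value & ~mask) {
        fprintf(stderr, "Cannot store 0x%llx inside bits %d-%d - will truncate\n",
                (unsigned long long)value, startbit, endbit);
        return -1;
    }
    *word &= ~(mask << endbit);
    *word |= value << endbit;
    return 0;
}

static uint64_t unpack_field(uint64_t word, int startbit, int endbit)
{
    int width = startbit - endbit + 1;
    uint64_t mask = (width >= 64) ? ~0ULL : ((1ULL << width) - 1);
    return (word >> endbit) & mask;
}

/* Bit positions of the IFH SRC_PORT field, from the advisory's warning text
 * ("inside bits 46-43"): a 4-bit field, so only values 0..15 fit. */
#define IFH_SRC_PORT_START 46
#define IFH_SRC_PORT_END   43

#define BIT_ULL(n) (1ULL << (n))

/* Buggy form of the call: a port mask where a port index is expected. */
static int ifh_set_src_port_buggy(uint64_t *ifh, unsigned int cpu_port)
{
    return pack_field(ifh, BIT_ULL(cpu_port), IFH_SRC_PORT_START, IFH_SRC_PORT_END);
}

/* Fixed form: the CPU port module index itself. */
static int ifh_set_src_port_fixed(uint64_t *ifh, unsigned int cpu_port)
{
    return pack_field(ifh, cpu_port, IFH_SRC_PORT_START, IFH_SRC_PORT_END);
}

/* What the switch would read back as SRC_PORT after each form of the call,
 * or -1 when the packer refused the value. */
static long long src_port_after_buggy_set(unsigned int cpu_port)
{
    uint64_t ifh = 0;
    if (ifh_set_src_port_buggy(&ifh, cpu_port) < 0)
        return -1;
    return (long long)unpack_field(ifh, IFH_SRC_PORT_START, IFH_SRC_PORT_END);
}

static long long src_port_after_fixed_set(unsigned int cpu_port)
{
    uint64_t ifh = 0;
    if (ifh_set_src_port_fixed(&ifh, cpu_port) < 0)
        return -1;
    return (long long)unpack_field(ifh, IFH_SRC_PORT_START, IFH_SRC_PORT_END);
}

int main(void)
{
    /* Constructed value: a switch with six front-panel ports, so the CPU port
     * module index (ocelot->num_phys_ports) is 6. */
    unsigned int cpu_port = 6;

    printf("fixed call, port %u -> SRC_PORT %lld\n", cpu_port,
           src_port_after_fixed_set(cpu_port));
    printf("buggy call, port %u -> SRC_PORT %lld (packer refused 0x40)\n", cpu_port,
           src_port_after_buggy_set(cpu_port));
    /* With a small index BIT_ULL(x) still fits in 4 bits, so a wrong value is
     * stored without any warning: this is the "silent" behaviour of older
     * kernels before the packing library checked field widths. */
    printf("buggy call, port 2 -> SRC_PORT %lld (silently wrong)\n",
           src_port_after_buggy_set(2));
    return 0;
}
```

The third line of output is the instructive one for defenders: on hardware where the CPU port index is below 4, the buggy call never trips the width check, so the absence of the warning in kernel logs does not by itself prove the fix is present.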
Potential Impact
For European organizations, the impact of CVE-2024-56717 primarily concerns those deploying Linux-based network infrastructure that utilizes the ocelot switchdev driver and related DSA tagging protocols. This includes network equipment manufacturers, data centers, telecommunications providers, and enterprises running Linux on hardware platforms with ocelot-based switching ASICs (such as certain Marvell switches). The vulnerability can lead to packet transmission failures, network instability, and degraded performance, potentially disrupting critical network services. Although no direct remote code execution or privilege escalation is indicated, the loss of network availability or reliability can affect business operations, especially in environments requiring high network uptime and low latency. Given that the issue causes kernel warnings and transmit timeouts, it may also increase operational overhead for system administrators who need to diagnose and mitigate network anomalies. The absence of known exploits reduces immediate risk, but unpatched systems remain vulnerable to potential future exploitation or cascading failures in complex network topologies. Organizations relying on Linux kernel versions containing the affected commits should prioritize patching to maintain network stability and security compliance.
Mitigation Recommendations
To mitigate CVE-2024-56717, European organizations should:
1. Identify and inventory Linux systems running kernel versions containing the affected commits related to the ocelot driver (notably versions around 6.13.0-rc1 and similar hashes).
2. Apply the official Linux kernel patches that correct the ocelot_ifh_set_basic() function call to use the correct single port index instead of a bitmask. Monitoring the Linux kernel mailing lists and repositories for the backported fix in stable releases is critical.
3. For systems where immediate patching is not feasible, consider disabling or avoiding the use of the ocelot switchdev driver or related DSA tagging protocols if possible, to prevent triggering the faulty code path.
4. Monitor kernel logs for the specific error messages related to packing failures and transmit timeouts as early indicators of this vulnerability manifesting.
5. Engage with hardware vendors to confirm firmware and driver compatibility and updates, ensuring that network switching hardware is supported with patched kernel versions.
6. Incorporate this vulnerability into vulnerability management and patching workflows, emphasizing network infrastructure components that rely on Linux kernel DSA drivers.
These steps go beyond generic advice by focusing on the specific driver and kernel versions, log monitoring, and hardware vendor coordination.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-27T15:00:39.858Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9820c4522896dcbdd184
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 6/27/2025, 10:42:28 PM
Last updated: 7/30/2025, 11:58:01 PM