CVE-2024-46828

{"id": "CVE-2024-46828", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-09-27T13:15:15.220", "references": [{"url": "https://git.kernel.org/stable/c/4a4eeefa514db570be025ab46d779af180e2c9bb", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/546ea84d07e3e324644025e2aae2d12ea4c5896e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/549e407569e08459d16122341d332cb508024094", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7725152b54d295b7da5e34c2f419539b30d017bd", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cde71a5677971f4f1b69b25e854891dbe78066a4", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d4a9039a7b3d8005b90c7b1a55a306444f0e5447", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d7c01c0714c04431b5e18cf17a9ea68a553d1c3c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched: sch_cake: fix bulk flow accounting logic for host fairness\n\nIn sch_cake, we keep track of the count of active bulk flows per host,\nwhen running in dst/src host fairness mode, which is used as the\nround-robin weight when iterating through flows. The count of active\nbulk flows is updated whenever a flow changes state.\n\nThis has a peculiar interaction with the hash collision handling: when a\nhash collision occurs (after the set-associative hashing), the state of\nthe hash bucket is simply updated to match the new packet that collided,\nand if host fairness is enabled, that also means assigning new per-host\nstate to the flow. For this reason, the bulk flow counters of the\nhost(s) assigned to the flow are decremented, before new state is\nassigned (and the counters, which may not belong to the same host\nanymore, are incremented again).\n\nBack when this code was introduced, the host fairness mode was always\nenabled, so the decrement was unconditional. When the configuration\nflags were introduced the *increment* was made conditional, but\nthe *decrement* was not. Which of course can lead to a spurious\ndecrement (and associated wrap-around to U16_MAX).\n\nAFAICT, when host fairness is disabled, the decrement and wrap-around\nhappens as soon as a hash collision occurs (which is not that common in\nitself, due to the set-associative hashing). However, in most cases this\nis harmless, as the value is only used when host fairness mode is\nenabled. So in order to trigger an array overflow, sch_cake has to first\nbe configured with host fairness disabled, and while running in this\nmode, a hash collision has to occur to cause the overflow. Then, the\nqdisc has to be reconfigured to enable host fairness, which leads to the\narray out-of-bounds because the wrapped-around value is retained and\nused as an array index. It seems that syzbot managed to trigger this,\nwhich is quite impressive in its own right.\n\nThis patch fixes the issue by introducing the same conditional check on\ndecrement as is used on increment.\n\nThe original bug predates the upstreaming of cake, but the commit listed\nin the Fixes tag touched that code, meaning that this patch won't apply\nbefore that."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sched: sch_cake: arregla la l\u00f3gica de contabilidad de flujo masivo para la equidad del host En sch_cake, hacemos un seguimiento del recuento de flujos masivos activos por host, cuando se ejecuta en modo de equidad de host dst/src, que se utiliza como el peso round-robin cuando se itera a trav\u00e9s de flujos. El recuento de flujos masivos activos se actualiza siempre que un flujo cambia de estado. Esto tiene una interacci\u00f3n peculiar con el manejo de colisiones de hash: cuando ocurre una colisi\u00f3n de hash (despu\u00e9s del hash asociativo de conjuntos), el estado del dep\u00f3sito de hash simplemente se actualiza para que coincida con el nuevo paquete que colision\u00f3, y si la equidad del host est\u00e1 habilitada, eso tambi\u00e9n significa asignar un nuevo estado por host al flujo. Por este motivo, los contadores de flujo masivo de los host asignados al flujo se decrementan, antes de que se asigne un nuevo estado (y los contadores, que pueden no pertenecer m\u00e1s al mismo host, se incrementan nuevamente). Cuando se introdujo este c\u00f3digo, el modo de equidad del host siempre estaba habilitado, por lo que la disminuci\u00f3n era incondicional. Cuando se introdujeron los indicadores de configuraci\u00f3n, el *incremento* se hizo condicional, pero el *decremento* no. Lo que, por supuesto, puede conducir a un decremento espurio (y un retorno asociado a U16_MAX). AFAICT, cuando la equidad del host est\u00e1 deshabilitada, la disminuci\u00f3n y el retorno ocurren tan pronto como ocurre una colisi\u00f3n de hash (lo que no es tan com\u00fan en s\u00ed mismo, debido al hash asociativo de conjuntos). Sin embargo, en la mayor\u00eda de los casos esto es inofensivo, ya que el valor solo se usa cuando el modo de equidad del host est\u00e1 habilitado. Entonces, para activar un desbordamiento de matriz, sch_cake primero debe configurarse con la equidad del host deshabilitada y, mientras se ejecuta en este modo, debe ocurrir una colisi\u00f3n de hash para causar el desbordamiento. Luego, la qdisc debe reconfigurarse para habilitar la equidad del host, lo que lleva a que la matriz est\u00e9 fuera de los l\u00edmites porque el valor de retorno se conserva y se usa como un \u00edndice de matriz. Parece que syzbot logr\u00f3 activar esto, lo que es bastante impresionante en s\u00ed mismo. Este parche corrige el problema introduciendo la misma verificaci\u00f3n condicional en la disminuci\u00f3n que se usa en el incremento. El error original es anterior a la actualizaci\u00f3n de Cake, pero el commit que aparece en la etiqueta de correcciones abord\u00f3 ese c\u00f3digo, lo que significa que este parche no se aplicar\u00e1 antes de esa fecha."}], "lastModified": "2024-11-21T15:02:20.177", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6215D739-B1A0-4E74-A311-9BF8E96145E6", "versionEndExcluding": "5.4.284", "versionStartIncluding": "5.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "99182B6F-D005-4EA0-A29E-EE793EAF5494", "versionEndExcluding": "5.10.226", "versionStartIncluding": "5.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EA943118-D4CB-4C23-A051-06993A503CC8", "versionEndExcluding": "5.15.167", "versionStartIncluding": "5.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FD34EEF6-E0F8-42D6-BF92-8EB851A6ADEC", "versionEndExcluding": "6.1.110", "versionStartIncluding": "6.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "25B5F323-C9C2-4F67-BF42-0C5BDD860576", "versionEndExcluding": "6.6.51", "versionStartIncluding": "6.6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D16659A9-BECD-4E13-8994-B096652762E2", "versionEndExcluding": "6.10.10", "versionStartIncluding": "6.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8B3CE743-2126-47A3-8B7C-822B502CF119"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4DEB27E7-30AA-45CC-8934-B89263EF3551"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E0005AEF-856E-47EB-BFE4-90C46899394D"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "39889A68-6D34-47A6-82FC-CD0BF23D6754"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B8383ABF-1457-401F-9B61-EE50F4C61F4F"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B77A9280-37E6-49AD-B559-5B23A3B1DC3D"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}