CVE-2024-53057

In the Linux kernel, the following vulnerability has been resolved: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed to be either root or ingress. This assumption is bogus since it's valid to create egress qdiscs with major handle ffff: Budimir Markovic found that for qdiscs like DRR that maintain an active class list, it will cause a UAF with a dangling class pointer. In 066a3b5b2346, the concern was to avoid iterating over the ingress qdisc since its parent is itself. The proper fix is to stop when parent TC_H_ROOT is reached because the only way to retrieve ingress is when a hierarchy which does not contain a ffff: major handle call into qdisc_lookup with TC_H_MAJ(TC_H_ROOT). In the scenario where major ffff: is an egress qdisc in any of the tree levels, the updates will also propagate to TC_H_ROOT, which then the iteration must stop. net/sched/sch_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/05df1b1dff8f197f1c275b57ccb2ca33021df552	Patch
https://git.kernel.org/stable/c/2e95c4384438adeaa772caa560244b1a2efef816	Patch
https://git.kernel.org/stable/c/580b3189c1972aff0f993837567d36392e9d981b	Patch
https://git.kernel.org/stable/c/597cf9748c3477bf61bc35f0634129f56764ad24	Patch
https://git.kernel.org/stable/c/9995909615c3431a5304c1210face5f268d24dba	Patch
https://git.kernel.org/stable/c/ce691c814bc7a3c30c220ffb5b7422715458fd9b	Patch
https://git.kernel.org/stable/c/dbe778b08b5101df9e89bc06e0a3a7ecd2f4ef20	Patch
https://git.kernel.org/stable/c/e7f9a6f97eb067599a74f3bcb6761976b0ed303e	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.12:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.12:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.12:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.12:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.12:rc5::::::

History

22 Nov 2024, 17:55

Type	Values Removed	Values Added
References	~~() https://git.kernel.org/stable/c/05df1b1dff8f197f1c275b57ccb2ca33021df552 -~~	() https://git.kernel.org/stable/c/05df1b1dff8f197f1c275b57ccb2ca33021df552 - Patch
References	~~() https://git.kernel.org/stable/c/2e95c4384438adeaa772caa560244b1a2efef816 -~~	() https://git.kernel.org/stable/c/2e95c4384438adeaa772caa560244b1a2efef816 - Patch
References	~~() https://git.kernel.org/stable/c/580b3189c1972aff0f993837567d36392e9d981b -~~	() https://git.kernel.org/stable/c/580b3189c1972aff0f993837567d36392e9d981b - Patch
References	~~() https://git.kernel.org/stable/c/597cf9748c3477bf61bc35f0634129f56764ad24 -~~	() https://git.kernel.org/stable/c/597cf9748c3477bf61bc35f0634129f56764ad24 - Patch
References	~~() https://git.kernel.org/stable/c/9995909615c3431a5304c1210face5f268d24dba -~~	() https://git.kernel.org/stable/c/9995909615c3431a5304c1210face5f268d24dba - Patch
References	~~() https://git.kernel.org/stable/c/ce691c814bc7a3c30c220ffb5b7422715458fd9b -~~	() https://git.kernel.org/stable/c/ce691c814bc7a3c30c220ffb5b7422715458fd9b - Patch
References	~~() https://git.kernel.org/stable/c/dbe778b08b5101df9e89bc06e0a3a7ecd2f4ef20 -~~	() https://git.kernel.org/stable/c/dbe778b08b5101df9e89bc06e0a3a7ecd2f4ef20 - Patch
References	~~() https://git.kernel.org/stable/c/e7f9a6f97eb067599a74f3bcb6761976b0ed303e -~~	() https://git.kernel.org/stable/c/e7f9a6f97eb067599a74f3bcb6761976b0ed303e - Patch
CPE		cpe:2.3:o:linux:linux_kernel:6.12:rc2:::::: cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.12:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.12:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.12:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.12:rc3::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/sched: stop qdisc_tree_reduce_backlog en TC_H_ROOT En qdisc_tree_reduce_backlog, se supone que las Qdisc con el identificador principal ffff: son raíz o de entrada. Esta suposición es falsa ya que es válido crear qdiscs de salida con el identificador principal ffff: Budimir Markovic descubrió que para las qdisc como DRR que mantienen una lista de clases activa, provocará un UAF con un puntero de clase colgante. En 066a3b5b2346, la preocupación era evitar iterar sobre la qdisc de entrada ya que su padre es ella misma. La solución adecuada es detener cuando se alcanza el padre TC_H_ROOT porque la única forma de recuperar la entrada es cuando una jerarquía que no contiene un identificador principal ffff: llama a qdisc_lookup con TC_H_MAJ(TC_H_ROOT). En el escenario donde el ffff principal es una qdisc de salida en cualquiera de los niveles del árbol, las actualizaciones también se propagarán a TC_H_ROOT, donde luego la iteración debe detenerse. net/sched/sch_api.c \| 2 +- 1 archivo modificado, 1 inserción(+), 1 eliminación(-)
First Time		Linux Linux linux Kernel
CWE		CWE-416

19 Nov 2024, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-19 18:15

Updated : 2024-11-22 17:55

NVD link : CVE-2024-53057

Mitre link : CVE-2024-53057

CVE.ORG link : CVE-2024-53057

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-416

Use After Free

7.8 /10