In the Linux kernel, the following vulnerability has been resolved:
net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT
In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed
to be either root or ingress. This assumption is bogus since it's valid
to create egress qdiscs with major handle ffff:
Budimir Markovic found that for qdiscs like DRR that maintain an active
class list, it will cause a UAF with a dangling class pointer.
In 066a3b5b2346, the concern was to avoid iterating over the ingress
qdisc since its parent is itself. The proper fix is to stop when parent
TC_H_ROOT is reached because the only way to retrieve ingress is when a
hierarchy which does not contain a ffff: major handle call into
qdisc_lookup with TC_H_MAJ(TC_H_ROOT).
In the scenario where major ffff: is an egress qdisc in any of the tree
levels, the updates will also propagate to TC_H_ROOT, which then the
iteration must stop.
net/sched/sch_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
References
Configurations
Configuration 1 (hide)
|
History
22 Nov 2024, 17:55
Type | Values Removed | Values Added |
---|---|---|
References | () https://git.kernel.org/stable/c/05df1b1dff8f197f1c275b57ccb2ca33021df552 - Patch | |
References | () https://git.kernel.org/stable/c/2e95c4384438adeaa772caa560244b1a2efef816 - Patch | |
References | () https://git.kernel.org/stable/c/580b3189c1972aff0f993837567d36392e9d981b - Patch | |
References | () https://git.kernel.org/stable/c/597cf9748c3477bf61bc35f0634129f56764ad24 - Patch | |
References | () https://git.kernel.org/stable/c/9995909615c3431a5304c1210face5f268d24dba - Patch | |
References | () https://git.kernel.org/stable/c/ce691c814bc7a3c30c220ffb5b7422715458fd9b - Patch | |
References | () https://git.kernel.org/stable/c/dbe778b08b5101df9e89bc06e0a3a7ecd2f4ef20 - Patch | |
References | () https://git.kernel.org/stable/c/e7f9a6f97eb067599a74f3bcb6761976b0ed303e - Patch | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.8 |
CWE | CWE-416 | |
Summary |
|
|
First Time |
Linux linux Kernel
Linux |
|
CPE | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:* |
19 Nov 2024, 18:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-11-19 18:15
Updated : 2024-11-22 17:55
NVD link : CVE-2024-53057
Mitre link : CVE-2024-53057
CVE.ORG link : CVE-2024-53057
JSON object : View
Products Affected
linux
- linux_kernel
CWE
CWE-416
Use After Free