APPLIED: [SRU][J/N/O][PATCH 0/1] CVE-2024-53057
Roxana Nicolescu
roxana.nicolescu at canonical.com
Thu Nov 28 13:43:29 UTC 2024
On 26/11/2024 00:34, Ian Whitfield wrote:
> [Impact]
>
> In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed
> to be either root or ingress. This assumption is bogus since it's valid
> to create egress qdiscs with major handle ffff:
> Budimir Markovic found that for qdiscs like DRR that maintain an active
> class list, it will cause a UAF with a dangling class pointer.
>
> In 066a3b5b2346, the concern was to avoid iterating over the ingress
> qdisc since its parent is itself. The proper fix is to stop when parent
> TC_H_ROOT is reached because the only way to retrieve ingress is when a
> hierarchy which does not contain a ffff: major handle calls into
> qdisc_lookup with TC_H_MAJ(TC_H_ROOT).
>
> In the scenario where major ffff: is an egress qdisc in any of the tree
> levels, the updates will also propagate to TC_H_ROOT, at which point the
> iteration must stop.
>
> [Backport]
>
> Focal was skipped due to already having this fix on-tree.
>
> [Fix]
>
> Oracular: backport
> Noble: backport
> Jammy: backport
> Focal: backported previously
> Bionic: sent to ESM ML
> Xenial: sent to ESM ML
> Trusty: sent to ESM ML
>
> [Test Case]
>
> Compile and boot tested
>
> [Where problems could occur]
>
> This fix affects those who use the linux packet scheduler for their
> networking. An issue with this fix would be visible to the user as
> unexpected networking behavior or a system crash due to use-after-free.
>
> Pedro Tammela (1):
> net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT
>
> net/sched/sch_api.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
Applied to oracular:linux, noble:linux, jammy:linux master-next
branches. Thanks!
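The walk the cover letter describes, modelled as an added C example: this is not the kernel's net/sched/sch_api.c and not part of the thread, only a toy that keeps the real TC_H_* handle values and compares the two termination checks (the pre-fix "parent has major ffff:" test against the fixed "parent is TC_H_ROOT" test). The three-level tree (an HTB root 1:, a DRR qdisc deliberately given egress handle ffff: under class 1:1, and a pfifo leaf under class ffff:1), the qdisc names and the qlen values are constructed for illustration.

```c
/* Toy model of the qdisc_tree_reduce_backlog() ancestor walk; not kernel code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Handle macros use the same values as <linux/pkt_sched.h>. */
#define TC_H_MAJ_MASK 0xFFFF0000U
#define TC_H_MIN_MASK 0x0000FFFFU
#define TC_H_MAJ(h)          ((h) & TC_H_MAJ_MASK)
#define TC_H_MAKE(maj, min)  (((maj) & TC_H_MAJ_MASK) | ((min) & TC_H_MIN_MASK))
#define TC_H_ROOT     0xFFFFFFFFU
#define TC_H_INGRESS  0xFFFFFFF1U

struct qdisc {
    const char *name;
    uint32_t handle;   /* major:0 for a qdisc */
    uint32_t parent;   /* classid of the parent class, or TC_H_ROOT */
    int qlen;          /* packets queued below this qdisc */
};

enum stop_rule {
    STOP_ON_FFFF_MAJOR, /* pre-fix: TC_H_MAJ(parentid) == TC_H_MAJ(TC_H_INGRESS) */
    STOP_ON_ROOT        /* fixed:   parentid == TC_H_ROOT */
};

struct result {
    int updated;   /* ancestors whose qlen was adjusted */
    int root_qlen; /* qlen left on the 1: root after the walk */
    int drr_qlen;  /* qlen left on the ffff: DRR after the walk */
};

/* Find a qdisc by its handle; mirrors qdisc_lookup() on the major part. */
static struct qdisc *qdisc_lookup(struct qdisc *tree, size_t count, uint32_t handle)
{
    for (size_t i = 0; i < count; i++)
        if (tree[i].handle == handle)
            return &tree[i];
    return NULL;
}

/* Walk from sch towards the root, subtracting n packets from each ancestor.
 * Returns how many ancestors were updated. */
static int reduce_backlog(struct qdisc *tree, size_t count, struct qdisc *sch,
                          int n, enum stop_rule rule)
{
    int updated = 0;
    uint32_t parentid;

    while ((parentid = sch->parent) != 0) {
        int stop = (rule == STOP_ON_ROOT)
                   ? (parentid == TC_H_ROOT)
                   : (TC_H_MAJ(parentid) == TC_H_MAJ(TC_H_INGRESS));
        if (stop)
            break;
        sch = qdisc_lookup(tree, count, TC_H_MAJ(parentid));
        if (!sch)
            break;
        sch->qlen -= n;
        updated++;
    }
    return updated;
}

/* Constructed tree: 3 packets sit in the leaf and are dropped in one go. */
static struct result run_scenario(enum stop_rule rule)
{
    struct qdisc tree[] = {
        { "htb 1:",    TC_H_MAKE(0x00010000U, 0), TC_H_ROOT,                  3 },
        { "drr ffff:", TC_H_MAKE(0xFFFF0000U, 0), TC_H_MAKE(0x00010000U, 1),  3 },
        { "pfifo 2:",  TC_H_MAKE(0x00020000U, 0), TC_H_MAKE(0xFFFF0000U, 1),  3 },
    };
    size_t count = sizeof(tree) / sizeof(tree[0]);
    struct result r;

    tree[2].qlen = 0; /* the leaf itself is emptied by its caller */
    r.updated   = reduce_backlog(tree, count, &tree[2], 3, rule);
    r.root_qlen = tree[0].qlen;
    r.drr_qlen  = tree[1].qlen;
    return r;
}

int main(void)
{
    struct result old = run_scenario(STOP_ON_FFFF_MAJOR);
    struct result fix = run_scenario(STOP_ON_ROOT);

    printf("pre-fix: %d ancestors updated, root qlen %d, drr qlen %d\n",
           old.updated, old.root_qlen, old.drr_qlen);
    printf("fixed:   %d ancestors updated, root qlen %d, drr qlen %d\n",
           fix.updated, fix.root_qlen, fix.drr_qlen);
    return 0;
}
```

With the pre-fix check the walk stops before it ever reaches the ffff: DRR, so the DRR and the root keep counting three packets that no longer exist; that stale accounting is what leaves a freed class reachable through DRR's active list. With the TC_H_ROOT check the walk visits both ancestors and only stops once the root's parent (TC_H_ROOT) is reached.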