ACK: [SRU][N][PATCH 0/1] CVE-2024-45016

Magali Lemes magali.lemes at canonical.com
Tue Sep 24 18:29:25 UTC 2024


Acked-by: Magali Lemes <magali.lemes at canonical.com>

On 24/09/2024 12:45, Ian Whitfield wrote:
> [Impact]
> 
> netem: fix return value if duplicate enqueue fails
> 
> There is a bug in netem_enqueue() introduced by
> commit 5845f706388a ("net: netem: fix skb length BUG_ON in __skb_to_sgvec")
> that can lead to a use-after-free.
> 
> This commit made netem_enqueue() always return NET_XMIT_SUCCESS
> when a packet is duplicated, which can cause the parent qdisc's q.qlen
> to be mistakenly incremented. When this happens qlen_notify() may be
> skipped on the parent during destruction, leaving a dangling pointer
> for some classful qdiscs like DRR.
> 
> There are two ways for the bug to happen:
> 
> - If the duplicated packet is dropped by rootq->enqueue() and then
>    the original packet is also dropped.
> - If rootq->enqueue() sends the duplicated packet to a different qdisc
>    and the original packet is dropped.
> 
> In both cases NET_XMIT_SUCCESS is returned even though no packets
> are enqueued at the netem qdisc.
> 
> The fix is to defer the enqueue of the duplicate packet until after
> the original packet has been guaranteed to return NET_XMIT_SUCCESS.
> 
> [Backport]
> 
> The fix was cleanly applied.
> 
> [Fix]
> 
> Noble:  backport
> Jammy:  fixed via stable
> Focal:  fixed via stable
> Bionic: fix sent to esm ML
> Xenial: not affected
> Trusty: not affected
> 
> [Test Case]
> 
> Compile and boot tested
> 
> [Where problems could occur]
> 
> This fix affects those who use netem, the Linux network emulator.
> An issue with this fix would be visible to the user via a use-after-free
> under specific conditions, leading to a system crash or unexpected
> behavior.
> 
> 
> Stephen Hemminger (1):
>    netem: fix return value if duplicate enqueue fails
> 
>   net/sched/sch_netem.c | 47 ++++++++++++++++++++++++++-----------------
>   1 file changed, 29 insertions(+), 18 deletions(-)
> 
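
The queue-length drift described in the quoted cover letter, as an added example that is not part of the original message or the kernel patch: a toy C model comparing the pre-fix and fixed enqueue order. All names are hypothetical, and a full netem queue is assumed as the reason the original packet is dropped.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model, not kernel code: every name below is hypothetical. */
enum { XMIT_SUCCESS = 0, XMIT_DROP = 1 };   /* stand-ins for NET_XMIT_* */

struct model {
    int netem_qlen;    /* packets actually held by the netem qdisc */
    int netem_limit;   /* netem queue limit (assumed drop cause) */
    int parent_qlen;   /* what the classful parent believes netem holds */
};

/* Root qdisc drops the duplicate or queues it elsewhere: never in netem. */
static void root_enqueue_dup(struct model *m) { (void)m; }

/* Pre-fix order: duplicate first; a dropped original still reports success. */
static int netem_enqueue_buggy(struct model *m, bool duplicate)
{
    int rc = duplicate ? XMIT_SUCCESS : XMIT_DROP;
    if (duplicate)
        root_enqueue_dup(m);
    if (m->netem_qlen >= m->netem_limit)
        return rc;                      /* original dropped, nothing queued */
    m->netem_qlen++;
    return XMIT_SUCCESS;
}

/* Fixed order: the duplicate is deferred until the original is queued. */
static int netem_enqueue_fixed(struct model *m, bool duplicate)
{
    if (m->netem_qlen >= m->netem_limit)
        return XMIT_DROP;
    m->netem_qlen++;
    if (duplicate)
        root_enqueue_dup(m);
    return XMIT_SUCCESS;
}

/* Parent counts a packet only on success; returns parent_qlen - real qlen. */
static int parent_drift(int (*enq)(struct model *, bool), int packets)
{
    struct model m = { .netem_qlen = 0, .netem_limit = 2, .parent_qlen = 0 };
    for (int i = 0; i < packets; i++)
        if (enq(&m, true) == XMIT_SUCCESS)
            m.parent_qlen++;
    return m.parent_qlen - m.netem_qlen;
}

int main(void)
{
    printf("drift buggy=%d fixed=%d\n", parent_drift(netem_enqueue_buggy, 5),
           parent_drift(netem_enqueue_fixed, 5));
}
```

A non-zero drift is the state in which the parent's count no longer matches what netem holds, which is the precondition the cover letter gives for qlen_notify() being skipped.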


