APPLIED: [SRU][N][PATCH 0/1] CVE-2024-45016

Stefan Bader stefan.bader at canonical.com
Wed Sep 25 12:00:15 UTC 2024


On 24.09.24 17:45, Ian Whitfield wrote:
> [Impact]
> 
> netem: fix return value if duplicate enqueue fails
> 
> There is a bug in netem_enqueue() introduced by
> commit 5845f706388a ("net: netem: fix skb length BUG_ON in __skb_to_sgvec")
> that can lead to a use-after-free.
> 
> This commit made netem_enqueue() always return NET_XMIT_SUCCESS
> when a packet is duplicated, which can cause the parent qdisc's q.qlen
> to be mistakenly incremented. When this happens qlen_notify() may be
> skipped on the parent during destruction, leaving a dangling pointer
> for some classful qdiscs like DRR.
> 
> There are two ways for the bug to happen:
> 
> - If the duplicated packet is dropped by rootq->enqueue() and then
>    the original packet is also dropped.
> - If rootq->enqueue() sends the duplicated packet to a different qdisc
>    and the original packet is dropped.
> 
> In both cases NET_XMIT_SUCCESS is returned even though no packets
> are enqueued at the netem qdisc.
> 
> The fix is to defer the enqueue of the duplicate packet until after
> the original packet has been guaranteed to return NET_XMIT_SUCCESS.
> 
> [Backport]
> 
> The fix was cleanly applied.
> 
> [Fix]
> 
> Noble:  backport
> Jammy:  fixed via stable
> Focal:  fixed via stable
> Bionic: fix sent to esm ML
> Xenial: not affected
> Trusty: not affected
> 
> [Test Case]
> 
> Compile and boot tested
> 
> [Where problems could occur]
> 
> This fix affects those who use netem, the Linux network emulator.
> An issue with this fix would be visible to users as a use-after-free
> under specific conditions, leading to a system crash or unexpected
> behavior.
> 
> 
> Stephen Hemminger (1):
>    netem: fix return value if duplicate enqueue fails
> 
>   net/sched/sch_netem.c | 47 ++++++++++++++++++++++++++-----------------
>   1 file changed, 29 insertions(+), 18 deletions(-)
> 

Applied to noble:linux/master-next. Thanks.

-Stefan
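The accounting mismatch described in the cover letter (netem reporting NET_XMIT_SUCCESS while the original packet was dropped, so the parent's q.qlen drifts away from what the child actually holds) can be seen in a small model. The following C program is an added illustration, not code from the patch, from Stephen Hemminger, or from the kernel's sch_netem.c: the qdisc structures, the root/child wiring, the `run_scenario` helper and the numeric values of the return codes are all constructed for this model. The parent is modeled after the behaviour the report attributes to classful qdiscs such as DRR: it increments its own qlen whenever the child returns success. The `fixed` flag switches between the pre-fix ordering (duplicate first, success reported regardless of the original) and the post-fix ordering (original first, duplicate re-injected only after the original is known to be queued).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Return codes named as in the kernel; the numeric values are constructed for this model. */
#define NET_XMIT_SUCCESS 0
#define NET_XMIT_DROP    1

/* Minimal qdisc model: only the bookkeeping relevant to the bug (constructed, not kernel code). */
struct qdisc {
    int qlen;            /* packets this qdisc believes it holds */
    int limit;           /* capacity of the netem fifo (unused on the root) */
    bool duplicate;      /* netem "duplicate" option: clone each packet once */
    struct qdisc *root;  /* set on netem: the root that duplicates are re-injected into */
    struct qdisc *child; /* set on root: the netem qdisc it forwards to */
};

static int root_enqueue(struct qdisc *root, bool fixed);

/* netem's own fifo: drop when at limit. */
static int netem_fifo_enqueue(struct qdisc *q)
{
    if (q->qlen >= q->limit)
        return NET_XMIT_DROP;
    q->qlen++;
    return NET_XMIT_SUCCESS;
}

/* Model of netem_enqueue(). fixed=false reproduces the pre-fix ordering: the duplicate is
 * re-injected at the root first and success is recorded before the original is queued.
 * fixed=true reproduces the deferred ordering from the fix description. */
static int netem_enqueue(struct qdisc *q, bool fixed)
{
    int rc = NET_XMIT_DROP;
    bool dup = q->duplicate;

    if (!fixed && dup) {
        q->duplicate = false;          /* prevent duplicating the duplicate */
        root_enqueue(q->root, fixed);  /* duplicate goes to the top of the tree */
        q->duplicate = dup;
        rc = NET_XMIT_SUCCESS;         /* BUG: success decided before the original is queued */
    }

    if (netem_fifo_enqueue(q) != NET_XMIT_SUCCESS)
        return fixed ? NET_XMIT_DROP : rc;   /* pre-fix path leaks the stale rc */

    if (fixed && dup) {                      /* original is queued; now re-inject the duplicate */
        q->duplicate = false;
        root_enqueue(q->root, fixed);
        q->duplicate = dup;
    }
    return NET_XMIT_SUCCESS;
}

/* Classful parent model: trusts the child's return value for its own qlen. */
static int root_enqueue(struct qdisc *root, bool fixed)
{
    int rc = netem_enqueue(root->child, fixed);
    if (rc == NET_XMIT_SUCCESS)
        root->qlen++;
    return rc;
}

/* Build root -> netem with `prefill` packets already queued consistently on both,
 * send one packet with duplication enabled, and return root.qlen - netem.qlen.
 * 0 means the parent's accounting still matches what netem holds. */
int run_scenario(int limit, int prefill, bool fixed, int *root_qlen, int *netem_qlen)
{
    struct qdisc root = {0}, netem = {0};
    root.child = &netem;
    netem.root = &root;
    netem.limit = limit;
    netem.duplicate = true;
    netem.qlen = prefill;
    root.qlen = prefill;

    root_enqueue(&root, fixed);
    if (root_qlen) *root_qlen = root.qlen;
    if (netem_qlen) *netem_qlen = netem.qlen;
    return root.qlen - netem.qlen;
}

int main(void)
{
    int r, n;
    /* Report's first case: netem is full, so the duplicate and the original are both dropped. */
    run_scenario(4, 4, false, &r, &n);
    printf("pre-fix,  full fifo: root.qlen=%d netem.qlen=%d\n", r, n); /* 5 vs 4 */
    run_scenario(4, 4, true, &r, &n);
    printf("post-fix, full fifo: root.qlen=%d netem.qlen=%d\n", r, n); /* 4 vs 4 */
    run_scenario(4, 0, true, &r, &n);
    printf("post-fix, empty fifo: root.qlen=%d netem.qlen=%d\n", r, n); /* 2 vs 2 */
    return 0;
}
```

The invariant worth checking in any such model is `root.qlen == netem.qlen` after every enqueue; the pre-fix ordering breaks it exactly when the original packet is dropped, which is the precondition the report gives for the later use-after-free.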
