A Use-After-Free (UAF) vulnerability was found and fixed in the Linux kernel's network scheduling subsystem (net/sched). This post covers the details of the vulnerability (CVE-2024-53057), the extent of the fix, and the original references.
Linux kernel developer Budimir Markovic identified the vulnerability in the qdisc_tree_reduce_backlog function. That function assumed that any qdisc (a queuing discipline, the object that manages packet queues in the network subsystem) with major handle ffff: was either the root or the ingress qdisc. The assumption is false: it is valid to create an egress qdisc with major handle ffff: as well. For qdiscs such as DRR (Deficit Round Robin) that maintain an active class list, the walk therefore stopped early and the class list was left holding a dangling class pointer, which is the UAF.
Previously, commit 066a3b5b2346 was only concerned with not iterating over the ingress qdisc, since its parent was itself. The proper fix, as implemented now, is to stop the iteration when the parent TC_H_ROOT is reached. This works because the only way the walk can retrieve an ingress qdisc is when a hierarchy that contains no ffff: major handle calls qdisc_lookup with TC_H_MAJ(TC_H_ROOT).
When ffff: is an egress qdisc at any level of the tree, the updates now propagate past it up to TC_H_ROOT, at which point the iteration must stop.
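To make the boundary condition concrete, here is an added user-space model of the backlog-propagation walk; it is not the kernel's code, and the three-node tree, the class_active flag, qdisc_lookup(), reduce_backlog() and the two helper functions are constructed for this example. The TC_H_* macros mirror the UAPI values in linux/pkt_sched.h. The walk runs once with the pre-fix boundary (stop when the parent's major is ffff:) and once with the fixed boundary (stop only at TC_H_ROOT), starting from a leaf attached under an egress DRR qdisc with handle ffff:.

```c
/* Added example (not the kernel's code): a user-space model of the
 * backlog-propagation walk in qdisc_tree_reduce_backlog(). The tree,
 * the class_active flag, qdisc_lookup() and reduce_backlog() are
 * constructed here; the TC_H_* macros mirror linux/pkt_sched.h. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TC_H_MAJ_MASK 0xFFFF0000U
#define TC_H_MAJ(h)   ((h) & TC_H_MAJ_MASK)
#define TC_H_ROOT     0xFFFFFFFFU
#define TC_H_INGRESS  0xFFFFFFF1U

struct qdisc {
    uint32_t handle;       /* qdisc handle, e.g. 0xFFFF0000 for "ffff:" */
    uint32_t parent;       /* parent classid, or TC_H_ROOT for the root qdisc */
    int      qlen;         /* packets queued below this qdisc */
    bool     class_active; /* models "a class of this qdisc is on DRR's active list" */
};

/* Constructed hierarchy: root 1: -> egress DRR ffff: (class ffff:1)
 * -> leaf fifo 2: attached under class ffff:1. */
static struct qdisc tree[] = {
    { 0x00010000U, TC_H_ROOT,   1, false }, /* 1:    root qdisc        */
    { 0xFFFF0000U, 0x00010001U, 1, true  }, /* ffff: egress DRR        */
    { 0x00020000U, 0xFFFF0001U, 1, false }, /* 2:    leaf under ffff:1 */
};
#define NQDISC (sizeof(tree) / sizeof(tree[0]))

static struct qdisc *qdisc_lookup(uint32_t major)
{
    for (size_t i = 0; i < NQDISC; i++)
        if (tree[i].handle == major)
            return &tree[i];
    return NULL;
}

static void reset_tree(void)
{
    for (size_t i = 0; i < NQDISC; i++)
        tree[i].qlen = 1;
    tree[1].class_active = true;
}

/* Walk from `sch` toward the root after `n` packets left the leaf,
 * subtracting n from every ancestor and notifying the parent class
 * whenever the child below it became empty (in the kernel this is
 * cops->qlen_notify(), which is what takes a DRR class off the active
 * list). `pre_fix` selects the old boundary check (stop on any parent
 * whose major is ffff:) versus the fixed one (stop only on TC_H_ROOT).
 * Returns how many parent classes were notified. */
static int reduce_backlog(struct qdisc *sch, int n, bool pre_fix)
{
    int notified = 0;
    uint32_t parentid;

    sch->qlen -= n;                 /* the leaf itself was already dequeued */
    while ((parentid = sch->parent)) {
        if (pre_fix) {
            if (TC_H_MAJ(parentid) == TC_H_MAJ(TC_H_INGRESS))
                break;              /* also matches an *egress* ffff: parent */
        } else if (parentid == TC_H_ROOT) {
            break;                  /* only the true root ends the walk */
        }
        bool notify = (sch->qlen == 0);
        sch = qdisc_lookup(TC_H_MAJ(parentid));
        if (!sch)
            break;
        if (notify) {
            sch->class_active = false;  /* stands in for cops->qlen_notify() */
            notified++;
        }
        sch->qlen -= n;
    }
    return notified;
}

/* Number of parent classes notified when leaf 2: drains. */
static int parents_notified(bool pre_fix)
{
    reset_tree();
    return reduce_backlog(&tree[2], 1, pre_fix);
}

/* True when the DRR class under ffff: is still marked active after the
 * walk: an empty class left on the active list is the stale reference
 * the advisory describes. */
static bool drr_class_left_active(bool pre_fix)
{
    reset_tree();
    reduce_backlog(&tree[2], 1, pre_fix);
    return tree[1].class_active;
}

int main(void)
{
    printf("pre-fix check: notified=%d, DRR class still active=%d\n",
           parents_notified(true), drr_class_left_active(true));
    printf("fixed check:   notified=%d, DRR class still active=%d\n",
           parents_notified(false), drr_class_left_active(false));
    return 0;
}
```

With the pre-fix check the walk breaks immediately, because TC_H_MAJ(0xFFFF0001) equals TC_H_MAJ(TC_H_INGRESS); the DRR class is never notified and stays on the active list even though nothing is queued under it. With the fixed check the walk notifies both the DRR class and the root, and stops only when the parent is TC_H_ROOT. Note that the old check happened to stop at the root too, since TC_H_MAJ(TC_H_ROOT) is also 0xFFFF0000; the fix keeps that behaviour while no longer mistaking an egress ffff: qdisc for the boundary.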
The fix is a single-line change in net/sched/sch_api.c, as the commit's diffstat shows:
net/sched/sch_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
This vulnerability, designated CVE-2024-53057, is now resolved in the Linux kernel.
For additional information and the original references, see the following resources:
1. Linux Kernel GIT source tree commit
2. Budimir Markovic's discovery information
3. DRR qdisc explanation
Timeline
Published on: 11/19/2024 18:15:25 UTC
Last modified on: 12/19/2024 09:38:09 UTC