cve-2024-41010
Vulnerability from cvelistv5
Published
2024-07-17 06:10
Modified
2024-12-19 09:09
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix too early release of tcx_entry Pedro Pinto and later independently also Hyunwoo Kim and Wongi Lee reported an issue that the tcx_entry can be released too early leading to a use after free (UAF) when an active old-style ingress or clsact qdisc with a shared tc block is later replaced by another ingress or clsact instance. Essentially, the sequence to trigger the UAF (one example) can be as follows: 1. A network namespace is created 2. An ingress qdisc is created. This allocates a tcx_entry, and &tcx_entry->miniq is stored in the qdisc's miniqp->p_miniq. At the same time, a tcf block with index 1 is created. 3. chain0 is attached to the tcf block. chain0 must be connected to the block linked to the ingress qdisc to later reach the function tcf_chain0_head_change_cb_del() which triggers the UAF. 4. Create and graft a clsact qdisc. This causes the ingress qdisc created in step 1 to be removed, thus freeing the previously linked tcx_entry: rtnetlink_rcv_msg() => tc_modify_qdisc() => qdisc_create() => clsact_init() [a] => qdisc_graft() => qdisc_destroy() => __qdisc_destroy() => ingress_destroy() [b] => tcx_entry_free() => kfree_rcu() // tcx_entry freed 5. Finally, the network namespace is closed. This registers the cleanup_net worker, and during the process of releasing the remaining clsact qdisc, it accesses the tcx_entry that was already freed in step 4, causing the UAF to occur: cleanup_net() => ops_exit_list() => default_device_exit_batch() => unregister_netdevice_many() => unregister_netdevice_many_notify() => dev_shutdown() => qdisc_put() => clsact_destroy() [c] => tcf_block_put_ext() => tcf_chain0_head_change_cb_del() => tcf_chain_head_change_item() => clsact_chain_head_change() => mini_qdisc_pair_swap() // UAF There are also other variants, the gist is to add an ingress (or clsact) qdisc with a specific shared block, then to replace that qdisc, waiting for the tcx_entry kfree_rcu() to be executed and subsequently accessing the current active qdisc's miniq one way or another. The correct fix is to turn the miniq_active boolean into a counter. What can be observed, at step 2 above, the counter transitions from 0->1, at step [a] from 1->2 (in order for the miniq object to remain active during the replacement), then in [b] from 2->1 and finally [c] 1->0 with the eventual release. The reference counter in general ranges from [0,2] and it does not need to be atomic since all access to the counter is protected by the rtnl mutex. With this in place, there is no longer a UAF happening and the tcx_entry is freed at the correct time.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1cb6f0bae50441f4b4b32a28315853b279c7404eMailing List, Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/230bb13650b0f186f540500fd5f5f7096a822a2aMailing List, Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f61ecf1bd5b562ebfd7d430ccb31619857e80857Mailing List, Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/1cb6f0bae50441f4b4b32a28315853b279c7404eMailing List, Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/230bb13650b0f186f540500fd5f5f7096a822a2aMailing List, Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/f61ecf1bd5b562ebfd7d430ccb31619857e80857Mailing List, Patch
Impacted products
Vendor Product Version
Linux Linux Version: e420bed025071a623d2720a92bc2245c84757ecb
Version: e420bed025071a623d2720a92bc2245c84757ecb
Version: e420bed025071a623d2720a92bc2245c84757ecb
 Create a notification for this product.
   Linux Linux Version: 6.6
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:39:55.990Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/230bb13650b0f186f540500fd5f5f7096a822a2a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f61ecf1bd5b562ebfd7d430ccb31619857e80857"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/1cb6f0bae50441f4b4b32a28315853b279c7404e"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-41010",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T16:25:09.492833Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:34:06.652Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/tcx.h",
            "net/sched/sch_ingress.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "230bb13650b0f186f540500fd5f5f7096a822a2a",
              "status": "affected",
              "version": "e420bed025071a623d2720a92bc2245c84757ecb",
              "versionType": "git"
            },
            {
              "lessThan": "f61ecf1bd5b562ebfd7d430ccb31619857e80857",
              "status": "affected",
              "version": "e420bed025071a623d2720a92bc2245c84757ecb",
              "versionType": "git"
            },
            {
              "lessThan": "1cb6f0bae50441f4b4b32a28315853b279c7404e",
              "status": "affected",
              "version": "e420bed025071a623d2720a92bc2245c84757ecb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/tcx.h",
            "net/sched/sch_ingress.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.41",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.9.*",
              "status": "unaffected",
              "version": "6.9.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.10",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix too early release of tcx_entry\n\nPedro Pinto and later independently also Hyunwoo Kim and Wongi Lee reported\nan issue that the tcx_entry can be released too early leading to a use\nafter free (UAF) when an active old-style ingress or clsact qdisc with a\nshared tc block is later replaced by another ingress or clsact instance.\n\nEssentially, the sequence to trigger the UAF (one example) can be as follows:\n\n  1. A network namespace is created\n  2. An ingress qdisc is created. This allocates a tcx_entry, and\n     \u0026tcx_entry-\u003eminiq is stored in the qdisc\u0027s miniqp-\u003ep_miniq. At the\n     same time, a tcf block with index 1 is created.\n  3. chain0 is attached to the tcf block. chain0 must be connected to\n     the block linked to the ingress qdisc to later reach the function\n     tcf_chain0_head_change_cb_del() which triggers the UAF.\n  4. Create and graft a clsact qdisc. This causes the ingress qdisc\n     created in step 1 to be removed, thus freeing the previously linked\n     tcx_entry:\n\n     rtnetlink_rcv_msg()\n       =\u003e tc_modify_qdisc()\n         =\u003e qdisc_create()\n           =\u003e clsact_init() [a]\n         =\u003e qdisc_graft()\n           =\u003e qdisc_destroy()\n             =\u003e __qdisc_destroy()\n               =\u003e ingress_destroy() [b]\n                 =\u003e tcx_entry_free()\n                   =\u003e kfree_rcu() // tcx_entry freed\n\n  5. Finally, the network namespace is closed. This registers the\n     cleanup_net worker, and during the process of releasing the\n     remaining clsact qdisc, it accesses the tcx_entry that was\n     already freed in step 4, causing the UAF to occur:\n\n     cleanup_net()\n       =\u003e ops_exit_list()\n         =\u003e default_device_exit_batch()\n           =\u003e unregister_netdevice_many()\n             =\u003e unregister_netdevice_many_notify()\n               =\u003e dev_shutdown()\n                 =\u003e qdisc_put()\n                   =\u003e clsact_destroy() [c]\n                     =\u003e tcf_block_put_ext()\n                       =\u003e tcf_chain0_head_change_cb_del()\n                         =\u003e tcf_chain_head_change_item()\n                           =\u003e clsact_chain_head_change()\n                             =\u003e mini_qdisc_pair_swap() // UAF\n\nThere are also other variants, the gist is to add an ingress (or clsact)\nqdisc with a specific shared block, then to replace that qdisc, waiting\nfor the tcx_entry kfree_rcu() to be executed and subsequently accessing\nthe current active qdisc\u0027s miniq one way or another.\n\nThe correct fix is to turn the miniq_active boolean into a counter. What\ncan be observed, at step 2 above, the counter transitions from 0-\u003e1, at\nstep [a] from 1-\u003e2 (in order for the miniq object to remain active during\nthe replacement), then in [b] from 2-\u003e1 and finally [c] 1-\u003e0 with the\neventual release. The reference counter in general ranges from [0,2] and\nit does not need to be atomic since all access to the counter is protected\nby the rtnl mutex. With this in place, there is no longer a UAF happening\nand the tcx_entry is freed at the correct time."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T09:09:59.908Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/230bb13650b0f186f540500fd5f5f7096a822a2a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f61ecf1bd5b562ebfd7d430ccb31619857e80857"
        },
        {
          "url": "https://git.kernel.org/stable/c/1cb6f0bae50441f4b4b32a28315853b279c7404e"
        }
      ],
      "title": "bpf: Fix too early release of tcx_entry",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-41010",
    "datePublished": "2024-07-17T06:10:12.051Z",
    "dateReserved": "2024-07-12T12:17:45.610Z",
    "dateUpdated": "2024-12-19T09:09:59.908Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-41010\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-07-17T07:15:02.183\",\"lastModified\":\"2024-11-21T09:32:03.607\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Fix too early release of tcx_entry\\n\\nPedro Pinto and later independently also Hyunwoo Kim and Wongi Lee reported\\nan issue that the tcx_entry can be released too early leading to a use\\nafter free (UAF) when an active old-style ingress or clsact qdisc with a\\nshared tc block is later replaced by another ingress or clsact instance.\\n\\nEssentially, the sequence to trigger the UAF (one example) can be as follows:\\n\\n  1. A network namespace is created\\n  2. An ingress qdisc is created. This allocates a tcx_entry, and\\n     \u0026tcx_entry-\u003eminiq is stored in the qdisc\u0027s miniqp-\u003ep_miniq. At the\\n     same time, a tcf block with index 1 is created.\\n  3. chain0 is attached to the tcf block. chain0 must be connected to\\n     the block linked to the ingress qdisc to later reach the function\\n     tcf_chain0_head_change_cb_del() which triggers the UAF.\\n  4. Create and graft a clsact qdisc. This causes the ingress qdisc\\n     created in step 1 to be removed, thus freeing the previously linked\\n     tcx_entry:\\n\\n     rtnetlink_rcv_msg()\\n       =\u003e tc_modify_qdisc()\\n         =\u003e qdisc_create()\\n           =\u003e clsact_init() [a]\\n         =\u003e qdisc_graft()\\n           =\u003e qdisc_destroy()\\n             =\u003e __qdisc_destroy()\\n               =\u003e ingress_destroy() [b]\\n                 =\u003e tcx_entry_free()\\n                   =\u003e kfree_rcu() // tcx_entry freed\\n\\n  5. Finally, the network namespace is closed. This registers the\\n     cleanup_net worker, and during the process of releasing the\\n     remaining clsact qdisc, it accesses the tcx_entry that was\\n     already freed in step 4, causing the UAF to occur:\\n\\n     cleanup_net()\\n       =\u003e ops_exit_list()\\n         =\u003e default_device_exit_batch()\\n           =\u003e unregister_netdevice_many()\\n             =\u003e unregister_netdevice_many_notify()\\n               =\u003e dev_shutdown()\\n                 =\u003e qdisc_put()\\n                   =\u003e clsact_destroy() [c]\\n                     =\u003e tcf_block_put_ext()\\n                       =\u003e tcf_chain0_head_change_cb_del()\\n                         =\u003e tcf_chain_head_change_item()\\n                           =\u003e clsact_chain_head_change()\\n                             =\u003e mini_qdisc_pair_swap() // UAF\\n\\nThere are also other variants, the gist is to add an ingress (or clsact)\\nqdisc with a specific shared block, then to replace that qdisc, waiting\\nfor the tcx_entry kfree_rcu() to be executed and subsequently accessing\\nthe current active qdisc\u0027s miniq one way or another.\\n\\nThe correct fix is to turn the miniq_active boolean into a counter. What\\ncan be observed, at step 2 above, the counter transitions from 0-\u003e1, at\\nstep [a] from 1-\u003e2 (in order for the miniq object to remain active during\\nthe replacement), then in [b] from 2-\u003e1 and finally [c] 1-\u003e0 with the\\neventual release. The reference counter in general ranges from [0,2] and\\nit does not need to be atomic since all access to the counter is protected\\nby the rtnl mutex. With this in place, there is no longer a UAF happening\\nand the tcx_entry is freed at the correct time.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: bpf: Se solucion\u00f3 el lanzamiento demasiado temprano de tcx_entry Pedro Pinto y m\u00e1s tarde, de forma independiente, tambi\u00e9n Hyunwoo Kim y Wongi Lee informaron un problema por el cual tcx_entry se puede lanzar demasiado pronto, lo que lleva a un uso posterior a la liberaci\u00f3n (UAF ) cuando una qdisc ingress o clsact antigua activa con un bloque tc compartido se reemplaza posteriormente por otra instancia de ingress o clsact. Esencialmente, la secuencia para activar la UAF (un ejemplo) puede ser la siguiente: 1. Se crea un espacio de nombres de red. 2. Se crea una qdisc de entrada. Esto asigna un tcx_entry, y \u0026amp;tcx_entry-\u0026gt;miniq se almacena en el miniqp-\u0026gt;p_miniq de la qdisc. Al mismo tiempo, se crea un bloque tcf con \u00edndice 1. 3. chain0 est\u00e1 adjunta al bloque tcf. chain0 debe estar conectado al bloque vinculado a la qdisc de ingreso para luego llegar a la funci\u00f3n tcf_chain0_head_change_cb_del() que activa la UAF. 4. Cree e injerte una qdisc clsact. Esto hace que se elimine la qdisc de entrada creada en el paso 1, liberando as\u00ed la tcx_entry previamente vinculada: rtnetlink_rcv_msg() =\u0026gt; tc_modify_qdisc() =\u0026gt; qdisc_create() =\u0026gt; clsact_init() [a] =\u0026gt; qdisc_graft() =\u0026gt; qdisc_destroy( ) =\u0026gt; __qdisc_destroy() =\u0026gt; ingress_destroy() [b] =\u0026gt; tcx_entry_free() =\u0026gt; kfree_rcu() // tcx_entry liberado 5. Finalmente, se cierra el espacio de nombres de la red. Esto registra el trabajador cleanup_net y, durante el proceso de liberaci\u00f3n de la qdisc clsact restante, accede a tcx_entry que ya se liber\u00f3 en el paso 4, lo que provoca que se produzca la UAF: cleanup_net() =\u0026gt; ops_exit_list() =\u0026gt; default_device_exit_batch() =\u0026gt; unregister_netdevice_many() =\u0026gt; unregister_netdevice_many_notify() =\u0026gt; dev_shutdown() =\u0026gt; qdisc_put() =\u0026gt; clsact_destroy() [c] =\u0026gt; tcf_block_put_ext() =\u0026gt; tcf_chain0_head_change_cb_del() =\u0026gt; tcf_chain_head_change_item() =\u0026gt; clsact_chain_head_change() =\u0026gt; mini_qdisc_pair _intercambiar( ) // UAF Tambi\u00e9n hay otras variantes, lo esencial es agregar una qdisc de ingreso (o clsact) con un bloque compartido espec\u00edfico, luego reemplazar esa qdisc, esperar a que se ejecute tcx_entry kfree_rcu() y posteriormente acceder al activo actual miniq de qdisc de una forma u otra. La soluci\u00f3n correcta es convertir el booleano miniq_active en un contador. Lo que se puede observar, en el paso 2 anterior, el contador pasa de 0-\u0026gt;1, en el paso [a] de 1-\u0026gt;2 (para que el objeto miniq permanezca activo durante el reemplazo), luego en [b] de 2-\u0026gt;1 y finalmente [c] 1-\u0026gt;0 con el eventual lanzamiento. El contador de referencia en general oscila entre [0,2] y no necesita ser at\u00f3mico ya que todo acceso al contador est\u00e1 protegido por el mutex rtnl. Con esto implementado, ya no ocurre ning\u00fan UAF y tcx_entry se libera en el momento correcto.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.6\",\"versionEndExcluding\":\"6.6.41\",\"matchCriteriaId\":\"BBD7DB8F-6881-4008-B9ED-5588CD8061D9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.9.10\",\"matchCriteriaId\":\"AB2E8DEC-CFD5-4C2B-981D-E7E45A36C352\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1cb6f0bae50441f4b4b32a28315853b279c7404e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/230bb13650b0f186f540500fd5f5f7096a822a2a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f61ecf1bd5b562ebfd7d430ccb31619857e80857\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/1cb6f0bae50441f4b4b32a28315853b279c7404e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/230bb13650b0f186f540500fd5f5f7096a822a2a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f61ecf1bd5b562ebfd7d430ccb31619857e80857\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2024-07-18T11:41:41.025Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Fix too early release of tcx_entry\\n\\nPedro Pinto and later independently also Hyunwoo Kim and Wongi Lee reported\\nan issue that the tcx_entry can be released too early leading to a use\\nafter free (UAF) when an active old-style ingress or clsact qdisc with a\\nshared tc block is later replaced by another ingress or clsact instance.\\n\\nEssentially, the sequence to trigger the UAF (one example) can be as follows:\\n\\n  1. A network namespace is created\\n  2. An ingress qdisc is created. This allocates a tcx_entry, and\\n     \u0026tcx_entry-\u003eminiq is stored in the qdisc\u0027s miniqp-\u003ep_miniq. At the\\n     same time, a tcf block with index 1 is created.\\n  3. chain0 is attached to the tcf block. chain0 must be connected to\\n     the block linked to the ingress qdisc to later reach the function\\n     tcf_chain0_head_change_cb_del() which triggers the UAF.\\n  4. Create and graft a clsact qdisc. This causes the ingress qdisc\\n     created in step 1 to be removed, thus freeing the previously linked\\n     tcx_entry:\\n\\n     rtnetlink_rcv_msg()\\n       =\u003e tc_modify_qdisc()\\n         =\u003e qdisc_create()\\n           =\u003e clsact_init() [a]\\n         =\u003e qdisc_graft()\\n           =\u003e qdisc_destroy()\\n             =\u003e __qdisc_destroy()\\n               =\u003e ingress_destroy() [b]\\n                 =\u003e tcx_entry_free()\\n                   =\u003e kfree_rcu() // tcx_entry freed\\n\\n  5. Finally, the network namespace is closed. This registers the\\n     cleanup_net worker, and during the process of releasing the\\n     remaining clsact qdisc, it accesses the tcx_entry that was\\n     already freed in step 4, causing the UAF to occur:\\n\\n     cleanup_net()\\n       =\u003e ops_exit_list()\\n         =\u003e default_device_exit_batch()\\n           =\u003e unregister_netdevice_many()\\n             =\u003e unregister_netdevice_many_notify()\\n               =\u003e dev_shutdown()\\n                 =\u003e qdisc_put()\\n                   =\u003e clsact_destroy() [c]\\n                     =\u003e tcf_block_put_ext()\\n                       =\u003e tcf_chain0_head_change_cb_del()\\n                         =\u003e tcf_chain_head_change_item()\\n                           =\u003e clsact_chain_head_change()\\n                             =\u003e mini_qdisc_pair_swap() // UAF\\n\\nThere are also other variants, the gist is to add an ingress (or clsact)\\nqdisc with a specific shared block, then to replace that qdisc, waiting\\nfor the tcx_entry kfree_rcu() to be executed and subsequently accessing\\nthe current active qdisc\u0027s miniq one way or another.\\n\\nThe correct fix is to turn the miniq_active boolean into a counter. What\\ncan be observed, at step 2 above, the counter transitions from 0-\u003e1, at\\nstep [a] from 1-\u003e2 (in order for the miniq object to remain active during\\nthe replacement), then in [b] from 2-\u003e1 and finally [c] 1-\u003e0 with the\\neventual release. The reference counter in general ranges from [0,2] and\\nit does not need to be atomic since all access to the counter is protected\\nby the rtnl mutex. With this in place, there is no longer a UAF happening\\nand the tcx_entry is freed at the correct time.\"}], \"affected\": [{\"product\": \"Linux\", \"vendor\": \"Linux\", \"defaultStatus\": \"unaffected\", \"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"programFiles\": [\"include/net/tcx.h\", \"net/sched/sch_ingress.c\"], \"versions\": [{\"version\": \"e420bed02507\", \"lessThan\": \"230bb13650b0\", \"status\": \"affected\", \"versionType\": \"git\"}, {\"version\": \"e420bed02507\", \"lessThan\": \"f61ecf1bd5b5\", \"status\": \"affected\", \"versionType\": \"git\"}, {\"version\": \"e420bed02507\", \"lessThan\": \"1cb6f0bae504\", \"status\": \"affected\", \"versionType\": \"git\"}]}, {\"product\": \"Linux\", \"vendor\": \"Linux\", \"defaultStatus\": \"affected\", \"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"programFiles\": [\"include/net/tcx.h\", \"net/sched/sch_ingress.c\"], \"versions\": [{\"version\": \"6.6\", \"status\": \"affected\"}, {\"version\": \"0\", \"lessThan\": \"6.6\", \"status\": \"unaffected\", \"versionType\": \"custom\"}, {\"version\": \"6.6.41\", \"lessThanOrEqual\": \"6.6.*\", \"status\": \"unaffected\", \"versionType\": \"custom\"}, {\"version\": \"6.9.10\", \"lessThanOrEqual\": \"6.9.*\", \"status\": \"unaffected\", \"versionType\": \"custom\"}, {\"version\": \"6.10\", \"lessThanOrEqual\": \"*\", \"status\": \"unaffected\", \"versionType\": \"original_commit_for_fix\"}]}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/230bb13650b0f186f540500fd5f5f7096a822a2a\"}, {\"url\": \"https://git.kernel.org/stable/c/f61ecf1bd5b562ebfd7d430ccb31619857e80857\"}, {\"url\": \"https://git.kernel.org/stable/c/1cb6f0bae50441f4b4b32a28315853b279c7404e\"}], \"title\": \"bpf: Fix too early release of tcx_entry\", \"x_generator\": {\"engine\": \"bippy-c9c4e1df01b2\"}}, \"adp\": [{\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-41010\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T16:25:09.492833Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2024-09-11T12:42:20.714Z\"}, \"title\": \"CISA ADP Vulnrichment\"}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-41010\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"Linux\", \"dateReserved\": \"2024-07-12T12:17:45.610Z\", \"datePublished\": \"2024-07-17T06:10:12.051Z\", \"dateUpdated\": \"2024-08-02T04:39:55.990Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.