fkie_cve-2024-53044
Vulnerability from fkie_nvd
Published
2024-11-19 18:15
Modified
2024-11-27 16:40
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_api: fix xa_insert() error path in tcf_block_get_ext() This command: $ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact Error: block dev insert failed: -EBUSY. fails because user space requests the same block index to be set for both ingress and egress. [ side note, I don't think it even failed prior to commit 913b47d3424e ("net/sched: Introduce tc block netdev tracking infra"), because this is a command from an old set of notes of mine which used to work, but alas, I did not scientifically bisect this ] The problem is not that it fails, but rather, that the second time around, it fails differently (and irrecoverably): $ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact Error: dsa_core: Flow block cb is busy. [ another note: the extack is added by me for illustration purposes. the context of the problem is that clsact_init() obtains the same &q->ingress_block pointer as &q->egress_block, and since we call tcf_block_get_ext() on both of them, "dev" will be added to the block->ports xarray twice, thus failing the operation: once through the ingress block pointer, and once again through the egress block pointer. the problem itself is that when xa_insert() fails, we have emitted a FLOW_BLOCK_BIND command through ndo_setup_tc(), but the offload never sees a corresponding FLOW_BLOCK_UNBIND. ] Even correcting the bad user input, we still cannot recover: $ tc qdisc replace dev swp3 ingress_block 1 egress_block 2 clsact Error: dsa_core: Flow block cb is busy. Basically the only way to recover is to reboot the system, or unbind and rebind the net device driver. To fix the bug, we need to fill the correct error teardown path which was missed during code movement, and call tcf_block_offload_unbind() when xa_insert() fails. [ last note, fundamentally I blame the label naming convention in tcf_block_get_ext() for the bug. The labels should be named after what they do, not after the error path that jumps to them. This way, it is obviously wrong that two labels pointing to the same code mean something is wrong, and checking the code correctness at the goto site is also easier ]
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8966eb69a143b1c032365fe84f2815f3c46f2590Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a13e690191eafc154b3f60afe9ce35aa9b9128b4Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel 6.12
linux linux_kernel 6.12
linux linux_kernel 6.12
linux linux_kernel 6.12
linux linux_kernel 6.12


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "40C0D9F3-9632-46FE-AA28-8CD73B52DEE7",
              "versionEndExcluding": "6.11.7",
              "versionStartIncluding": "6.8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "7F361E1D-580F-4A2D-A509-7615F73167A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "925478D0-3E3D-4E6F-ACD5-09F28D5DF82C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "3C95E234-D335-4B6C-96BF-E2CEBD8654ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "E0F717D8-3014-4F84-8086-0124B2111379",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "24DBE6C7-2AAE-4818-AED2-E131F153D2FA",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_api: fix xa_insert() error path in tcf_block_get_ext()\n\nThis command:\n\n$ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact\nError: block dev insert failed: -EBUSY.\n\nfails because user space requests the same block index to be set for\nboth ingress and egress.\n\n[ side note, I don\u0027t think it even failed prior to commit 913b47d3424e\n  (\"net/sched: Introduce tc block netdev tracking infra\"), because this\n  is a command from an old set of notes of mine which used to work, but\n  alas, I did not scientifically bisect this ]\n\nThe problem is not that it fails, but rather, that the second time\naround, it fails differently (and irrecoverably):\n\n$ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact\nError: dsa_core: Flow block cb is busy.\n\n[ another note: the extack is added by me for illustration purposes.\n  the context of the problem is that clsact_init() obtains the same\n  \u0026q-\u003eingress_block pointer as \u0026q-\u003eegress_block, and since we call\n  tcf_block_get_ext() on both of them, \"dev\" will be added to the\n  block-\u003eports xarray twice, thus failing the operation: once through\n  the ingress block pointer, and once again through the egress block\n  pointer. the problem itself is that when xa_insert() fails, we have\n  emitted a FLOW_BLOCK_BIND command through ndo_setup_tc(), but the\n  offload never sees a corresponding FLOW_BLOCK_UNBIND. ]\n\nEven correcting the bad user input, we still cannot recover:\n\n$ tc qdisc replace dev swp3 ingress_block 1 egress_block 2 clsact\nError: dsa_core: Flow block cb is busy.\n\nBasically the only way to recover is to reboot the system, or unbind and\nrebind the net device driver.\n\nTo fix the bug, we need to fill the correct error teardown path which\nwas missed during code movement, and call tcf_block_offload_unbind()\nwhen xa_insert() fails.\n\n[ last note, fundamentally I blame the label naming convention in\n  tcf_block_get_ext() for the bug. The labels should be named after what\n  they do, not after the error path that jumps to them. This way, it is\n  obviously wrong that two labels pointing to the same code mean\n  something is wrong, and checking the code correctness at the goto site\n  is also easier ]"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/sched: sch_api: corregir la ruta del error xa_insert() en tcf_block_get_ext() Este comando: $ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact Error: la inserci\u00f3n dev del bloque fall\u00f3: -EBUSY. falla porque el espacio de usuario solicita que se configure el mismo \u00edndice de bloque tanto para el ingreso como para el egreso. [nota al margen, no creo que haya fallado antes del commit 913b47d3424e (\"net/sched: Introduce tc block netdev tracking infra\"), porque este es un comando de un antiguo conjunto de notas m\u00edas que sol\u00edan funcionar, pero por desgracia, no lo divid\u00ed cient\u00edficamente] El problema no es que falle, sino que la segunda vez, falla de forma diferente (e irrecuperable): $ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact Error: dsa_core: Flow block cb is busy. [otra nota: el extack lo agregu\u00e9 yo con fines ilustrativos. El contexto del problema es que clsact_init() obtiene el mismo puntero \u0026amp;q-\u0026gt;ingress_block que \u0026amp;q-\u0026gt;egress_block, y dado que llamamos a tcf_block_get_ext() en ambos, \"dev\" se agregar\u00e1 al xarray block-\u0026gt;ports dos veces, lo que har\u00e1 que la operaci\u00f3n falle: una vez a trav\u00e9s del puntero del bloque de ingreso y otra vez a trav\u00e9s del puntero del bloque de egreso. El problema en s\u00ed es que cuando xa_insert() falla, hemos emitido un comando FLOW_BLOCK_BIND a trav\u00e9s de ndo_setup_tc(), pero la descarga nunca ve un FLOW_BLOCK_UNBIND correspondiente. Incluso corrigiendo la entrada incorrecta del usuario, a\u00fan no podemos recuperarnos: $ tc qdisc replace dev swp3 ingress_block 1 egress_block 2 clsact Error: dsa_core: el bloque de flujo cb est\u00e1 ocupado. B\u00e1sicamente, la \u00fanica forma de recuperarse es reiniciar el sistema o desvincular y volver a vincular el controlador del dispositivo de red. Para corregir el error, debemos completar la ruta de desmontaje de error correcta que se omiti\u00f3 durante el movimiento del c\u00f3digo y llamar a tcf_block_offload_unbind() cuando falla xa_insert(). [\u00daltima nota: fundamentalmente culpo a la convenci\u00f3n de nombres de etiquetas en tcf_block_get_ext() por el error. Las etiquetas deben tener el nombre de lo que hacen, no de la ruta de error que las lleva a ellas. De esta manera, es obviamente incorrecto que dos etiquetas que apuntan al mismo c\u00f3digo signifiquen que algo est\u00e1 mal, y verificar la correcci\u00f3n del c\u00f3digo en el sitio de destino tambi\u00e9n es m\u00e1s f\u00e1cil]"
    }
  ],
  "id": "CVE-2024-53044",
  "lastModified": "2024-11-27T16:40:06.963",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-11-19T18:15:24.877",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/8966eb69a143b1c032365fe84f2815f3c46f2590"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/a13e690191eafc154b3f60afe9ce35aa9b9128b4"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.