ghsa-g4gg-7gqp-cf6m
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_api: fix xa_insert() error path in tcf_block_get_ext()
This command:
$ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact Error: block dev insert failed: -EBUSY.
fails because user space requests the same block index to be set for both ingress and egress.
[ side note, I don't think it even failed prior to commit 913b47d3424e ("net/sched: Introduce tc block netdev tracking infra"), because this is a command from an old set of notes of mine which used to work, but alas, I did not scientifically bisect this ]
The problem is not that it fails, but rather, that the second time around, it fails differently (and irrecoverably):
$ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact Error: dsa_core: Flow block cb is busy.
[ another note: the extack is added by me for illustration purposes. the context of the problem is that clsact_init() obtains the same &q->ingress_block pointer as &q->egress_block, and since we call tcf_block_get_ext() on both of them, "dev" will be added to the block->ports xarray twice, thus failing the operation: once through the ingress block pointer, and once again through the egress block pointer. the problem itself is that when xa_insert() fails, we have emitted a FLOW_BLOCK_BIND command through ndo_setup_tc(), but the offload never sees a corresponding FLOW_BLOCK_UNBIND. ]
Even correcting the bad user input, we still cannot recover:
$ tc qdisc replace dev swp3 ingress_block 1 egress_block 2 clsact Error: dsa_core: Flow block cb is busy.
Basically the only way to recover is to reboot the system, or unbind and rebind the net device driver.
To fix the bug, we need to fill the correct error teardown path which was missed during code movement, and call tcf_block_offload_unbind() when xa_insert() fails.
[ last note, fundamentally I blame the label naming convention in tcf_block_get_ext() for the bug. The labels should be named after what they do, not after the error path that jumps to them. This way, it is obviously wrong that two labels pointing to the same code mean something is wrong, and checking the code correctness at the goto site is also easier ]
{
"affected": [],
"aliases": [
"CVE-2024-53044"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-19T18:15:24Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_api: fix xa_insert() error path in tcf_block_get_ext()\n\nThis command:\n\n$ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact\nError: block dev insert failed: -EBUSY.\n\nfails because user space requests the same block index to be set for\nboth ingress and egress.\n\n[ side note, I don\u0027t think it even failed prior to commit 913b47d3424e\n (\"net/sched: Introduce tc block netdev tracking infra\"), because this\n is a command from an old set of notes of mine which used to work, but\n alas, I did not scientifically bisect this ]\n\nThe problem is not that it fails, but rather, that the second time\naround, it fails differently (and irrecoverably):\n\n$ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact\nError: dsa_core: Flow block cb is busy.\n\n[ another note: the extack is added by me for illustration purposes.\n the context of the problem is that clsact_init() obtains the same\n \u0026q-\u003eingress_block pointer as \u0026q-\u003eegress_block, and since we call\n tcf_block_get_ext() on both of them, \"dev\" will be added to the\n block-\u003eports xarray twice, thus failing the operation: once through\n the ingress block pointer, and once again through the egress block\n pointer. the problem itself is that when xa_insert() fails, we have\n emitted a FLOW_BLOCK_BIND command through ndo_setup_tc(), but the\n offload never sees a corresponding FLOW_BLOCK_UNBIND. ]\n\nEven correcting the bad user input, we still cannot recover:\n\n$ tc qdisc replace dev swp3 ingress_block 1 egress_block 2 clsact\nError: dsa_core: Flow block cb is busy.\n\nBasically the only way to recover is to reboot the system, or unbind and\nrebind the net device driver.\n\nTo fix the bug, we need to fill the correct error teardown path which\nwas missed during code movement, and call tcf_block_offload_unbind()\nwhen xa_insert() fails.\n\n[ last note, fundamentally I blame the label naming convention in\n tcf_block_get_ext() for the bug. The labels should be named after what\n they do, not after the error path that jumps to them. This way, it is\n obviously wrong that two labels pointing to the same code mean\n something is wrong, and checking the code correctness at the goto site\n is also easier ]",
"id": "GHSA-g4gg-7gqp-cf6m",
"modified": "2024-11-27T18:34:01Z",
"published": "2024-11-19T18:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53044"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8966eb69a143b1c032365fe84f2815f3c46f2590"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a13e690191eafc154b3f60afe9ce35aa9b9128b4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.