cve/published/2024/CVE-2024-53044.json - pub/scm/linux/security/vulns - Git at Google

 {
    "containers": {
       "cna": {
          "providerMetadata": {
             "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
          },
          "descriptions": [
             {
                "lang": "en",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_api: fix xa_insert() error path in tcf_block_get_ext()\n\nThis command:\n\n$ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact\nError: block dev insert failed: -EBUSY.\n\nfails because user space requests the same block index to be set for\nboth ingress and egress.\n\n[ side note, I don't think it even failed prior to commit 913b47d3424e\n  (\"net/sched: Introduce tc block netdev tracking infra\"), because this\n  is a command from an old set of notes of mine which used to work, but\n  alas, I did not scientifically bisect this ]\n\nThe problem is not that it fails, but rather, that the second time\naround, it fails differently (and irrecoverably):\n\n$ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact\nError: dsa_core: Flow block cb is busy.\n\n[ another note: the extack is added by me for illustration purposes.\n  the context of the problem is that clsact_init() obtains the same\n  &q->ingress_block pointer as &q->egress_block, and since we call\n  tcf_block_get_ext() on both of them, \"dev\" will be added to the\n  block->ports xarray twice, thus failing the operation: once through\n  the ingress block pointer, and once again through the egress block\n  pointer. the problem itself is that when xa_insert() fails, we have\n  emitted a FLOW_BLOCK_BIND command through ndo_setup_tc(), but the\n  offload never sees a corresponding FLOW_BLOCK_UNBIND. ]\n\nEven correcting the bad user input, we still cannot recover:\n\n$ tc qdisc replace dev swp3 ingress_block 1 egress_block 2 clsact\nError: dsa_core: Flow block cb is busy.\n\nBasically the only way to recover is to reboot the system, or unbind and\nrebind the net device driver.\n\nTo fix the bug, we need to fill the correct error teardown path which\nwas missed during code movement, and call tcf_block_offload_unbind()\nwhen xa_insert() fails.\n\n[ last note, fundamentally I blame the label naming convention in\n  tcf_block_get_ext() for the bug. The labels should be named after what\n  they do, not after the error path that jumps to them. This way, it is\n  obviously wrong that two labels pointing to the same code mean\n  something is wrong, and checking the code correctness at the goto site\n  is also easier ]"
             }
          ],
          "affected": [
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "unaffected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "net/sched/cls_api.c"
                ],
                "versions": [
                   {
                      "version": "94e2557d086ad831027c54bc9c2130d337c72814",
                      "lessThan": "8966eb69a143b1c032365fe84f2815f3c46f2590",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "94e2557d086ad831027c54bc9c2130d337c72814",
                      "lessThan": "a13e690191eafc154b3f60afe9ce35aa9b9128b4",
                      "status": "affected",
                      "versionType": "git"
                   }
                ]
             },
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "affected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "net/sched/cls_api.c"
                ],
                "versions": [
                   {
                      "version": "6.8",
                      "status": "affected"
                   },
                   {
                      "version": "0",
                      "lessThan": "6.8",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.11.7",
                      "lessThanOrEqual": "6.11.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.12",
                      "lessThanOrEqual": "*",
                      "status": "unaffected",
                      "versionType": "original_commit_for_fix"
                   }
                ]
             }
          ],
          "cpeApplicability": [
             {
                "nodes": [
                   {
                      "operator": "OR",
                      "negate": false,
                      "cpeMatch": [
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "6.8",
                            "versionEndExcluding": "6.11.7"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "6.8",
                            "versionEndExcluding": "6.12"
                         }
                      ]
                   }
                ]
             }
          ],
          "references": [
             {
                "url": "https://git.kernel.org/stable/c/8966eb69a143b1c032365fe84f2815f3c46f2590"
             },
             {
                "url": "https://git.kernel.org/stable/c/a13e690191eafc154b3f60afe9ce35aa9b9128b4"
             }
          ],
          "title": "net/sched: sch_api: fix xa_insert() error path in tcf_block_get_ext()",
          "x_generator": {
             "engine": "bippy-1.2.0"
          }
       }
    },
    "cveMetadata": {
       "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
       "cveID": "CVE-2024-53044",
       "requesterUserId": "gregkh@kernel.org",
       "serial": "1",
       "state": "PUBLISHED"
    },
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0"
 }
	{
	"containers": {
	"cna": {
	"providerMetadata": {
	"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
	},
	"descriptions": [
	{
	"lang": "en",
	"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_api: fix xa_insert() error path in tcf_block_get_ext()\n\nThis command:\n\n$ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact\nError: block dev insert failed: -EBUSY.\n\nfails because user space requests the same block index to be set for\nboth ingress and egress.\n\n[ side note, I don't think it even failed prior to commit 913b47d3424e\n (\"net/sched: Introduce tc block netdev tracking infra\"), because this\n is a command from an old set of notes of mine which used to work, but\n alas, I did not scientifically bisect this ]\n\nThe problem is not that it fails, but rather, that the second time\naround, it fails differently (and irrecoverably):\n\n$ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact\nError: dsa_core: Flow block cb is busy.\n\n[ another note: the extack is added by me for illustration purposes.\n the context of the problem is that clsact_init() obtains the same\n &q->ingress_block pointer as &q->egress_block, and since we call\n tcf_block_get_ext() on both of them, \"dev\" will be added to the\n block->ports xarray twice, thus failing the operation: once through\n the ingress block pointer, and once again through the egress block\n pointer. the problem itself is that when xa_insert() fails, we have\n emitted a FLOW_BLOCK_BIND command through ndo_setup_tc(), but the\n offload never sees a corresponding FLOW_BLOCK_UNBIND. ]\n\nEven correcting the bad user input, we still cannot recover:\n\n$ tc qdisc replace dev swp3 ingress_block 1 egress_block 2 clsact\nError: dsa_core: Flow block cb is busy.\n\nBasically the only way to recover is to reboot the system, or unbind and\nrebind the net device driver.\n\nTo fix the bug, we need to fill the correct error teardown path which\nwas missed during code movement, and call tcf_block_offload_unbind()\nwhen xa_insert() fails.\n\n[ last note, fundamentally I blame the label naming convention in\n tcf_block_get_ext() for the bug. The labels should be named after what\n they do, not after the error path that jumps to them. This way, it is\n obviously wrong that two labels pointing to the same code mean\n something is wrong, and checking the code correctness at the goto site\n is also easier ]"
	}
	],
	"affected": [
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "unaffected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"net/sched/cls_api.c"
	],
	"versions": [
	{
	"version": "94e2557d086ad831027c54bc9c2130d337c72814",
	"lessThan": "8966eb69a143b1c032365fe84f2815f3c46f2590",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "94e2557d086ad831027c54bc9c2130d337c72814",
	"lessThan": "a13e690191eafc154b3f60afe9ce35aa9b9128b4",
	"status": "affected",
	"versionType": "git"
	}
	]
	},
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "affected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"net/sched/cls_api.c"
	],
	"versions": [
	{
	"version": "6.8",
	"status": "affected"
	},
	{
	"version": "0",
	"lessThan": "6.8",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.11.7",
	"lessThanOrEqual": "6.11.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.12",
	"lessThanOrEqual": "*",
	"status": "unaffected",
	"versionType": "original_commit_for_fix"
	}
	]
	}
	],
	"cpeApplicability": [
	{
	"nodes": [
	{
	"operator": "OR",
	"negate": false,
	"cpeMatch": [
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "6.8",
	"versionEndExcluding": "6.11.7"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "6.8",
	"versionEndExcluding": "6.12"
	}
	]
	}
	]
	}
	],
	"references": [
	{
	"url": "https://git.kernel.org/stable/c/8966eb69a143b1c032365fe84f2815f3c46f2590"
	},
	{
	"url": "https://git.kernel.org/stable/c/a13e690191eafc154b3f60afe9ce35aa9b9128b4"
	}
	],
	"title": "net/sched: sch_api: fix xa_insert() error path in tcf_block_get_ext()",
	"x_generator": {
	"engine": "bippy-1.2.0"
	}
	}
	},
	"cveMetadata": {
	"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
	"cveID": "CVE-2024-53044",
	"requesterUserId": "gregkh@kernel.org",
	"serial": "1",
	"state": "PUBLISHED"
	},
	"dataType": "CVE_RECORD",
	"dataVersion": "5.0"
	}