cve/published/2024/CVE-2024-53044.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-53044: net/sched: sch_api: fix xa_insert() error path in tcf_block_get_ext()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net/sched: sch_api: fix xa_insert() error path in tcf_block_get_ext()

 This command:

 $ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact
 Error: block dev insert failed: -EBUSY.

 fails because user space requests the same block index to be set for
 both ingress and egress.

 [ side note, I don't think it even failed prior to commit 913b47d3424e
   ("net/sched: Introduce tc block netdev tracking infra"), because this
   is a command from an old set of notes of mine which used to work, but
   alas, I did not scientifically bisect this ]

 The problem is not that it fails, but rather, that the second time
 around, it fails differently (and irrecoverably):

 $ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact
 Error: dsa_core: Flow block cb is busy.

 [ another note: the extack is added by me for illustration purposes.
   the context of the problem is that clsact_init() obtains the same
   &q->ingress_block pointer as &q->egress_block, and since we call
   tcf_block_get_ext() on both of them, "dev" will be added to the
   block->ports xarray twice, thus failing the operation: once through
   the ingress block pointer, and once again through the egress block
   pointer. the problem itself is that when xa_insert() fails, we have
   emitted a FLOW_BLOCK_BIND command through ndo_setup_tc(), but the
   offload never sees a corresponding FLOW_BLOCK_UNBIND. ]

 Even correcting the bad user input, we still cannot recover:

 $ tc qdisc replace dev swp3 ingress_block 1 egress_block 2 clsact
 Error: dsa_core: Flow block cb is busy.

 Basically the only way to recover is to reboot the system, or unbind and
 rebind the net device driver.

 To fix the bug, we need to fill the correct error teardown path which
 was missed during code movement, and call tcf_block_offload_unbind()
 when xa_insert() fails.

 [ last note, fundamentally I blame the label naming convention in
   tcf_block_get_ext() for the bug. The labels should be named after what
   they do, not after the error path that jumps to them. This way, it is
   obviously wrong that two labels pointing to the same code mean
   something is wrong, and checking the code correctness at the goto site
   is also easier ]

 The Linux kernel CVE team has assigned CVE-2024-53044 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.8 with commit 94e2557d086ad831027c54bc9c2130d337c72814 and fixed in 6.11.7 with commit 8966eb69a143b1c032365fe84f2815f3c46f2590
 	Issue introduced in 6.8 with commit 94e2557d086ad831027c54bc9c2130d337c72814 and fixed in 6.12 with commit a13e690191eafc154b3f60afe9ce35aa9b9128b4

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-53044
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/sched/cls_api.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8966eb69a143b1c032365fe84f2815f3c46f2590
 	https://git.kernel.org/stable/c/a13e690191eafc154b3f60afe9ce35aa9b9128b4
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-53044: net/sched: sch_api: fix xa_insert() error path in tcf_block_get_ext()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net/sched: sch_api: fix xa_insert() error path in tcf_block_get_ext()

	This command:

	$ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact
	Error: block dev insert failed: -EBUSY.

	fails because user space requests the same block index to be set for
	both ingress and egress.

	[ side note, I don't think it even failed prior to commit 913b47d3424e
	("net/sched: Introduce tc block netdev tracking infra"), because this
	is a command from an old set of notes of mine which used to work, but
	alas, I did not scientifically bisect this ]

	The problem is not that it fails, but rather, that the second time
	around, it fails differently (and irrecoverably):

	$ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact
	Error: dsa_core: Flow block cb is busy.

	[ another note: the extack is added by me for illustration purposes.
	the context of the problem is that clsact_init() obtains the same
	&q->ingress_block pointer as &q->egress_block, and since we call
	tcf_block_get_ext() on both of them, "dev" will be added to the
	block->ports xarray twice, thus failing the operation: once through
	the ingress block pointer, and once again through the egress block
	pointer. the problem itself is that when xa_insert() fails, we have
	emitted a FLOW_BLOCK_BIND command through ndo_setup_tc(), but the
	offload never sees a corresponding FLOW_BLOCK_UNBIND. ]

	Even correcting the bad user input, we still cannot recover:

	$ tc qdisc replace dev swp3 ingress_block 1 egress_block 2 clsact
	Error: dsa_core: Flow block cb is busy.

	Basically the only way to recover is to reboot the system, or unbind and
	rebind the net device driver.

	To fix the bug, we need to fill the correct error teardown path which
	was missed during code movement, and call tcf_block_offload_unbind()
	when xa_insert() fails.

	[ last note, fundamentally I blame the label naming convention in
	tcf_block_get_ext() for the bug. The labels should be named after what
	they do, not after the error path that jumps to them. This way, it is
	obviously wrong that two labels pointing to the same code mean
	something is wrong, and checking the code correctness at the goto site
	is also easier ]

	The Linux kernel CVE team has assigned CVE-2024-53044 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.8 with commit 94e2557d086ad831027c54bc9c2130d337c72814 and fixed in 6.11.7 with commit 8966eb69a143b1c032365fe84f2815f3c46f2590
	Issue introduced in 6.8 with commit 94e2557d086ad831027c54bc9c2130d337c72814 and fixed in 6.12 with commit a13e690191eafc154b3f60afe9ce35aa9b9128b4

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-53044
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/sched/cls_api.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8966eb69a143b1c032365fe84f2815f3c46f2590
	https://git.kernel.org/stable/c/a13e690191eafc154b3f60afe9ce35aa9b9128b4