GHSA-MFC2-Q3P4-2QJV

Vulnerability from github – Published: 2024-10-21 21:30 – Updated: 2025-11-04 00:31
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: accept TCA_STAB only for root qdisc

Most qdiscs maintain their backlog using qdisc_pkt_len(skb) on the assumption it is invariant between the enqueue() and dequeue() handlers.

Unfortunately syzbot can crash a host rather easily using a TBF + SFQ combination, with an STAB on SFQ [1]

We can't support TCA_STAB on arbitrary level, this would require to maintain per-qdisc storage.

[1] [ 88.796496] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 88.798611] #PF: supervisor read access in kernel mode [ 88.799014] #PF: error_code(0x0000) - not-present page [ 88.799506] PGD 0 P4D 0 [ 88.799829] Oops: Oops: 0000 [#1] SMP NOPTI [ 88.800569] CPU: 14 UID: 0 PID: 2053 Comm: b371744477 Not tainted 6.12.0-rc1-virtme #1117 [ 88.801107] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 88.801779] RIP: 0010:sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq [ 88.802544] Code: 0f b7 50 12 48 8d 04 d5 00 00 00 00 48 89 d6 48 29 d0 48 8b 91 c0 01 00 00 48 c1 e0 03 48 01 c2 66 83 7a 1a 00 7e c0 48 8b 3a <4c> 8b 07 4c 89 02 49 89 50 08 48 c7 47 08 00 00 00 00 48 c7 07 00 All code ======== 0: 0f b7 50 12 movzwl 0x12(%rax),%edx 4: 48 8d 04 d5 00 00 00 lea 0x0(,%rdx,8),%rax b: 00 c: 48 89 d6 mov %rdx,%rsi f: 48 29 d0 sub %rdx,%rax 12: 48 8b 91 c0 01 00 00 mov 0x1c0(%rcx),%rdx 19: 48 c1 e0 03 shl $0x3,%rax 1d: 48 01 c2 add %rax,%rdx 20: 66 83 7a 1a 00 cmpw $0x0,0x1a(%rdx) 25: 7e c0 jle 0xffffffffffffffe7 27: 48 8b 3a mov (%rdx),%rdi 2a:* 4c 8b 07 mov (%rdi),%r8 <-- trapping instruction 2d: 4c 89 02 mov %r8,(%rdx) 30: 49 89 50 08 mov %rdx,0x8(%r8) 34: 48 c7 47 08 00 00 00 movq $0x0,0x8(%rdi) 3b: 00 3c: 48 rex.W 3d: c7 .byte 0xc7 3e: 07 (bad) ...

Code starting with the faulting instruction

0: 4c 8b 07 mov (%rdi),%r8 3: 4c 89 02 mov %r8,(%rdx) 6: 49 89 50 08 mov %rdx,0x8(%r8) a: 48 c7 47 08 00 00 00 movq $0x0,0x8(%rdi) 11: 00 12: 48 rex.W 13: c7 .byte 0xc7 14: 07 (bad) ... [ 88.803721] RSP: 0018:ffff9a1f892b7d58 EFLAGS: 00000206 [ 88.804032] RAX: 0000000000000000 RBX: ffff9a1f8420c800 RCX: ffff9a1f8420c800 [ 88.804560] RDX: ffff9a1f81bc1440 RSI: 0000000000000000 RDI: 0000000000000000 [ 88.805056] RBP: ffffffffc04bb0e0 R08: 0000000000000001 R09: 00000000ff7f9a1f [ 88.805473] R10: 000000000001001b R11: 0000000000009a1f R12: 0000000000000140 [ 88.806194] R13: 0000000000000001 R14: ffff9a1f886df400 R15: ffff9a1f886df4ac [ 88.806734] FS: 00007f445601a740(0000) GS:ffff9a2e7fd80000(0000) knlGS:0000000000000000 [ 88.807225] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 88.807672] CR2: 0000000000000000 CR3: 000000050cc46000 CR4: 00000000000006f0 [ 88.808165] Call Trace: [ 88.808459] [ 88.808710] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434) [ 88.809261] ? page_fault_oops (arch/x86/mm/fault.c:715) [ 88.809561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539) [ 88.809806] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623) [ 88.810074] ? sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq [ 88.810411] sfq_reset (net/sched/sch_sfq.c:525) sch_sfq [ 88.810671] qdisc_reset (./include/linux/skbuff.h:2135 ./include/linux/skbuff.h:2441 ./include/linux/skbuff.h:3304 ./include/linux/skbuff.h:3310 net/sched/sch_g ---truncated---

Severity ?
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-50039"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T20:15:16Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: accept TCA_STAB only for root qdisc\n\nMost qdiscs maintain their backlog using qdisc_pkt_len(skb)\non the assumption it is invariant between the enqueue()\nand dequeue() handlers.\n\nUnfortunately syzbot can crash a host rather easily using\na TBF + SFQ combination, with an STAB on SFQ [1]\n\nWe can\u0027t support TCA_STAB on arbitrary level, this would\nrequire to maintain per-qdisc storage.\n\n[1]\n[   88.796496] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[   88.798611] #PF: supervisor read access in kernel mode\n[   88.799014] #PF: error_code(0x0000) - not-present page\n[   88.799506] PGD 0 P4D 0\n[   88.799829] Oops: Oops: 0000 [#1] SMP NOPTI\n[   88.800569] CPU: 14 UID: 0 PID: 2053 Comm: b371744477 Not tainted 6.12.0-rc1-virtme #1117\n[   88.801107] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   88.801779] RIP: 0010:sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq\n[ 88.802544] Code: 0f b7 50 12 48 8d 04 d5 00 00 00 00 48 89 d6 48 29 d0 48 8b 91 c0 01 00 00 48 c1 e0 03 48 01 c2 66 83 7a 1a 00 7e c0 48 8b 3a \u003c4c\u003e 8b 07 4c 89 02 49 89 50 08 48 c7 47 08 00 00 00 00 48 c7 07 00\nAll code\n========\n   0:\t0f b7 50 12          \tmovzwl 0x12(%rax),%edx\n   4:\t48 8d 04 d5 00 00 00 \tlea    0x0(,%rdx,8),%rax\n   b:\t00\n   c:\t48 89 d6             \tmov    %rdx,%rsi\n   f:\t48 29 d0             \tsub    %rdx,%rax\n  12:\t48 8b 91 c0 01 00 00 \tmov    0x1c0(%rcx),%rdx\n  19:\t48 c1 e0 03          \tshl    $0x3,%rax\n  1d:\t48 01 c2             \tadd    %rax,%rdx\n  20:\t66 83 7a 1a 00       \tcmpw   $0x0,0x1a(%rdx)\n  25:\t7e c0                \tjle    0xffffffffffffffe7\n  27:\t48 8b 3a             \tmov    (%rdx),%rdi\n  2a:*\t4c 8b 07             \tmov    (%rdi),%r8\t\t\u003c-- trapping instruction\n  2d:\t4c 89 02             \tmov    %r8,(%rdx)\n  30:\t49 89 50 08          \tmov    %rdx,0x8(%r8)\n  34:\t48 c7 47 08 00 00 00 \tmovq   $0x0,0x8(%rdi)\n  3b:\t00\n  3c:\t48                   \trex.W\n  3d:\tc7                   \t.byte 0xc7\n  3e:\t07                   \t(bad)\n\t...\n\nCode starting with the faulting instruction\n===========================================\n   0:\t4c 8b 07             \tmov    (%rdi),%r8\n   3:\t4c 89 02             \tmov    %r8,(%rdx)\n   6:\t49 89 50 08          \tmov    %rdx,0x8(%r8)\n   a:\t48 c7 47 08 00 00 00 \tmovq   $0x0,0x8(%rdi)\n  11:\t00\n  12:\t48                   \trex.W\n  13:\tc7                   \t.byte 0xc7\n  14:\t07                   \t(bad)\n\t...\n[   88.803721] RSP: 0018:ffff9a1f892b7d58 EFLAGS: 00000206\n[   88.804032] RAX: 0000000000000000 RBX: ffff9a1f8420c800 RCX: ffff9a1f8420c800\n[   88.804560] RDX: ffff9a1f81bc1440 RSI: 0000000000000000 RDI: 0000000000000000\n[   88.805056] RBP: ffffffffc04bb0e0 R08: 0000000000000001 R09: 00000000ff7f9a1f\n[   88.805473] R10: 000000000001001b R11: 0000000000009a1f R12: 0000000000000140\n[   88.806194] R13: 0000000000000001 R14: ffff9a1f886df400 R15: ffff9a1f886df4ac\n[   88.806734] FS:  00007f445601a740(0000) GS:ffff9a2e7fd80000(0000) knlGS:0000000000000000\n[   88.807225] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   88.807672] CR2: 0000000000000000 CR3: 000000050cc46000 CR4: 00000000000006f0\n[   88.808165] Call Trace:\n[   88.808459]  \u003cTASK\u003e\n[   88.808710] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)\n[   88.809261] ? page_fault_oops (arch/x86/mm/fault.c:715)\n[   88.809561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)\n[   88.809806] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)\n[   88.810074] ? sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq\n[   88.810411] sfq_reset (net/sched/sch_sfq.c:525) sch_sfq\n[   88.810671] qdisc_reset (./include/linux/skbuff.h:2135 ./include/linux/skbuff.h:2441 ./include/linux/skbuff.h:3304 ./include/linux/skbuff.h:3310 net/sched/sch_g\n---truncated---",
  "id": "GHSA-mfc2-q3p4-2qjv",
  "modified": "2025-11-04T00:31:45Z",
  "published": "2024-10-21T21:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50039"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1edf039ee01788ffc25625fe58a903ae2efa213e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2acbb9539bc2284e30d2aeb789c3d96287014264"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3cb7cf1540ddff5473d6baeb530228d19bc97b8a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3dc6ee96473cc2962c6db4297d4631f261be150f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/76feedc74b90270390fbfdf74a2e944e96872363"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8fb6503592d39065316f45d267c5527b4e7cd995"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/adbc3eef43fc94c7c8436da832691ae02333a972"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.