{ "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", "CVE_data_meta": { "ID": "CVE-2024-46828", "ASSIGNER": "cve@kernel.org", "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched: sch_cake: fix bulk flow accounting logic for host fairness\n\nIn sch_cake, we keep track of the count of active bulk flows per host,\nwhen running in dst/src host fairness mode, which is used as the\nround-robin weight when iterating through flows. The count of active\nbulk flows is updated whenever a flow changes state.\n\nThis has a peculiar interaction with the hash collision handling: when a\nhash collision occurs (after the set-associative hashing), the state of\nthe hash bucket is simply updated to match the new packet that collided,\nand if host fairness is enabled, that also means assigning new per-host\nstate to the flow. For this reason, the bulk flow counters of the\nhost(s) assigned to the flow are decremented, before new state is\nassigned (and the counters, which may not belong to the same host\nanymore, are incremented again).\n\nBack when this code was introduced, the host fairness mode was always\nenabled, so the decrement was unconditional. When the configuration\nflags were introduced the *increment* was made conditional, but\nthe *decrement* was not. Which of course can lead to a spurious\ndecrement (and associated wrap-around to U16_MAX).\n\nAFAICT, when host fairness is disabled, the decrement and wrap-around\nhappens as soon as a hash collision occurs (which is not that common in\nitself, due to the set-associative hashing). However, in most cases this\nis harmless, as the value is only used when host fairness mode is\nenabled. So in order to trigger an array overflow, sch_cake has to first\nbe configured with host fairness disabled, and while running in this\nmode, a hash collision has to occur to cause the overflow. Then, the\nqdisc has to be reconfigured to enable host fairness, which leads to the\narray out-of-bounds because the wrapped-around value is retained and\nused as an array index. It seems that syzbot managed to trigger this,\nwhich is quite impressive in its own right.\n\nThis patch fixes the issue by introducing the same conditional check on\ndecrement as is used on increment.\n\nThe original bug predates the upstreaming of cake, but the commit listed\nin the Fixes tag touched that code, meaning that this patch won't apply\nbefore that." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "affects": { "vendor": { "vendor_data": [ { "vendor_name": "Linux", "product": { "product_data": [ { "product_name": "Linux", "version": { "version_data": [ { "version_affected": "<", "version_name": "712639929912", "version_value": "4a4eeefa514d" }, { "version_value": "not down converted", "x_cve_json_5_version_data": { "versions": [ { "version": "5.1", "status": "affected" }, { "version": "0", "lessThan": "5.1", "status": "unaffected", "versionType": "semver" }, { "version": "5.4.284", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.10.226", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.15.167", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.1.110", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.6.51", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.10.10", "lessThanOrEqual": "6.10.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.11", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ], "defaultStatus": "affected" } } ] } } ] } } ] } }, "references": { "reference_data": [ { "url": "https://git.kernel.org/stable/c/4a4eeefa514db570be025ab46d779af180e2c9bb", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/4a4eeefa514db570be025ab46d779af180e2c9bb" }, { "url": "https://git.kernel.org/stable/c/7725152b54d295b7da5e34c2f419539b30d017bd", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/7725152b54d295b7da5e34c2f419539b30d017bd" }, { "url": "https://git.kernel.org/stable/c/cde71a5677971f4f1b69b25e854891dbe78066a4", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/cde71a5677971f4f1b69b25e854891dbe78066a4" }, { "url": "https://git.kernel.org/stable/c/549e407569e08459d16122341d332cb508024094", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/549e407569e08459d16122341d332cb508024094" }, { "url": "https://git.kernel.org/stable/c/d4a9039a7b3d8005b90c7b1a55a306444f0e5447", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/d4a9039a7b3d8005b90c7b1a55a306444f0e5447" }, { "url": "https://git.kernel.org/stable/c/d7c01c0714c04431b5e18cf17a9ea68a553d1c3c", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/d7c01c0714c04431b5e18cf17a9ea68a553d1c3c" }, { "url": "https://git.kernel.org/stable/c/546ea84d07e3e324644025e2aae2d12ea4c5896e", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/546ea84d07e3e324644025e2aae2d12ea4c5896e" } ] }, "generator": { "engine": "bippy-9e1c9544281a" } }