{ "id": "CVE-2024-41010", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-07-17T07:15:02.183", "lastModified": "2024-07-19T15:24:59.137", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix too early release of tcx_entry\n\nPedro Pinto and later independently also Hyunwoo Kim and Wongi Lee reported\nan issue that the tcx_entry can be released too early leading to a use\nafter free (UAF) when an active old-style ingress or clsact qdisc with a\nshared tc block is later replaced by another ingress or clsact instance.\n\nEssentially, the sequence to trigger the UAF (one example) can be as follows:\n\n 1. A network namespace is created\n 2. An ingress qdisc is created. This allocates a tcx_entry, and\n &tcx_entry->miniq is stored in the qdisc's miniqp->p_miniq. At the\n same time, a tcf block with index 1 is created.\n 3. chain0 is attached to the tcf block. chain0 must be connected to\n the block linked to the ingress qdisc to later reach the function\n tcf_chain0_head_change_cb_del() which triggers the UAF.\n 4. Create and graft a clsact qdisc. This causes the ingress qdisc\n created in step 1 to be removed, thus freeing the previously linked\n tcx_entry:\n\n rtnetlink_rcv_msg()\n => tc_modify_qdisc()\n => qdisc_create()\n => clsact_init() [a]\n => qdisc_graft()\n => qdisc_destroy()\n => __qdisc_destroy()\n => ingress_destroy() [b]\n => tcx_entry_free()\n => kfree_rcu() // tcx_entry freed\n\n 5. Finally, the network namespace is closed. This registers the\n cleanup_net worker, and during the process of releasing the\n remaining clsact qdisc, it accesses the tcx_entry that was\n already freed in step 4, causing the UAF to occur:\n\n cleanup_net()\n => ops_exit_list()\n => default_device_exit_batch()\n => unregister_netdevice_many()\n => unregister_netdevice_many_notify()\n => dev_shutdown()\n => qdisc_put()\n => clsact_destroy() [c]\n => tcf_block_put_ext()\n => tcf_chain0_head_change_cb_del()\n => tcf_chain_head_change_item()\n => clsact_chain_head_change()\n => mini_qdisc_pair_swap() // UAF\n\nThere are also other variants, the gist is to add an ingress (or clsact)\nqdisc with a specific shared block, then to replace that qdisc, waiting\nfor the tcx_entry kfree_rcu() to be executed and subsequently accessing\nthe current active qdisc's miniq one way or another.\n\nThe correct fix is to turn the miniq_active boolean into a counter. What\ncan be observed, at step 2 above, the counter transitions from 0->1, at\nstep [a] from 1->2 (in order for the miniq object to remain active during\nthe replacement), then in [b] from 2->1 and finally [c] 1->0 with the\neventual release. The reference counter in general ranges from [0,2] and\nit does not need to be atomic since all access to the counter is protected\nby the rtnl mutex. With this in place, there is no longer a UAF happening\nand the tcx_entry is freed at the correct time." }, { "lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: bpf: Se solucion\u00f3 el lanzamiento demasiado temprano de tcx_entry Pedro Pinto y m\u00e1s tarde, de forma independiente, tambi\u00e9n Hyunwoo Kim y Wongi Lee informaron un problema por el cual tcx_entry se puede lanzar demasiado pronto, lo que lleva a un uso posterior a la liberaci\u00f3n (UAF ) cuando una qdisc ingress o clsact antigua activa con un bloque tc compartido se reemplaza posteriormente por otra instancia de ingress o clsact. Esencialmente, la secuencia para activar la UAF (un ejemplo) puede ser la siguiente: 1. Se crea un espacio de nombres de red. 2. Se crea una qdisc de entrada. Esto asigna un tcx_entry, y &tcx_entry->miniq se almacena en el miniqp->p_miniq de la qdisc. Al mismo tiempo, se crea un bloque tcf con \u00edndice 1. 3. chain0 est\u00e1 adjunta al bloque tcf. chain0 debe estar conectado al bloque vinculado a la qdisc de ingreso para luego llegar a la funci\u00f3n tcf_chain0_head_change_cb_del() que activa la UAF. 4. Cree e injerte una qdisc clsact. Esto hace que se elimine la qdisc de entrada creada en el paso 1, liberando as\u00ed la tcx_entry previamente vinculada: rtnetlink_rcv_msg() => tc_modify_qdisc() => qdisc_create() => clsact_init() [a] => qdisc_graft() => qdisc_destroy( ) => __qdisc_destroy() => ingress_destroy() [b] => tcx_entry_free() => kfree_rcu() // tcx_entry liberado 5. Finalmente, se cierra el espacio de nombres de la red. Esto registra el trabajador cleanup_net y, durante el proceso de liberaci\u00f3n de la qdisc clsact restante, accede a tcx_entry que ya se liber\u00f3 en el paso 4, lo que provoca que se produzca la UAF: cleanup_net() => ops_exit_list() => default_device_exit_batch() => unregister_netdevice_many() => unregister_netdevice_many_notify() => dev_shutdown() => qdisc_put() => clsact_destroy() [c] => tcf_block_put_ext() => tcf_chain0_head_change_cb_del() => tcf_chain_head_change_item() => clsact_chain_head_change() => mini_qdisc_pair _intercambiar( ) // UAF Tambi\u00e9n hay otras variantes, lo esencial es agregar una qdisc de ingreso (o clsact) con un bloque compartido espec\u00edfico, luego reemplazar esa qdisc, esperar a que se ejecute tcx_entry kfree_rcu() y posteriormente acceder al activo actual miniq de qdisc de una forma u otra. La soluci\u00f3n correcta es convertir el booleano miniq_active en un contador. Lo que se puede observar, en el paso 2 anterior, el contador pasa de 0->1, en el paso [a] de 1->2 (para que el objeto miniq permanezca activo durante el reemplazo), luego en [b] de 2->1 y finalmente [c] 1->0 con el eventual lanzamiento. El contador de referencia en general oscila entre [0,2] y no necesita ser at\u00f3mico ya que todo acceso al contador est\u00e1 protegido por el mutex rtnl. Con esto implementado, ya no ocurre ning\u00fan UAF y tcx_entry se libera en el momento correcto." } ], "metrics": { "cvssMetricV31": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM" }, "exploitabilityScore": 1.8, "impactScore": 3.6 } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-416" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.6.41", "matchCriteriaId": "BBD7DB8F-6881-4008-B9ED-5588CD8061D9" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.9.10", "matchCriteriaId": "AB2E8DEC-CFD5-4C2B-981D-E7E45A36C352" } ] } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/1cb6f0bae50441f4b4b32a28315853b279c7404e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Mailing List", "Patch" ] }, { "url": "https://git.kernel.org/stable/c/230bb13650b0f186f540500fd5f5f7096a822a2a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Mailing List", "Patch" ] }, { "url": "https://git.kernel.org/stable/c/f61ecf1bd5b562ebfd7d430ccb31619857e80857", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Mailing List", "Patch" ] } ] }