CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-56770: net/sched: netem: account for backlog updates from child qdisc

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: netem: account for backlog updates from child qdisc

In general, 'qlen' of any classful qdisc should keep track of the
number of packets that the qdisc itself and all of its children holds.
In case of netem, 'qlen' only accounts for the packets in its internal
tfifo. When netem is used with a child qdisc, the child qdisc can use
'qdisc_tree_reduce_backlog' to inform its parent, netem, about created
or dropped SKBs. This function updates 'qlen' and the backlog statistics
of netem, but netem does not account for changes made by a child qdisc.
'qlen' then indicates the wrong number of packets in the tfifo.
If a child qdisc creates new SKBs during enqueue and informs its parent
about this, netem's 'qlen' value is increased. When netem dequeues the
newly created SKBs from the child, the 'qlen' in netem is not updated.
If 'qlen' reaches the configured sch->limit, the enqueue function stops
working, even though the tfifo is not full.

Reproduce the bug:
Ensure that the sender machine has GSO enabled. Configure netem as root
qdisc and tbf as its child on the outgoing interface of the machine
as follows:
$ tc qdisc add dev root handle 1: netem delay 100ms limit 100
$ tc qdisc add dev parent 1:0 tbf rate 50Mbit burst 1542 latency 50ms

Send bulk TCP traffic out via this interface, e.g., by running an iPerf3
client on the machine. Check the qdisc statistics:
$ tc -s qdisc show dev

Statistics after 10s...

Classification

CVE ID: CVE-2024-56770

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 5.07% (scored less or equal to compared to others)

EPSS Date: 2025-02-06 (when was this score calculated)

References

https://git.kernel.org/stable/c/83c6ab12f08dcc09d4c5ac86fdb89736b28f1d31
https://git.kernel.org/stable/c/216509dda290f6db92c816dd54b83c1df9da9e76
https://git.kernel.org/stable/c/c2047b0e216c8edce227d7c42f99ac2877dad0e4
https://git.kernel.org/stable/c/10df49cfca73dfbbdb6c4150d859f7e8926ae427
https://git.kernel.org/stable/c/3824c5fad18eeb7abe0c4fc966f29959552dca3e
https://git.kernel.org/stable/c/356078a5c55ec8d2061fcc009fb8599f5b0527f9
https://git.kernel.org/stable/c/f8d4bc455047cf3903cd6f85f49978987dbb3027

Timeline