CVE-2024-46828

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sched: sch_cake: fix bulk flow accounting logic for host fairness<br /> <br /> In sch_cake, we keep track of the count of active bulk flows per host,<br /> when running in dst/src host fairness mode, which is used as the<br /> round-robin weight when iterating through flows. The count of active<br /> bulk flows is updated whenever a flow changes state.<br /> <br /> This has a peculiar interaction with the hash collision handling: when a<br /> hash collision occurs (after the set-associative hashing), the state of<br /> the hash bucket is simply updated to match the new packet that collided,<br /> and if host fairness is enabled, that also means assigning new per-host<br /> state to the flow. For this reason, the bulk flow counters of the<br /> host(s) assigned to the flow are decremented, before new state is<br /> assigned (and the counters, which may not belong to the same host<br /> anymore, are incremented again).<br /> <br /> Back when this code was introduced, the host fairness mode was always<br /> enabled, so the decrement was unconditional. When the configuration<br /> flags were introduced the *increment* was made conditional, but<br /> the *decrement* was not. Which of course can lead to a spurious<br /> decrement (and associated wrap-around to U16_MAX).<br /> <br /> AFAICT, when host fairness is disabled, the decrement and wrap-around<br /> happens as soon as a hash collision occurs (which is not that common in<br /> itself, due to the set-associative hashing). However, in most cases this<br /> is harmless, as the value is only used when host fairness mode is<br /> enabled. So in order to trigger an array overflow, sch_cake has to first<br /> be configured with host fairness disabled, and while running in this<br /> mode, a hash collision has to occur to cause the overflow. Then, the<br /> qdisc has to be reconfigured to enable host fairness, which leads to the<br /> array out-of-bounds because the wrapped-around value is retained and<br /> used as an array index. It seems that syzbot managed to trigger this,<br /> which is quite impressive in its own right.<br /> <br /> This patch fixes the issue by introducing the same conditional check on<br /> decrement as is used on increment.<br /> <br /> The original bug predates the upstreaming of cake, but the commit listed<br /> in the Fixes tag touched that code, meaning that this patch won&amp;#39;t apply<br /> before that.