CVE-2024-50039

Severity (CVSS v4.0): Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 21/10/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: accept TCA_STAB only for root qdisc

Most qdiscs maintain their backlog using qdisc_pkt_len(skb) on the assumption it is invariant between the enqueue() and dequeue() handlers.

Unfortunately syzbot can crash a host rather easily using a TBF + SFQ combination, with a STAB on SFQ [1].

We can't support TCA_STAB at an arbitrary level; this would require maintaining per-qdisc storage.

[1]
[ 88.796496] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 88.798611] #PF: supervisor read access in kernel mode
[ 88.799014] #PF: error_code(0x0000) - not-present page
[ 88.799506] PGD 0 P4D 0
[ 88.799829] Oops: Oops: 0000 [#1] SMP NOPTI
[ 88.800569] CPU: 14 UID: 0 PID: 2053 Comm: b371744477 Not tainted 6.12.0-rc1-virtme #1117
[ 88.801107] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 88.801779] RIP: 0010:sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq
[ 88.802544] Code: 0f b7 50 12 48 8d 04 d5 00 00 00 00 48 89 d6 48 29 d0 48 8b 91 c0 01 00 00 48 c1 e0 03 48 01 c2 66 83 7a 1a 00 7e c0 48 8b 3a 8b 07 4c 89 02 49 89 50 08 48 c7 47 08 00 00 00 00 48 c7 07 00
All code
========
0: 0f b7 50 12 movzwl 0x12(%rax),%edx
4: 48 8d 04 d5 00 00 00 lea 0x0(,%rdx,8),%rax
b: 00
c: 48 89 d6 mov %rdx,%rsi
f: 48 29 d0 sub %rdx,%rax
12: 48 8b 91 c0 01 00 00 mov 0x1c0(%rcx),%rdx
19: 48 c1 e0 03 shl $0x3,%rax
1d: 48 01 c2 add %rax,%rdx
20: 66 83 7a 1a 00 cmpw $0x0,0x1a(%rdx)
25: 7e c0 jle 0xffffffffffffffe7
27: 48 8b 3a mov (%rdx),%rdi
2a:* 4c 8b 07 mov (%rdi),%r8
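As an added illustration (a constructed model written for this entry, not kernel code and not part of the commit quoted above), the C program below shows why the commit message insists that the accounted packet length stay invariant between enqueue() and dequeue(): when a size table is attached below the root, the root adds one length to its backlog at enqueue and subtracts a different one at dequeue, so the counter drifts; with the table on the root, both levels see the same value. All structure and function names, the queue depth and the cell-size/overhead values are assumptions of this model.

```c
#include <stdio.h>
/* Constructed model, not kernel code: a size table (STAB) rounds the accounted
 * length up to whole cells and adds a fixed overhead. */
struct stab { unsigned cell_size, overhead; };
struct skb  { unsigned pkt_len; };           /* length the qdiscs account with */
struct qdisc {
    const struct stab *stab;   /* NULL when no STAB is attached at this level */
    struct qdisc *child;       /* NULL for the leaf that holds the packets */
    long backlog;              /* bytes this level believes it is holding */
    struct skb *q[8]; unsigned head, tail;
};

static unsigned stab_len(const struct stab *st, unsigned len)
{
    return (len + st->cell_size - 1) / st->cell_size * st->cell_size + st->overhead;
}

/* The STAB rewrites pkt_len at enqueue on the level it is attached to; every
 * level then adds the value it saw to its own backlog counter. */
static void enqueue(struct qdisc *sch, struct skb *skb)
{
    if (sch->stab)
        skb->pkt_len = stab_len(sch->stab, skb->pkt_len);
    unsigned len = skb->pkt_len;             /* read before the child runs */
    if (sch->child)
        enqueue(sch->child, skb);            /* a child STAB rewrites pkt_len */
    else
        sch->q[sch->tail++ % 8] = skb;
    sch->backlog += len;
}

static struct skb *dequeue(struct qdisc *sch)
{   /* assumes pkt_len is still the value that enqueue accounted */
    struct skb *skb = sch->child ? dequeue(sch->child) : sch->q[sch->head++ % 8];
    sch->backlog -= skb->pkt_len;
    return skb;
}

/* Root backlog left after draining two packets; 0 only with the STAB on root. */
static long residual_backlog(int stab_on_child)
{
    static const struct stab st = { 48, 24 };        /* constructed values */
    struct skb pkts[2] = { { 100 }, { 1500 } };
    struct qdisc leaf = { stab_on_child ? &st : NULL, NULL, 0, { 0 }, 0, 0 };
    struct qdisc root = { stab_on_child ? NULL : &st, &leaf, 0, { 0 }, 0, 0 };
    for (int i = 0; i < 2; i++) enqueue(&root, &pkts[i]);
    for (int i = 0; i < 2; i++) dequeue(&root);
    return root.backlog;                 /* 0 with STAB on root, -128 on child */
}

int main(void) { printf("root: %ld  child: %ld\n", residual_backlog(0), residual_backlog(1)); return 0; }
```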

Vulnerable products and versions

CPE                                                From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       2.6.27 (including)   5.10.227 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.11 (including)     5.15.168 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.16 (including)     6.1.113 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.2 (including)      6.6.57 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.7 (including)      6.11.4 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*