CVE-2024-56770

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 08/01/2025
Last modified: 10/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: netem: account for backlog updates from child qdisc

In general, 'qlen' of any classful qdisc should keep track of the
number of packets that the qdisc itself and all of its children holds.
In case of netem, 'qlen' only accounts for the packets in its internal
tfifo. When netem is used with a child qdisc, the child qdisc can use
'qdisc_tree_reduce_backlog' to inform its parent, netem, about created
or dropped SKBs. This function updates 'qlen' and the backlog statistics
of netem, but netem does not account for changes made by a child qdisc.
'qlen' then indicates the wrong number of packets in the tfifo.
If a child qdisc creates new SKBs during enqueue and informs its parent
about this, netem's 'qlen' value is increased. When netem dequeues the
newly created SKBs from the child, the 'qlen' in netem is not updated.
If 'qlen' reaches the configured sch->limit, the enqueue function stops
working, even though the tfifo is not full.

Reproduce the bug:
Ensure that the sender machine has GSO enabled. Configure netem as root
qdisc and tbf as its child on the outgoing interface of the machine
as follows:
$ tc qdisc add dev root handle 1: netem delay 100ms limit 100
$ tc qdisc add dev parent 1:0 tbf rate 50Mbit burst 1542 latency 50ms

Send bulk TCP traffic out via this interface, e.g., by running an iPerf3
client on the machine.
Check the qdisc statistics:
$ tc -s qdisc show dev

Statistics after 10s of iPerf3 TCP test before the fix (note that
netem's backlog > limit, netem stopped accepting packets):
qdisc netem 1: root refcnt 2 limit 1000 delay 100ms
 Sent 2767766 bytes 1848 pkt (dropped 652, overlimits 0 requeues 0)
 backlog 4294528236b 1155p requeues 0
qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms
 Sent 2767766 bytes 1848 pkt (dropped 327, overlimits 7601 requeues 0)
 backlog 0b 0p requeues 0

Statistics after the fix:
qdisc netem 1: root refcnt 2 limit 1000 delay 100ms
 Sent 37766372 bytes 24974 pkt (dropped 9, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms
 Sent 37766372 bytes 24974 pkt (dropped 327, overlimits 96017 requeues 0)
 backlog 0b 0p requeues 0

tbf segments the GSO SKBs (tbf_segment) and updates the netem's 'qlen'.
The interface fully stops transferring packets and "locks". In this case,
the child qdisc and tfifo are empty, but 'qlen' indicates the tfifo is at
its limit and no more packets are accepted.

This patch adds a counter for the entries in the tfifo. Netem's 'qlen' is
only decreased when a packet is returned by its dequeue function, and not
during enqueuing into the child qdisc. External updates to 'qlen' are thus
accounted for and only the behavior of the backlog statistics changes. As
in other qdiscs, 'qlen' then keeps track of how many packets are held in
netem and all of its children. As before, sch->limit remains as the
maximum number of packets in the tfifo. The same applies to netem's
backlog statistics.
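
A way to check a host for the symptom shown in the pre-fix statistics, as an added example that is not part of the advisory or the kernel patch. It parses `tc -s qdisc show` output for a single interface and flags a netem qdisc whose packet backlog exceeds its limit plus whatever its children hold, or whose byte backlog looks like a wrapped counter. The function names, the 2^31 threshold and the plain byte-count format are assumptions of this example.

```python
import re

# Constructed input: the pre-fix statistics quoted in the description above.
PRE_FIX = """\
qdisc netem 1: root refcnt 2 limit 1000 delay 100ms
 Sent 2767766 bytes 1848 pkt (dropped 652, overlimits 0 requeues 0)
 backlog 4294528236b 1155p requeues 0
qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms
 Sent 2767766 bytes 1848 pkt (dropped 327, overlimits 7601 requeues 0)
 backlog 0b 0p requeues 0
"""

HEADER = re.compile(r"^qdisc\s+(\S+)\s+(\w+):\s+(.*)$")
PARENT = re.compile(r"\bparent\s+(\w+):")
LIMIT = re.compile(r"\blimit\s+(\d+)\b")
BACKLOG = re.compile(r"^\s*backlog\s+(\d+)b\s+(\d+)p\b")  # assumes plain byte counts
WRAPPED = 1 << 31  # assumption: a byte backlog this large is a wrapped 32-bit counter


def parse_qdiscs(text):
    """Return one dict per qdisc with kind, major handle, parent, limit and backlog."""
    out = []
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            parent, limit = PARENT.search(h.group(3)), LIMIT.search(h.group(3))
            out.append({"kind": h.group(1), "major": h.group(2),
                        "parent": parent.group(1) if parent else None,
                        "limit": int(limit.group(1)) if limit else None,
                        "bytes": 0, "pkts": 0})
            continue
        b = BACKLOG.match(line)
        if b and out:
            out[-1]["bytes"], out[-1]["pkts"] = int(b.group(1)), int(b.group(2))
    return out


def netem_findings(text):
    """Return (handle, reason) pairs for netem counters that cannot be genuine."""
    qdiscs, found = parse_qdiscs(text), []
    for q in (q for q in qdiscs if q["kind"] == "netem"):
        held_by_children = sum(c["pkts"] for c in qdiscs if c["parent"] == q["major"])
        if q["limit"] is not None and q["pkts"] > q["limit"] + held_by_children:
            found.append((q["major"] + ":", "backlog exceeds limit plus child backlog"))
        if q["bytes"] >= WRAPPED:
            found.append((q["major"] + ":", "byte backlog looks like a wrapped counter"))
    return found
```

The packet rule follows from the description: the tfifo never holds more than the limit, so a netem backlog above the limit plus the child backlog cannot be a real packet count, while a patched kernel that counts child packets in 'qlen' stays within that bound.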

Vulnerable products and versions

CPE                                                 From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        3.3 (including)    5.4.288 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.5 (including)    5.10.232 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.11 (including)   5.15.175 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.16 (including)   6.1.121 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.2 (including)    6.6.67 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.7 (including)    6.12.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*