CVE-2024-45016

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 11/09/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

netem: fix return value if duplicate enqueue fails

There is a bug in netem_enqueue() introduced by commit 5845f706388a ("net: netem: fix skb length BUG_ON in __skb_to_sgvec") that can lead to a use-after-free.

This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR.

There are two ways for the bug to happen:

- If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped.
- If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped.

In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc.

The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.
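The accounting mismatch described above can be reproduced in a small userspace model. This is an added example, not kernel code and not the upstream patch: `enum dup_fate`, `struct outcome`, `enqueue_duplicate()`, `phantom_qlen()` and both `netem_enqueue_*` functions are hypothetical names, and returning NET_XMIT_DROP on the fixed path is an assumption of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified userspace model of the accounting described above; not kernel code. */
enum { NET_XMIT_SUCCESS = 0x00, NET_XMIT_DROP = 0x01 };
enum dup_fate { DUP_DROPPED_BY_ROOTQ, DUP_SENT_TO_OTHER_QDISC, DUP_LANDS_IN_NETEM };

struct outcome {
    int ret;        /* what netem_enqueue() reports to its parent qdisc */
    int netem_held; /* packets actually queued at the netem qdisc */
};

/* Stand-in for rootq->enqueue() on the duplicate: 1 if it ends up in netem. */
static int enqueue_duplicate(enum dup_fate fate) { return fate == DUP_LANDS_IN_NETEM; }

/* Before the fix: the duplicate is enqueued first and SUCCESS is always returned. */
static struct outcome netem_enqueue_before(enum dup_fate fate, bool orig_dropped)
{
    struct outcome o = { NET_XMIT_SUCCESS, 0 };
    o.netem_held += enqueue_duplicate(fate);
    if (!orig_dropped)
        o.netem_held++;
    return o;
}

/* After the fix: the duplicate is deferred until the original is safely queued. */
static struct outcome netem_enqueue_after(enum dup_fate fate, bool orig_dropped)
{
    struct outcome o = { NET_XMIT_DROP, 0 }; /* drop code is a model assumption */
    if (orig_dropped)
        return o;
    o.ret = NET_XMIT_SUCCESS;
    o.netem_held = 1 + enqueue_duplicate(fate);
    return o;
}

/* The parent bumps q.qlen on SUCCESS; a "phantom" is a bump with nothing queued. */
static bool phantom_qlen(struct outcome o) { return o.ret == NET_XMIT_SUCCESS && o.netem_held == 0; }

int main(void)
{
    for (int fate = DUP_DROPPED_BY_ROOTQ; fate <= DUP_LANDS_IN_NETEM; fate++)
        printf("dup_fate=%d, original dropped: phantom before=%d after=%d\n", fate,
               phantom_qlen(netem_enqueue_before((enum dup_fate)fate, true)),
               phantom_qlen(netem_enqueue_after((enum dup_fate)fate, true)));
    return 0;
}
```

The two cases listed in the description are the ones where the "before" model reports a phantom increment; with the deferred duplicate, a dropped original never reports success.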

Vulnerable products and versions

CPE                                                 From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.0 (including)    5.4.283 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.5 (including)    5.10.225 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.11 (including)   5.15.166 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.16 (including)   6.1.107 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.2 (including)    6.6.48 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.7 (including)    6.10.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*