CVE-2024-53057

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
19/11/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT

In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed
to be either root or ingress. This assumption is bogus since it's valid
to create egress qdiscs with major handle ffff:
Budimir Markovic found that for qdiscs like DRR that maintain an active
class list, it will cause a UAF with a dangling class pointer.

In 066a3b5b2346, the concern was to avoid iterating over the ingress
qdisc since its parent is itself. The proper fix is to stop when parent
TC_H_ROOT is reached because the only way to retrieve ingress is when a
hierarchy which does not contain a ffff: major handle call into
qdisc_lookup with TC_H_MAJ(TC_H_ROOT).

In the scenario where major ffff: is an egress qdisc in any of the tree
levels, the updates will also propagate to TC_H_ROOT, which then the
iteration must stop.

net/sched/sch_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
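The stop condition described above, as an added user-space model (not the kernel's code and not part of the advisory): it walks a constructed three-level hierarchy with the old major-handle check and with the `TC_H_ROOT` check, and reports how many ancestors had their backlog updated. `struct model_qdisc`, `lookup`, `reduce_backlog`, `root_qlen_after`, the handles and the queue lengths are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Values as defined in include/uapi/linux/pkt_sched.h */
#define TC_H_MAJ(h)  ((h) & 0xFFFF0000U)
#define TC_H_ROOT    0xFFFFFFFFU
#define TC_H_INGRESS 0xFFFFFFF1U

/* Hypothetical stand-in for struct Qdisc: handle, parent class id, backlog */
struct model_qdisc { uint32_t handle, parent; int qlen; };
static struct model_qdisc tree[3];

static struct model_qdisc *lookup(uint32_t handle) {
    for (size_t i = 0; i < 3; i++)
        if (tree[i].handle == handle)
            return &tree[i];
    return NULL;
}

/* Subtract n from every ancestor's qlen; return how many were updated.
 * fixed=0 uses the old stop condition, fixed=1 the one from the fix. */
static int reduce_backlog(struct model_qdisc *sch, int n, int fixed) {
    uint32_t parentid;
    int updated = 0;
    while ((parentid = sch->parent)) {
        if (fixed ? parentid == TC_H_ROOT
                  : TC_H_MAJ(parentid) == TC_H_MAJ(TC_H_INGRESS))
            break;
        sch = lookup(TC_H_MAJ(parentid));
        if (!sch)
            break;
        sch->qlen -= n;
        updated++;
    }
    return updated;
}

/* Constructed tree: 1: at root, egress ffff: under 1:1, leaf 2: under ffff:1 */
static int root_qlen_after(int fixed, int *updated) {
    tree[0] = (struct model_qdisc){0x00010000U, TC_H_ROOT, 5};
    tree[1] = (struct model_qdisc){0xFFFF0000U, 0x00010001U, 5};
    tree[2] = (struct model_qdisc){0x00020000U, 0xFFFF0001U, 5};
    *updated = reduce_backlog(&tree[2], 5, fixed);
    return tree[0].qlen;
}
```

With the old check the walk stops at the first parent whose major is ffff:, so the ancestors keep a stale backlog count; with the `TC_H_ROOT` check the update reaches the root and then stops.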

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.25 (including) 4.19.323 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.285 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.229 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.171 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.116 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.60 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.11.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*