Use After Free Affecting kernel-rt-core package, versions *


Severity

Recommended
0.0
medium
0
10

Based on Red Hat Enterprise Linux security rating.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Use After Free vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-RHEL8-KERNELRTCORE-8405641
  • published26 Nov 2024
  • disclosed19 Nov 2024

Introduced: 19 Nov 2024

NewCVE-2024-53057  (opens in a new tab)
CWE-416  (opens in a new tab)
First added by Snyk

How to fix?

There is no fixed version for RHEL:8 kernel-rt-core.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-rt-core package and not the kernel-rt-core package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT

In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed to be either root or ingress. This assumption is bogus since it's valid to create egress qdiscs with major handle ffff: Budimir Markovic found that for qdiscs like DRR that maintain an active class list, it will cause a UAF with a dangling class pointer.

In 066a3b5b2346, the concern was to avoid iterating over the ingress qdisc since its parent is itself. The proper fix is to stop when parent TC_H_ROOT is reached because the only way to retrieve ingress is when a hierarchy which does not contain a ffff: major handle call into qdisc_lookup with TC_H_MAJ(TC_H_ROOT).

In the scenario where major ffff: is an egress qdisc in any of the tree levels, the updates will also propagate to TC_H_ROOT, which then the iteration must stop.

net/sched/sch_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

CVSS Scores

version 3.1