CVE-2024-45016
Linux kernel Netem Use-After-Free Vulnerability
Description
In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a ("net: netem: fix skb length BUG_ON in __skb_to_sgvec") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.
INFO
Published Date :
Sept. 11, 2024, 4:15 p.m.
Last Modified :
Sept. 13, 2024, 4:36 p.m.
Source :
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Remotely Exploitable :
No
Impact Score :
3.6
Exploitability Score :
1.8
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2024-45016.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2024-45016 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2024-45016 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Sep. 13, 2024
Action Type Old Value New Value Added CVSS V3.1 NIST AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Changed Reference Type https://git.kernel.org/stable/c/0486d31dd8198e22b63a4730244b38fffce6d469 No Types Assigned https://git.kernel.org/stable/c/0486d31dd8198e22b63a4730244b38fffce6d469 Patch Changed Reference Type https://git.kernel.org/stable/c/52d99a69f3d556c6426048c9d481b912205919d8 No Types Assigned https://git.kernel.org/stable/c/52d99a69f3d556c6426048c9d481b912205919d8 Patch Changed Reference Type https://git.kernel.org/stable/c/577d6c0619467fe90f7e8e57e45cb5bd9d936014 No Types Assigned https://git.kernel.org/stable/c/577d6c0619467fe90f7e8e57e45cb5bd9d936014 Patch Changed Reference Type https://git.kernel.org/stable/c/759e3e8c4a6a6b4e52ebc4547123a457f0ce90d4 No Types Assigned https://git.kernel.org/stable/c/759e3e8c4a6a6b4e52ebc4547123a457f0ce90d4 Patch Changed Reference Type https://git.kernel.org/stable/c/c07ff8592d57ed258afee5a5e04991a48dbaf382 No Types Assigned https://git.kernel.org/stable/c/c07ff8592d57ed258afee5a5e04991a48dbaf382 Patch Changed Reference Type https://git.kernel.org/stable/c/c414000da1c2ea1ba9a5e5bb1a4ba774e51e202d No Types Assigned https://git.kernel.org/stable/c/c414000da1c2ea1ba9a5e5bb1a4ba774e51e202d Patch Changed Reference Type https://git.kernel.org/stable/c/e5bb2988a310667abed66c7d3ffa28880cf0f883 No Types Assigned https://git.kernel.org/stable/c/e5bb2988a310667abed66c7d3ffa28880cf0f883 Patch Added CWE NIST CWE-416 Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.0 up to (excluding) 5.4.283 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.225 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.166 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.107 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.48 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.10.7 *cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:* -
CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Sep. 11, 2024
Action Type Old Value New Value Added Description In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a ("net: netem: fix skb length BUG_ON in __skb_to_sgvec") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS. Added Reference kernel.org https://git.kernel.org/stable/c/759e3e8c4a6a6b4e52ebc4547123a457f0ce90d4 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/c414000da1c2ea1ba9a5e5bb1a4ba774e51e202d [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/52d99a69f3d556c6426048c9d481b912205919d8 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/0486d31dd8198e22b63a4730244b38fffce6d469 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/577d6c0619467fe90f7e8e57e45cb5bd9d936014 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/e5bb2988a310667abed66c7d3ffa28880cf0f883 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/c07ff8592d57ed258afee5a5e04991a48dbaf382 [No types assigned]
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2024-45016 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2024-45016
weaknesses.