About CVE-2024-41010
bpf: Fix too early release of tcx_entry
CWE ID: N/A
Base Score (CVSS): N/A
CVE: CVE-2024-41010
Description: In the Linux kernel, a vulnerability has been resolved in which a tcx_entry is released too early, leading to a use-after-free (UAF) condition. The following sequence of events is one example that triggers the UAF:

1. Create a network namespace.
2. Create an ingress qdisc. This allocates a tcx_entry and stores its miniq in the qdisc's miniqp. Simultaneously, create a tcf block with index 1.
3. Attach chain0 to the tcf block. Chain0 must be connected to the block linked to the ingress qdisc to reach the `tcf_chain0_head_change_cb_del()` function, which triggers the UAF.
4. Create and graft a clsact qdisc. This removes the previously linked tcx_entry, freeing it. The process involves:
   - `rtnetlink_rcv_msg()`: `tc_modify_qdisc()`
   - `qdisc_create()`: `clsact_init()` [a]
   - `qdisc_graft()`: `qdisc_destroy()` [b]
   - `__qdisc_destroy()`: `ingress_destroy()` [c]
   - `tcx_entry_free()`: `kfree_rcu()` // tcx_entry freed

There are other variants; the core idea is to add an ingress qdisc with a specific shared block, then replace it, wait for the tcx_entry to be freed, and subsequently access the current active qdisc's miniq.

The correct fix is to change the `miniq_active` boolean to a counter. The counter transitions from 0 to 1, then from 1 to 2, and finally from 2 to 0, effectively releasing the tcx_entry. Turning the boolean into a counter resolves the UAF by ensuring the tcx_entry is freed at the correct time.
Attack vector
CVSS score
CVSS is a scoring system that measures the severity of a software vulnerability by considering factors such as potential impact, likelihood of attack, and ease of exploitation.
External references
- https://git.kernel.org/stable/c/230bb13650b0f186f540500fd5f5f7096a822a2a
- https://git.kernel.org/stable/c/f61ecf1bd5b562ebfd7d430ccb31619857e80857
- https://git.kernel.org/stable/c/1cb6f0bae50441f4b4b32a28315853b279c7404e
Affected products
- Linux – Linux