Release Date: 2024-10-21
In the Linux kernel, the following vulnerability has been resolved:

net/sched: accept TCA_STAB only for root qdisc

Most qdiscs maintain their backlog using qdisc_pkt_len(skb) on the assumption it is invariant between the enqueue() and dequeue() handlers.

Unfortunately syzbot can crash a host rather easily using a TBF + SFQ combination, with an STAB on SFQ [1].

We can't support TCA_STAB at an arbitrary level; this would require maintaining per-qdisc storage.

[1]
[ 88.796496] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 88.798611] #PF: supervisor read access in kernel mode
[ 88.799014] #PF: error_code(0x0000) - not-present page
[ 88.799506] PGD 0 P4D 0
[ 88.799829] Oops: Oops: 0000 [#1] SMP NOPTI
[ 88.800569] CPU: 14 UID: 0 PID: 2053 Comm: b371744477 Not tainted 6.12.0-rc1-virtme #1117
[ 88.801107] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 88.801779] RIP: 0010:sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq
See more information about CVE-2024-50039 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS metrics and score provided are preliminary and subject to review.
| Metric | Value |
|---|---|
| Base Score | 5.5 |
| Vector String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Version | 3.1 |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | None |
| Availability | High |
| Platform | Errata | Release Date |
|---|---|---|
| Oracle Linux version 7 (kernel-uek) | ELSA-2024-12884 | 2024-12-16 |
| Oracle Linux version 8 (kernel-uek) | ELSA-2024-12884 | 2024-12-16 |
| Oracle Linux version 8 (kernel-uek) | ELSA-2024-12887 | 2024-12-18 |
| Oracle Linux version 9 (kernel-uek) | ELSA-2024-12887 | 2024-12-18 |