{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-41010","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-07-12T12:17:45.610Z","datePublished":"2024-07-17T06:10:12.051Z","dateUpdated":"2025-05-04T09:20:01.728Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:20:01.728Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix too early release of tcx_entry\n\nPedro Pinto and later independently also Hyunwoo Kim and Wongi Lee reported\nan issue that the tcx_entry can be released too early leading to a use\nafter free (UAF) when an active old-style ingress or clsact qdisc with a\nshared tc block is later replaced by another ingress or clsact instance.\n\nEssentially, the sequence to trigger the UAF (one example) can be as follows:\n\n  1. A network namespace is created\n  2. An ingress qdisc is created. This allocates a tcx_entry, and\n     &tcx_entry->miniq is stored in the qdisc's miniqp->p_miniq. At the\n     same time, a tcf block with index 1 is created.\n  3. chain0 is attached to the tcf block. chain0 must be connected to\n     the block linked to the ingress qdisc to later reach the function\n     tcf_chain0_head_change_cb_del() which triggers the UAF.\n  4. Create and graft a clsact qdisc. This causes the ingress qdisc\n     created in step 1 to be removed, thus freeing the previously linked\n     tcx_entry:\n\n     rtnetlink_rcv_msg()\n       => tc_modify_qdisc()\n         => qdisc_create()\n           => clsact_init() [a]\n         => qdisc_graft()\n           => qdisc_destroy()\n             => __qdisc_destroy()\n               => ingress_destroy() [b]\n                 => tcx_entry_free()\n                   => kfree_rcu() // tcx_entry freed\n\n  5. Finally, the network namespace is closed. This registers the\n     cleanup_net worker, and during the process of releasing the\n     remaining clsact qdisc, it accesses the tcx_entry that was\n     already freed in step 4, causing the UAF to occur:\n\n     cleanup_net()\n       => ops_exit_list()\n         => default_device_exit_batch()\n           => unregister_netdevice_many()\n             => unregister_netdevice_many_notify()\n               => dev_shutdown()\n                 => qdisc_put()\n                   => clsact_destroy() [c]\n                     => tcf_block_put_ext()\n                       => tcf_chain0_head_change_cb_del()\n                         => tcf_chain_head_change_item()\n                           => clsact_chain_head_change()\n                             => mini_qdisc_pair_swap() // UAF\n\nThere are also other variants, the gist is to add an ingress (or clsact)\nqdisc with a specific shared block, then to replace that qdisc, waiting\nfor the tcx_entry kfree_rcu() to be executed and subsequently accessing\nthe current active qdisc's miniq one way or another.\n\nThe correct fix is to turn the miniq_active boolean into a counter. What\ncan be observed, at step 2 above, the counter transitions from 0->1, at\nstep [a] from 1->2 (in order for the miniq object to remain active during\nthe replacement), then in [b] from 2->1 and finally [c] 1->0 with the\neventual release. The reference counter in general ranges from [0,2] and\nit does not need to be atomic since all access to the counter is protected\nby the rtnl mutex. With this in place, there is no longer a UAF happening\nand the tcx_entry is freed at the correct time."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/tcx.h","net/sched/sch_ingress.c"],"versions":[{"version":"e420bed025071a623d2720a92bc2245c84757ecb","lessThan":"230bb13650b0f186f540500fd5f5f7096a822a2a","status":"affected","versionType":"git"},{"version":"e420bed025071a623d2720a92bc2245c84757ecb","lessThan":"f61ecf1bd5b562ebfd7d430ccb31619857e80857","status":"affected","versionType":"git"},{"version":"e420bed025071a623d2720a92bc2245c84757ecb","lessThan":"1cb6f0bae50441f4b4b32a28315853b279c7404e","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/tcx.h","net/sched/sch_ingress.c"],"versions":[{"version":"6.6","status":"affected"},{"version":"0","lessThan":"6.6","status":"unaffected","versionType":"semver"},{"version":"6.6.41","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.9.10","lessThanOrEqual":"6.9.*","status":"unaffected","versionType":"semver"},{"version":"6.10","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.6.41"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.9.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.10"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/230bb13650b0f186f540500fd5f5f7096a822a2a"},{"url":"https://git.kernel.org/stable/c/f61ecf1bd5b562ebfd7d430ccb31619857e80857"},{"url":"https://git.kernel.org/stable/c/1cb6f0bae50441f4b4b32a28315853b279c7404e"}],"title":"bpf: Fix too early release of tcx_entry","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T04:39:55.990Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/230bb13650b0f186f540500fd5f5f7096a822a2a","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/f61ecf1bd5b562ebfd7d430ccb31619857e80857","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/1cb6f0bae50441f4b4b32a28315853b279c7404e","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-41010","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-09-10T16:25:09.492833Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-11T17:34:06.652Z"}}]}}