{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-50039","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-10-21T12:17:06.070Z","datePublished":"2024-10-21T19:39:39.115Z","dateUpdated":"2025-11-03T22:24:45.361Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:44:26.727Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: accept TCA_STAB only for root qdisc\n\nMost qdiscs maintain their backlog using qdisc_pkt_len(skb)\non the assumption it is invariant between the enqueue()\nand dequeue() handlers.\n\nUnfortunately syzbot can crash a host rather easily using\na TBF + SFQ combination, with an STAB on SFQ [1]\n\nWe can't support TCA_STAB on arbitrary level, this would\nrequire to maintain per-qdisc storage.\n\n[1]\n[   88.796496] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[   88.798611] #PF: supervisor read access in kernel mode\n[   88.799014] #PF: error_code(0x0000) - not-present page\n[   88.799506] PGD 0 P4D 0\n[   88.799829] Oops: Oops: 0000 [#1] SMP NOPTI\n[   88.800569] CPU: 14 UID: 0 PID: 2053 Comm: b371744477 Not tainted 6.12.0-rc1-virtme #1117\n[   88.801107] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   88.801779] RIP: 0010:sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq\n[ 88.802544] Code: 0f b7 50 12 48 8d 04 d5 00 00 00 00 48 89 d6 48 29 d0 48 8b 91 c0 01 00 00 48 c1 e0 03 48 01 c2 66 83 7a 1a 00 7e c0 48 8b 3a <4c> 8b 07 4c 89 02 49 89 50 08 48 c7 47 08 00 00 00 00 48 c7 07 00\nAll code\n========\n   0:\t0f b7 50 12          \tmovzwl 0x12(%rax),%edx\n   4:\t48 8d 04 d5 00 00 00 \tlea    0x0(,%rdx,8),%rax\n   b:\t00\n   c:\t48 89 d6             \tmov    %rdx,%rsi\n   f:\t48 29 d0             \tsub    %rdx,%rax\n  12:\t48 8b 91 c0 01 00 00 \tmov    0x1c0(%rcx),%rdx\n  19:\t48 c1 e0 03          \tshl    $0x3,%rax\n  1d:\t48 01 c2             \tadd    %rax,%rdx\n  20:\t66 83 7a 1a 00       \tcmpw   $0x0,0x1a(%rdx)\n  25:\t7e c0                \tjle    0xffffffffffffffe7\n  27:\t48 8b 3a             \tmov    (%rdx),%rdi\n  2a:*\t4c 8b 07             \tmov    (%rdi),%r8\t\t<-- trapping instruction\n  2d:\t4c 89 02             \tmov    %r8,(%rdx)\n  30:\t49 89 50 08          \tmov    %rdx,0x8(%r8)\n  34:\t48 c7 47 08 00 00 00 \tmovq   $0x0,0x8(%rdi)\n  3b:\t00\n  3c:\t48                   \trex.W\n  3d:\tc7                   \t.byte 0xc7\n  3e:\t07                   \t(bad)\n\t...\n\nCode starting with the faulting instruction\n===========================================\n   0:\t4c 8b 07             \tmov    (%rdi),%r8\n   3:\t4c 89 02             \tmov    %r8,(%rdx)\n   6:\t49 89 50 08          \tmov    %rdx,0x8(%r8)\n   a:\t48 c7 47 08 00 00 00 \tmovq   $0x0,0x8(%rdi)\n  11:\t00\n  12:\t48                   \trex.W\n  13:\tc7                   \t.byte 0xc7\n  14:\t07                   \t(bad)\n\t...\n[   88.803721] RSP: 0018:ffff9a1f892b7d58 EFLAGS: 00000206\n[   88.804032] RAX: 0000000000000000 RBX: ffff9a1f8420c800 RCX: ffff9a1f8420c800\n[   88.804560] RDX: ffff9a1f81bc1440 RSI: 0000000000000000 RDI: 0000000000000000\n[   88.805056] RBP: ffffffffc04bb0e0 R08: 0000000000000001 R09: 00000000ff7f9a1f\n[   88.805473] R10: 000000000001001b R11: 0000000000009a1f R12: 0000000000000140\n[   88.806194] R13: 0000000000000001 R14: ffff9a1f886df400 R15: ffff9a1f886df4ac\n[   88.806734] FS:  00007f445601a740(0000) GS:ffff9a2e7fd80000(0000) knlGS:0000000000000000\n[   88.807225] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   88.807672] CR2: 0000000000000000 CR3: 000000050cc46000 CR4: 00000000000006f0\n[   88.808165] Call Trace:\n[   88.808459]  <TASK>\n[   88.808710] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)\n[   88.809261] ? page_fault_oops (arch/x86/mm/fault.c:715)\n[   88.809561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)\n[   88.809806] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)\n[   88.810074] ? sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq\n[   88.810411] sfq_reset (net/sched/sch_sfq.c:525) sch_sfq\n[   88.810671] qdisc_reset (./include/linux/skbuff.h:2135 ./include/linux/skbuff.h:2441 ./include/linux/skbuff.h:3304 ./include/linux/skbuff.h:3310 net/sched/sch_g\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/sch_generic.h","net/sched/sch_api.c"],"versions":[{"version":"175f9c1bba9b825d22b142d183c9e175488b260c","lessThan":"2acbb9539bc2284e30d2aeb789c3d96287014264","status":"affected","versionType":"git"},{"version":"175f9c1bba9b825d22b142d183c9e175488b260c","lessThan":"adbc3eef43fc94c7c8436da832691ae02333a972","status":"affected","versionType":"git"},{"version":"175f9c1bba9b825d22b142d183c9e175488b260c","lessThan":"8fb6503592d39065316f45d267c5527b4e7cd995","status":"affected","versionType":"git"},{"version":"175f9c1bba9b825d22b142d183c9e175488b260c","lessThan":"76feedc74b90270390fbfdf74a2e944e96872363","status":"affected","versionType":"git"},{"version":"175f9c1bba9b825d22b142d183c9e175488b260c","lessThan":"1edf039ee01788ffc25625fe58a903ae2efa213e","status":"affected","versionType":"git"},{"version":"175f9c1bba9b825d22b142d183c9e175488b260c","lessThan":"3dc6ee96473cc2962c6db4297d4631f261be150f","status":"affected","versionType":"git"},{"version":"175f9c1bba9b825d22b142d183c9e175488b260c","lessThan":"3cb7cf1540ddff5473d6baeb530228d19bc97b8a","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/sch_generic.h","net/sched/sch_api.c"],"versions":[{"version":"2.6.27","status":"affected"},{"version":"0","lessThan":"2.6.27","status":"unaffected","versionType":"semver"},{"version":"5.4.285","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.227","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.168","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.113","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.57","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.11.4","lessThanOrEqual":"6.11.*","status":"unaffected","versionType":"semver"},{"version":"6.12","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"5.4.285"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"5.10.227"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"5.15.168"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"6.1.113"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"6.6.57"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"6.11.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"6.12"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2acbb9539bc2284e30d2aeb789c3d96287014264"},{"url":"https://git.kernel.org/stable/c/adbc3eef43fc94c7c8436da832691ae02333a972"},{"url":"https://git.kernel.org/stable/c/8fb6503592d39065316f45d267c5527b4e7cd995"},{"url":"https://git.kernel.org/stable/c/76feedc74b90270390fbfdf74a2e944e96872363"},{"url":"https://git.kernel.org/stable/c/1edf039ee01788ffc25625fe58a903ae2efa213e"},{"url":"https://git.kernel.org/stable/c/3dc6ee96473cc2962c6db4297d4631f261be150f"},{"url":"https://git.kernel.org/stable/c/3cb7cf1540ddff5473d6baeb530228d19bc97b8a"}],"title":"net/sched: accept TCA_STAB only for root qdisc","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-50039","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-10-22T13:25:02.696853Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-10-22T13:28:44.508Z"}},{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T22:24:45.361Z"}}]}}