{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-53057", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-11-19T17:17:24.974Z", "datePublished": "2024-11-19T17:19:40.284Z", "dateUpdated": "2024-12-19T09:38:09.155Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T09:38:09.155Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT\n\nIn qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed\nto be either root or ingress. This assumption is bogus since it's valid\nto create egress qdiscs with major handle ffff:\nBudimir Markovic found that for qdiscs like DRR that maintain an active\nclass list, it will cause a UAF with a dangling class pointer.\n\nIn 066a3b5b2346, the concern was to avoid iterating over the ingress\nqdisc since its parent is itself. The proper fix is to stop when parent\nTC_H_ROOT is reached because the only way to retrieve ingress is when a\nhierarchy which does not contain a ffff: major handle call into\nqdisc_lookup with TC_H_MAJ(TC_H_ROOT).\n\nIn the scenario where major ffff: is an egress qdisc in any of the tree\nlevels, the updates will also propagate to TC_H_ROOT, which then the\niteration must stop.\n\n\n net/sched/sch_api.c | 2 +-\n 1 file changed, 1 insertion(+), 1 deletion(-)"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/sch_api.c"], "versions": [{"version": "066a3b5b2346febf9a655b444567b7138e3bb939", "lessThan": "e7f9a6f97eb067599a74f3bcb6761976b0ed303e", "status": "affected", "versionType": "git"}, {"version": "066a3b5b2346febf9a655b444567b7138e3bb939", "lessThan": "dbe778b08b5101df9e89bc06e0a3a7ecd2f4ef20", "status": "affected", "versionType": "git"}, {"version": "066a3b5b2346febf9a655b444567b7138e3bb939", "lessThan": "ce691c814bc7a3c30c220ffb5b7422715458fd9b", "status": "affected", "versionType": "git"}, {"version": "066a3b5b2346febf9a655b444567b7138e3bb939", "lessThan": "05df1b1dff8f197f1c275b57ccb2ca33021df552", "status": "affected", "versionType": "git"}, {"version": "066a3b5b2346febf9a655b444567b7138e3bb939", "lessThan": "580b3189c1972aff0f993837567d36392e9d981b", "status": "affected", "versionType": "git"}, {"version": "066a3b5b2346febf9a655b444567b7138e3bb939", "lessThan": "597cf9748c3477bf61bc35f0634129f56764ad24", "status": "affected", "versionType": "git"}, {"version": "066a3b5b2346febf9a655b444567b7138e3bb939", "lessThan": "9995909615c3431a5304c1210face5f268d24dba", "status": "affected", "versionType": "git"}, {"version": "066a3b5b2346febf9a655b444567b7138e3bb939", "lessThan": "2e95c4384438adeaa772caa560244b1a2efef816", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/sch_api.c"], "versions": [{"version": "2.6.25", "status": "affected"}, {"version": "0", "lessThan": "2.6.25", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.323", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.285", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.229", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.171", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.116", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.60", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.11.7", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/e7f9a6f97eb067599a74f3bcb6761976b0ed303e"}, {"url": "https://git.kernel.org/stable/c/dbe778b08b5101df9e89bc06e0a3a7ecd2f4ef20"}, {"url": "https://git.kernel.org/stable/c/ce691c814bc7a3c30c220ffb5b7422715458fd9b"}, {"url": "https://git.kernel.org/stable/c/05df1b1dff8f197f1c275b57ccb2ca33021df552"}, {"url": "https://git.kernel.org/stable/c/580b3189c1972aff0f993837567d36392e9d981b"}, {"url": "https://git.kernel.org/stable/c/597cf9748c3477bf61bc35f0634129f56764ad24"}, {"url": "https://git.kernel.org/stable/c/9995909615c3431a5304c1210face5f268d24dba"}, {"url": "https://git.kernel.org/stable/c/2e95c4384438adeaa772caa560244b1a2efef816"}], "title": "net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT", "x_generator": {"engine": "bippy-5f407fcff5a0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-53057", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-12-11T14:25:23.594430Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-11T14:58:31.650Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-53057", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-12-11T14:25:23.594430Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-11T14:25:24.771Z"}}], "cna": {"title": "net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "066a3b5b2346febf9a655b444567b7138e3bb939", "lessThan": "e7f9a6f97eb067599a74f3bcb6761976b0ed303e", "versionType": "git"}, {"status": "affected", "version": "066a3b5b2346febf9a655b444567b7138e3bb939", "lessThan": "dbe778b08b5101df9e89bc06e0a3a7ecd2f4ef20", "versionType": "git"}, {"status": "affected", "version": "066a3b5b2346febf9a655b444567b7138e3bb939", "lessThan": "ce691c814bc7a3c30c220ffb5b7422715458fd9b", "versionType": "git"}, {"status": "affected", "version": "066a3b5b2346febf9a655b444567b7138e3bb939", "lessThan": "05df1b1dff8f197f1c275b57ccb2ca33021df552", "versionType": "git"}, {"status": "affected", "version": "066a3b5b2346febf9a655b444567b7138e3bb939", "lessThan": "580b3189c1972aff0f993837567d36392e9d981b", "versionType": "git"}, {"status": "affected", "version": "066a3b5b2346febf9a655b444567b7138e3bb939", "lessThan": "597cf9748c3477bf61bc35f0634129f56764ad24", "versionType": "git"}, {"status": "affected", "version": "066a3b5b2346febf9a655b444567b7138e3bb939", "lessThan": "9995909615c3431a5304c1210face5f268d24dba", "versionType": "git"}, {"status": "affected", "version": "066a3b5b2346febf9a655b444567b7138e3bb939", "lessThan": "2e95c4384438adeaa772caa560244b1a2efef816", "versionType": "git"}], "programFiles": ["net/sched/sch_api.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "2.6.25"}, {"status": "unaffected", "version": "0", "lessThan": "2.6.25", "versionType": "semver"}, {"status": "unaffected", "version": "4.19.323", "versionType": "semver", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.285", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.229", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.171", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.116", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.60", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.11.7", "versionType": "semver", "lessThanOrEqual": "6.11.*"}, {"status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/sched/sch_api.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/e7f9a6f97eb067599a74f3bcb6761976b0ed303e"}, {"url": "https://git.kernel.org/stable/c/dbe778b08b5101df9e89bc06e0a3a7ecd2f4ef20"}, {"url": "https://git.kernel.org/stable/c/ce691c814bc7a3c30c220ffb5b7422715458fd9b"}, {"url": "https://git.kernel.org/stable/c/05df1b1dff8f197f1c275b57ccb2ca33021df552"}, {"url": "https://git.kernel.org/stable/c/580b3189c1972aff0f993837567d36392e9d981b"}, {"url": "https://git.kernel.org/stable/c/597cf9748c3477bf61bc35f0634129f56764ad24"}, {"url": "https://git.kernel.org/stable/c/9995909615c3431a5304c1210face5f268d24dba"}, {"url": "https://git.kernel.org/stable/c/2e95c4384438adeaa772caa560244b1a2efef816"}], "x_generator": {"engine": "bippy-5f407fcff5a0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT\n\nIn qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed\nto be either root or ingress. This assumption is bogus since it's valid\nto create egress qdiscs with major handle ffff:\nBudimir Markovic found that for qdiscs like DRR that maintain an active\nclass list, it will cause a UAF with a dangling class pointer.\n\nIn 066a3b5b2346, the concern was to avoid iterating over the ingress\nqdisc since its parent is itself. The proper fix is to stop when parent\nTC_H_ROOT is reached because the only way to retrieve ingress is when a\nhierarchy which does not contain a ffff: major handle call into\nqdisc_lookup with TC_H_MAJ(TC_H_ROOT).\n\nIn the scenario where major ffff: is an egress qdisc in any of the tree\nlevels, the updates will also propagate to TC_H_ROOT, which then the\niteration must stop.\n\n\n net/sched/sch_api.c | 2 +-\n 1 file changed, 1 insertion(+), 1 deletion(-)"}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T09:38:09.155Z"}}}, "cveMetadata": {"cveId": "CVE-2024-53057", "state": "PUBLISHED", "dateUpdated": "2024-12-19T09:38:09.155Z", "dateReserved": "2024-11-19T17:17:24.974Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-11-19T17:19:40.284Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC1BB872-C9E6-412A-A696-AAF936DC97C5", "versionEndExcluding": "4.19.323", "versionStartIncluding": "2.6.25", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B5A89369-320F-47FC-8695-56F61F87E4C0", "versionEndExcluding": "5.4.285", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1A03CABE-9B43-4E7F-951F-10DEEADAA426", "versionEndExcluding": "5.10.229", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2BE18665-48ED-417A-90AA-41F3AC0B4E9A", "versionEndExcluding": "5.15.171", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "43EFDC15-E4D4-4F1E-B70D-62F0854BFDF3", "versionEndExcluding": "6.1.116", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "75088E5E-2400-4D20-915F-7A65C55D9CCD", "versionEndExcluding": "6.6.60", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E96F53A4-5E87-4A70-BD9A-BC327828D57F", "versionEndExcluding": "6.11.7", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*", "matchCriteriaId": "7F361E1D-580F-4A2D-A509-7615F73167A1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*", "matchCriteriaId": "925478D0-3E3D-4E6F-ACD5-09F28D5DF82C", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*", "matchCriteriaId": "3C95E234-D335-4B6C-96BF-E2CEBD8654ED", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*", "matchCriteriaId": "E0F717D8-3014-4F84-8086-0124B2111379", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*", "matchCriteriaId": "24DBE6C7-2AAE-4818-AED2-E131F153D2FA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT\n\nIn qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed\nto be either root or ingress. This assumption is bogus since it's valid\nto create egress qdiscs with major handle ffff:\nBudimir Markovic found that for qdiscs like DRR that maintain an active\nclass list, it will cause a UAF with a dangling class pointer.\n\nIn 066a3b5b2346, the concern was to avoid iterating over the ingress\nqdisc since its parent is itself. The proper fix is to stop when parent\nTC_H_ROOT is reached because the only way to retrieve ingress is when a\nhierarchy which does not contain a ffff: major handle call into\nqdisc_lookup with TC_H_MAJ(TC_H_ROOT).\n\nIn the scenario where major ffff: is an egress qdisc in any of the tree\nlevels, the updates will also propagate to TC_H_ROOT, which then the\niteration must stop.\n\n\n net/sched/sch_api.c | 2 +-\n 1 file changed, 1 insertion(+), 1 deletion(-)"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/sched: stop qdisc_tree_reduce_backlog en TC_H_ROOT En qdisc_tree_reduce_backlog, se supone que las Qdisc con el identificador principal ffff: son ra\u00edz o de entrada. Esta suposici\u00f3n es falsa ya que es v\u00e1lido crear qdiscs de salida con el identificador principal ffff: Budimir Markovic descubri\u00f3 que para las qdisc como DRR que mantienen una lista de clases activa, provocar\u00e1 un UAF con un puntero de clase colgante. En 066a3b5b2346, la preocupaci\u00f3n era evitar iterar sobre la qdisc de entrada ya que su padre es ella misma. La soluci\u00f3n adecuada es detener cuando se alcanza el padre TC_H_ROOT porque la \u00fanica forma de recuperar la entrada es cuando una jerarqu\u00eda que no contiene un identificador principal ffff: llama a qdisc_lookup con TC_H_MAJ(TC_H_ROOT). En el escenario donde el ffff principal es una qdisc de salida en cualquiera de los niveles del \u00e1rbol, las actualizaciones tambi\u00e9n se propagar\u00e1n a TC_H_ROOT, donde luego la iteraci\u00f3n debe detenerse. net/sched/sch_api.c | 2 +- 1 archivo modificado, 1 inserci\u00f3n(+), 1 eliminaci\u00f3n(-)"}], "id": "CVE-2024-53057", "lastModified": "2024-12-11T15:15:17.757", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-11-19T18:15:25.700", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/05df1b1dff8f197f1c275b57ccb2ca33021df552"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2e95c4384438adeaa772caa560244b1a2efef816"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/580b3189c1972aff0f993837567d36392e9d981b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/597cf9748c3477bf61bc35f0634129f56764ad24"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9995909615c3431a5304c1210face5f268d24dba"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ce691c814bc7a3c30c220ffb5b7422715458fd9b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/dbe778b08b5101df9e89bc06e0a3a7ecd2f4ef20"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e7f9a6f97eb067599a74f3bcb6761976b0ed303e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "[email protected]", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "kernel: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT", "id": "2327344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2327344"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT\nIn qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed\nto be either root or ingress. This assumption is bogus since it's valid\nto create egress qdiscs with major handle ffff:\nBudimir Markovic found that for qdiscs like DRR that maintain an active\nclass list, it will cause a UAF with a dangling class pointer.\nIn 066a3b5b2346, the concern was to avoid iterating over the ingress\nqdisc since its parent is itself. The proper fix is to stop when parent\nTC_H_ROOT is reached because the only way to retrieve ingress is when a\nhierarchy which does not contain a ffff: major handle call into\nqdisc_lookup with TC_H_MAJ(TC_H_ROOT).\nIn the scenario where major ffff: is an egress qdisc in any of the tree\nlevels, the updates will also propagate to TC_H_ROOT, which then the\niteration must stop.\nnet/sched/sch_api.c | 2 +-\n1 file changed, 1 insertion(+), 1 deletion(-)", "A flaw was found in the packet scheduler API in the Linux kernel. An invalid assumption about qdiscs with major handle ffff allows qdiscs, such as DRR, that maintain an active class list to cause a use-after-free with a dangling class pointer."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-53057", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-11-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-53057\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-53057\nhttps://lore.kernel.org/linux-cve-announce/2024111928-CVE-2024-53057-a3a5@gregkh/T"], "statement": "This issue can only be exploited by an attacker with admin or root privileges, limiting the impact of this flaw. For this reason, this vulnerability has been rated with a Moderate severity.", "threat_severity": "Moderate"}