CVE-2021-47125
sch_htb: fix refcount leak in htb_parent_to_leaf_offload
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
sch_htb: fix refcount leak in htb_parent_to_leaf_offload
The commit ae81feb7338c ("sch_htb: fix null pointer dereference
on a null new_q") fixes a NULL pointer dereference bug, but it
is not correct.
Because htb_graft_helper properly handles the case when new_q
is NULL, and after the previous patch by skipping this call
which creates an inconsistency : dev_queue->qdisc will still
point to the old qdisc, but cl->parent->leaf.q will point to
the new one (which will be noop_qdisc, because new_q was NULL).
The code is based on an assumption that these two pointers are
the same, so it can lead to refcount leaks.
The correct fix is to add a NULL pointer check to protect
qdisc_refcount_inc inside htb_parent_to_leaf_offload.
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sch_htb: corrige la fuga de recuento en htb_parent_to_leaf_offload el commit ae81feb7338c ("sch_htb: corrige la desreferencia del puntero nulo en un new_q nulo") corrige un error de desreferencia del puntero NULL, pero no es correcto. Debido a que htb_graft_helper maneja adecuadamente el caso cuando new_q es NULL, y después del parche anterior al omitir esta llamada, se crea una inconsistencia: dev_queue->qdisc seguirá apuntando a la qdisc anterior, pero cl->parent->leaf.q apuntará a el nuevo (que será noop_qdisc, porque new_q era NULL). El código se basa en la suposición de que estos dos indicadores son iguales, por lo que puede provocar fugas de recuento. La solución correcta es agregar una verificación de puntero NULL para proteger qdisc_refcount_inc dentro de htb_parent_to_leaf_offload.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-03-04 CVE Reserved
- 2024-03-15 CVE Published
- 2024-03-16 EPSS Updated
- 2024-12-19 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (3)
URL | Tag | Source |
---|---|---|
https://git.kernel.org/stable/c/ae81feb7338c89cee4e6aa0424bdab2ce2b52da2 | Vuln. Introduced |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://git.kernel.org/stable/c/2411c02d03892a5057499f8102d0cc1e0f852416 | 2021-06-10 | |
https://git.kernel.org/stable/c/944d671d5faa0d78980a3da5c0f04960ef1ad893 | 2021-06-04 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.12 < 5.12.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.12 < 5.12.10" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.12 < 5.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.12 < 5.13" | en |
Affected
|