// For flags

CVE-2021-47125

sch_htb: fix refcount leak in htb_parent_to_leaf_offload

Severity Score

"-"
*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

sch_htb: fix refcount leak in htb_parent_to_leaf_offload

The commit ae81feb7338c ("sch_htb: fix null pointer dereference
on a null new_q") fixes a NULL pointer dereference bug, but it
is not correct.

Because htb_graft_helper properly handles the case when new_q
is NULL, and after the previous patch by skipping this call
which creates an inconsistency : dev_queue->qdisc will still
point to the old qdisc, but cl->parent->leaf.q will point to
the new one (which will be noop_qdisc, because new_q was NULL).
The code is based on an assumption that these two pointers are
the same, so it can lead to refcount leaks.

The correct fix is to add a NULL pointer check to protect
qdisc_refcount_inc inside htb_parent_to_leaf_offload.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sch_htb: corrige la fuga de recuento en htb_parent_to_leaf_offload el commit ae81feb7338c ("sch_htb: corrige la desreferencia del puntero nulo en un new_q nulo") corrige un error de desreferencia del puntero NULL, pero no es correcto. Debido a que htb_graft_helper maneja adecuadamente el caso cuando new_q es NULL, y después del parche anterior al omitir esta llamada, se crea una inconsistencia: dev_queue->qdisc seguirá apuntando a la qdisc anterior, pero cl->parent->leaf.q apuntará a el nuevo (que será noop_qdisc, porque new_q era NULL). El código se basa en la suposición de que estos dos indicadores son iguales, por lo que puede provocar fugas de recuento. La solución correcta es agregar una verificación de puntero NULL para proteger qdisc_refcount_inc dentro de htb_parent_to_leaf_offload.

*Credits: N/A
CVSS Scores
Attack Vector
-
Attack Complexity
-
Privileges Required
-
User Interaction
-
Scope
-
Confidentiality
-
Integrity
-
Availability
-
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-03-04 CVE Reserved
  • 2024-03-15 CVE Published
  • 2024-03-16 EPSS Updated
  • 2024-12-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.12 < 5.12.10
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.12 < 5.12.10"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.12 < 5.13
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.12 < 5.13"
en
Affected