In the Linux kernel, the following vulnerability has been resolved:
sch/netem: fix use after free in netem_dequeue
If netem_dequeue() enqueues a packet to the inner qdisc and that qdisc returns NET_XMIT_STOLEN, the packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to a use-after-free similar to the one fixed by commit e04991a48dbaf382 ("netem: fix return value if duplicate enqueue fails").
Commands to trigger KASAN UaF:
ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF
{ "vanir_signatures": [ { "id": "CVE-2024-46800-4d622ca9", "signature_type": "Line", "target": { "file": "net/sched/sch_netem.c" }, "deprecated": false, "digest": { "line_hashes": [ "120050562459328126446355296736737206002", "32491427887693962468852886030201439537", "68445878119359489335769510984582849256", "334545384258692314413426639099205653887", "269456757674049671539781361654874419174", "29093621668446002967440671922448986666", "136748962077625753616410928781369957220", "29914297356343616780041956409074578362" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@db2c235682913a63054e741fe4e19645fdf2d68e" }, { "id": "CVE-2024-46800-80b2c069", "signature_type": "Line", "target": { "file": "net/sched/sch_netem.c" }, "deprecated": false, "digest": { "line_hashes": [ "120050562459328126446355296736737206002", "32491427887693962468852886030201439537", "68445878119359489335769510984582849256", "334545384258692314413426639099205653887", "269456757674049671539781361654874419174", "29093621668446002967440671922448986666", "136748962077625753616410928781369957220", "29914297356343616780041956409074578362" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@295ad5afd9efc5f67b86c64fce28fb94e26dc4c9" }, { "id": "CVE-2024-46800-b1be14c4", "signature_type": "Function", "target": { "file": "net/sched/sch_netem.c", "function": "netem_dequeue" }, "deprecated": false, "digest": { "length": 1469.0, "function_hash": "98578620970665628643873110731531480349" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@14f91ab8d391f249b845916820a56f42cf747241" }, { "id": "CVE-2024-46800-ba0cecaf", "signature_type": "Line", "target": { "file": "net/sched/sch_netem.c" }, "deprecated": false, "digest": { "line_hashes": [ "120050562459328126446355296736737206002", 
"32491427887693962468852886030201439537", "68445878119359489335769510984582849256", "334545384258692314413426639099205653887", "269456757674049671539781361654874419174", "29093621668446002967440671922448986666", "136748962077625753616410928781369957220", "29914297356343616780041956409074578362" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@14f91ab8d391f249b845916820a56f42cf747241" }, { "id": "CVE-2024-46800-c6f29f1a", "signature_type": "Line", "target": { "file": "net/sched/sch_netem.c" }, "deprecated": false, "digest": { "line_hashes": [ "120050562459328126446355296736737206002", "32491427887693962468852886030201439537", "68445878119359489335769510984582849256", "334545384258692314413426639099205653887", "269456757674049671539781361654874419174", "29093621668446002967440671922448986666", "136748962077625753616410928781369957220", "29914297356343616780041956409074578362" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f0bddb4de043399f16d1969dad5ee5b984a64e7b" }, { "id": "CVE-2024-46800-c7dd72ee", "signature_type": "Function", "target": { "file": "net/sched/sch_netem.c", "function": "netem_dequeue" }, "deprecated": false, "digest": { "length": 1469.0, "function_hash": "98578620970665628643873110731531480349" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@db2c235682913a63054e741fe4e19645fdf2d68e" }, { "id": "CVE-2024-46800-ca1af62e", "signature_type": "Function", "target": { "file": "net/sched/sch_netem.c", "function": "netem_dequeue" }, "deprecated": false, "digest": { "length": 1469.0, "function_hash": "98578620970665628643873110731531480349" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@295ad5afd9efc5f67b86c64fce28fb94e26dc4c9" }, { "id": "CVE-2024-46800-efc9942f", "signature_type": 
"Function", "target": { "file": "net/sched/sch_netem.c", "function": "netem_dequeue" }, "deprecated": false, "digest": { "length": 1641.0, "function_hash": "320070336494883885396007878396200359" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f0bddb4de043399f16d1969dad5ee5b984a64e7b" } ] }