-

CVE-2026-53080

net/sched: cls_fw: fix NULL dereference of "old" filters before change()

In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls_fw: fix NULL dereference of "old" filters before change()

Like pointed out by Sashiko [1], since commit ed76f5edccc9 ("net: sched:
protect filter_chain list with filter_chain_lock mutex") TC filters are
added to a shared block and published to datapath before their ->change()
function is called. This is a problem for cls_fw: an invalid filter
created with the "old" method can still classify some packets before it
is destroyed by the validation logic added by Xiang.
Therefore, insisting with repeated runs of the following script:

 # ip link add dev crash0 type dummy
 # ip link set dev crash0 up
 # mausezahn  crash0 -c 100000 -P 10 \
 > -A 4.3.2.1 -B 1.2.3.4 -t udp "dp=1234" -q &
 # sleep 1
 # tc qdisc add dev crash0 egress_block 1 clsact
 # tc filter add block 1 protocol ip prio 1 matchall \
 > action skbedit mark 65536 continue
 # tc filter add block 1 protocol ip prio 2 fw
 # ip link del dev crash0

can still make fw_classify() hit the WARN_ON() in [2]:

 WARNING: ./include/net/pkt_cls.h:88 at fw_classify+0x244/0x250 [cls_fw], CPU#18: mausezahn/1399
 Modules linked in: cls_fw(E) act_skbedit(E)
 CPU: 18 UID: 0 PID: 1399 Comm: mausezahn Tainted: G            E       7.0.0-rc6-virtme #17 PREEMPT(full)
 Tainted: [E]=UNSIGNED_MODULE
 Hardware name: Red Hat KVM, BIOS 1.16.3-2.el9 04/01/2014
 RIP: 0010:fw_classify+0x244/0x250 [cls_fw]
 Code: 5c 49 c7 45 00 00 00 00 00 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 5b b8 ff ff ff ff 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 90 <0f> 0b 90 eb a0 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90
 RSP: 0018:ffffd1b7026bf8a8 EFLAGS: 00010202
 RAX: ffff8c5ac9c60800 RBX: ffff8c5ac99322c0 RCX: 0000000000000004
 RDX: 0000000000000001 RSI: ffff8c5b74d7a000 RDI: ffff8c5ac8284f40
 RBP: ffffd1b7026bf8d0 R08: 0000000000000000 R09: ffffd1b7026bf9b0
 R10: 00000000ffffffff R11: 0000000000000000 R12: 0000000000010000
 R13: ffffd1b7026bf930 R14: ffff8c5ac8284f40 R15: 0000000000000000
 FS:  00007fca40c37740(0000) GS:ffff8c5b74d7a000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007fca40e822a0 CR3: 0000000005ca0001 CR4: 0000000000172ef0
 Call Trace:
  <TASK>
  tcf_classify+0x17d/0x5c0
  tc_run+0x9d/0x150
  __dev_queue_xmit+0x2ab/0x14d0
  ip_finish_output2+0x340/0x8f0
  ip_output+0xa4/0x250
  raw_sendmsg+0x147d/0x14b0
  __sys_sendto+0x1cc/0x1f0
  __x64_sys_sendto+0x24/0x30
  do_syscall_64+0x126/0xf80
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
 RIP: 0033:0x7fca40e822ba
 Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
 RSP: 002b:00007ffc248a42c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
 RAX: ffffffffffffffda RBX: 000055ef233289d0 RCX: 00007fca40e822ba
 RDX: 000000000000001e RSI: 000055ef23328c30 RDI: 0000000000000003
 RBP: 000055ef233289d0 R08: 00007ffc248a42d0 R09: 0000000000000010
 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000001e
 R13: 00000000000186a0 R14: 0000000000000000 R15: 00007fca41043000
  </TASK>
 irq event stamp: 1045778
 hardirqs last  enabled at (1045784): [<ffffffff864ec042>] __up_console_sem+0x52/0x60
 hardirqs last disabled at (1045789): [<ffffffff864ec027>] __up_console_sem+0x37/0x60
 softirqs last  enabled at (1045426): [<ffffffff874d48c7>] __alloc_skb+0x207/0x260
 softirqs last disabled at (1045434): [<ffffffff874fe8f8>] __dev_queue_xmit+0x78/0x14d0

Then, because of the value in the packet's mark, dereference on 'q->handle'
with NULL 'q' occurs:

 BUG: kernel NULL  pointer dereference, address: 0000000000000038
 [...]
 RIP: 0010:fw_classify+0x1fe/0x250 [cls_fw]
 [...]

Skip "old-style" classification on shared blocks, so that the NULL
dereference is fixed and WARN_ON() is not hit anymore in the short
lifetime of invalid cls_fw "old-style" filters.

[1] https://sashiko.dev/#/patchset/2
---truncated---
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version ed76f5edccc98fa66f2337f0b3b255d6e1a568b7
Version < a719275da488835e987d28effc04679b4aace3a0
Status affected
Version ed76f5edccc98fa66f2337f0b3b255d6e1a568b7
Version < c205da704c84eeb4247d770150440294fd547049
Status affected
Version ed76f5edccc98fa66f2337f0b3b255d6e1a568b7
Version < 5dcce34c57d5e5990869384d69deeb9414bf9b92
Status affected
Version ed76f5edccc98fa66f2337f0b3b255d6e1a568b7
Version < 5df49f0579f7e625f2358a219d31fbc7621be799
Status affected
Version ed76f5edccc98fa66f2337f0b3b255d6e1a568b7
Version < 829808cbf8cf8a6d07a0e67a5ea2c3fcd63a9e5c
Status affected
Version ed76f5edccc98fa66f2337f0b3b255d6e1a568b7
Version < 41845bc5bb64f3d615abe575ad655b5e7f193634
Status affected
Version ed76f5edccc98fa66f2337f0b3b255d6e1a568b7
Version < 4fabcfea7a9dd159df32c5df6587fe858cb0d748
Status affected
Version ed76f5edccc98fa66f2337f0b3b255d6e1a568b7
Version < 65782b2db7321d5f97c16718c4c7f6c7205a56be
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 5.1
Status affected
Version 0
Version < 5.1
Status unaffected
Version <= 5.10.*
Version 5.10.259
Status unaffected
Version <= 5.15.*
Version 5.15.210
Status unaffected
Version <= 6.1.*
Version 6.1.176
Status unaffected
Version <= 6.6.*
Version 6.6.143
Status unaffected
Version <= 6.12.*
Version 6.12.93
Status unaffected
Version <= 6.18.*
Version 6.18.35
Status unaffected
Version <= 7.0.*
Version 7.0.10
Status unaffected
Version <= *
Version 7.1
Status unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.17% 0.068
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/a719275da488835e987d28effc04679b4aace3a0
https://git.kernel.org/stable/c/c205da704c84eeb4247d770150440294fd547049
https://git.kernel.org/stable/c/5dcce34c57d5e5990869384d69deeb9414bf9b92
https://git.kernel.org/stable/c/5df49f0579f7e625f2358a219d31fbc7621be799
https://git.kernel.org/stable/c/829808cbf8cf8a6d07a0e67a5ea2c3fcd63a9e5c
https://git.kernel.org/stable/c/41845bc5bb64f3d615abe575ad655b5e7f193634
https://git.kernel.org/stable/c/4fabcfea7a9dd159df32c5df6587fe858cb0d748
https://git.kernel.org/stable/c/65782b2db7321d5f97c16718c4c7f6c7205a56be