In the Linux kernel, the following vulnerability has been resolved:

net/sched: Fix mirred deadlock on device recursion

When the mirred action is used on a classful egress qdisc and a packet is
mirrored or redirected to self we hit a qdisc lock deadlock.
See trace below.

```
[… other info removed for brevity…]
[ 82.890906]
[ 82.890906] ============================================
[ 82.890906] WARNING: possible recursive locking detected
[ 82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Tainted: G W
[ 82.890906] --------------------------------------------
[ 82.890906] ping/418 is trying to acquire lock:
[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at: __dev_queue_xmit+0x1778/0x3550
[ 82.890906]
[ 82.890906] but task is already holding lock:
[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at: __dev_queue_xmit+0x1778/0x3550
[ 82.890906]
[ 82.890906] other info that might help us debug this:
[ 82.890906] Possible unsafe locking scenario:
[ 82.890906]
[ 82.890906] CPU0
[ 82.890906] ----
[ 82.890906] lock(&sch->q.lock);
[ 82.890906] lock(&sch->q.lock);
[ 82.890906]
[ 82.890906] *** DEADLOCK***
[ 82.890906]
[… other info removed for brevity…]
```

Example setup (eth0->eth0) to recreate

```
tc qdisc add dev eth0 root handle 1: htb default 30
tc filter add dev eth0 handle 1: protocol ip prio 2 matchall \
    action mirred egress redirect dev eth0
```

Another example (eth0->eth1->eth0) to recreate

```
tc qdisc add dev eth0 root handle 1: htb default 30
tc filter add dev eth0 handle 1: protocol ip prio 2 matchall \
    action mirred egress redirect dev eth1

tc qdisc add dev eth1 root handle 1: htb default 30
tc filter add dev eth1 handle 1: protocol ip prio 2 matchall \
    action mirred egress redirect dev eth0
```

We fix this by adding an owner field (CPU id) to struct Qdisc set after
root qdisc is entered. When the softirq enters it a second time, if the
qdisc owner is the same CPU, the packet is dropped to break the loop.
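For hosts that cannot be patched immediately, the two setups above can be generalised into a configuration audit. The following is an added example, not code from the kernel patch or from this advisory: it reads tc commands in the form shown above and reports any chain of egress mirred mirror/redirect actions that leads back to its starting device, for cycles of any length. The function names and the sample script are assumptions made for illustration.

```python
import re

# Egress mirror/redirect, the mirred form used in the page's example setups.
MIRRED_RE = re.compile(r"\baction mirred egress (?:mirror|redirect) dev (\S+)")
FILTER_RE = re.compile(r"^tc filter add dev (\S+)")

# Constructed sample: the page's eth0->eth1->eth0 setup plus a harmless eth2->eth3.
SAMPLE = r"""
tc qdisc add dev eth0 root handle 1: htb default 30
tc filter add dev eth0 handle 1: protocol ip prio 2 matchall \
    action mirred egress redirect dev eth1
tc qdisc add dev eth1 root handle 1: htb default 30
tc filter add dev eth1 handle 1: protocol ip prio 2 matchall \
    action mirred egress redirect dev eth0
tc filter add dev eth2 handle 1: protocol ip prio 2 matchall \
    action mirred egress mirror dev eth3
"""

def redirect_graph(script):
    """Map each device to the devices its egress filters mirror/redirect to."""
    graph = {}
    for cmd in script.replace("\\\n", " ").splitlines():  # join continuations
        cmd = " ".join(cmd.split())
        src = FILTER_RE.match(cmd)
        # Assumption: filters attached at ingress are out of scope for this bug.
        if not src or "ingress" in cmd.split(" action ", 1)[0].split():
            continue
        for dst in MIRRED_RE.findall(cmd):
            graph.setdefault(src.group(1), set()).add(dst)
    return graph

def find_loops(graph):
    """Return each redirect cycle once, as a path that ends where it starts."""
    loops, seen = [], set()
    def walk(dev, path):
        if dev in path:
            cycle = path[path.index(dev):]
            i = cycle.index(min(cycle))          # rotate for de-duplication
            key = tuple(cycle[i:] + cycle[:i])
            if key not in seen:
                seen.add(key)
                loops.append(list(key) + [key[0]])
            return
        for nxt in sorted(graph.get(dev, ())):
            walk(nxt, path + [dev])
    for start in sorted(graph):
        walk(start, [])
    return loops

if __name__ == "__main__":
    for loop in find_loops(redirect_graph(SAMPLE)):
        print("mirred egress loop:", " -> ".join(loop))
```
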

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < 6.8.0-38.38 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-aws | < 6.8.0-1011.12 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure | < any | UNKNOWN |
git.kernel.org/linus/0f022d32c3eca477fbf79a205243a6123ed0fe11 (6.9-rc5)
git.kernel.org/stable/c/0f022d32c3eca477fbf79a205243a6123ed0fe11
git.kernel.org/stable/c/e6b90468da4dae2281a6e381107f411efb48b0ef
launchpad.net/bugs/cve/CVE-2024-27010
nvd.nist.gov/vuln/detail/CVE-2024-27010
security-tracker.debian.org/tracker/CVE-2024-27010
ubuntu.com/security/notices/USN-6893-1
ubuntu.com/security/notices/USN-6893-2
ubuntu.com/security/notices/USN-6893-3
ubuntu.com/security/notices/USN-6918-1
www.cve.org/CVERecord?id=CVE-2024-27010