Ubuntu: (Multiple Advisories) (CVE-2024-27010): Linux kernel vulnerabilities

Ubuntu: (Multiple Advisories) (CVE-2024-27010): Linux kernel vulnerabilities

Severity

5

CVSS

(AV:L/AC:L/Au:S/C:N/I:N/A:C)

Published

05/01/2024

Created

07/12/2024

Added

07/12/2024

Modified

01/28/2025

Description

In the Linux kernel, the following vulnerability has been resolved: net/sched: Fix mirred deadlock on device recursion When the mirred action is used on a classful egress qdisc and a packet is mirrored or redirected to self we hit a qdisc lock deadlock. See trace below. [..... other info removed for brevity....] [ 82.890906] [ 82.890906] ============================================ [ 82.890906] WARNING: possible recursive locking detected [ 82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Tainted: GW [ 82.890906] -------------------------------------------- [ 82.890906] ping/418 is trying to acquire lock: [ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at: __dev_queue_xmit+0x1778/0x3550 [ 82.890906] [ 82.890906] but task is already holding lock: [ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at: __dev_queue_xmit+0x1778/0x3550 [ 82.890906] [ 82.890906] other info that might help us debug this: [ 82.890906]Possible unsafe locking scenario: [ 82.890906] [ 82.890906]CPU0 [ 82.890906]---- [ 82.890906] lock(&sch->q.lock); [ 82.890906] lock(&sch->q.lock); [ 82.890906] [ 82.890906]*** DEADLOCK *** [ 82.890906] [..... other info removed for brevity....] Example setup (eth0->eth0) to recreate tc qdisc add dev eth0 root handle 1: htb default 30 tc filter add dev eth0 handle 1: protocol ip prio 2 matchall \ action mirred egress redirect dev eth0 Another example(eth0->eth1->eth0) to recreate tc qdisc add dev eth0 root handle 1: htb default 30 tc filter add dev eth0 handle 1: protocol ip prio 2 matchall \ action mirred egress redirect dev eth1 tc qdisc add dev eth1 root handle 1: htb default 30 tc filter add dev eth1 handle 1: protocol ip prio 2 matchall \ action mirred egress redirect dev eth0 We fix this by adding an owner field (CPU id) to struct Qdisc set after root qdisc is entered. When the softirq enters it a second time, if the qdisc owner is the same CPU, the packet is dropped to break the loop.

Solution(s)

• ubuntu-upgrade-linux-image-6-8-0-1006-gke
• ubuntu-upgrade-linux-image-6-8-0-1007-intel
• ubuntu-upgrade-linux-image-6-8-0-1007-raspi
• ubuntu-upgrade-linux-image-6-8-0-1008-ibm
• ubuntu-upgrade-linux-image-6-8-0-1008-oem
• ubuntu-upgrade-linux-image-6-8-0-1008-oracle
• ubuntu-upgrade-linux-image-6-8-0-1008-oracle-64k
• ubuntu-upgrade-linux-image-6-8-0-1009-nvidia
• ubuntu-upgrade-linux-image-6-8-0-1009-nvidia-64k
• ubuntu-upgrade-linux-image-6-8-0-1010-azure
• ubuntu-upgrade-linux-image-6-8-0-1010-azure-fde
• ubuntu-upgrade-linux-image-6-8-0-1010-gcp
• ubuntu-upgrade-linux-image-6-8-0-1011-aws
• ubuntu-upgrade-linux-image-6-8-0-38-generic
• ubuntu-upgrade-linux-image-6-8-0-38-generic-64k
• ubuntu-upgrade-linux-image-6-8-0-38-lowlatency
• ubuntu-upgrade-linux-image-6-8-0-38-lowlatency-64k
• ubuntu-upgrade-linux-image-aws
• ubuntu-upgrade-linux-image-azure
• ubuntu-upgrade-linux-image-azure-fde
• ubuntu-upgrade-linux-image-gcp
• ubuntu-upgrade-linux-image-generic
• ubuntu-upgrade-linux-image-generic-64k
• ubuntu-upgrade-linux-image-generic-64k-hwe-24-04
• ubuntu-upgrade-linux-image-generic-hwe-24-04
• ubuntu-upgrade-linux-image-generic-lpae
• ubuntu-upgrade-linux-image-gke
• ubuntu-upgrade-linux-image-ibm
• ubuntu-upgrade-linux-image-ibm-classic
• ubuntu-upgrade-linux-image-ibm-lts-24-04
• ubuntu-upgrade-linux-image-intel
• ubuntu-upgrade-linux-image-kvm
• ubuntu-upgrade-linux-image-lowlatency
• ubuntu-upgrade-linux-image-lowlatency-64k
• ubuntu-upgrade-linux-image-nvidia
• ubuntu-upgrade-linux-image-nvidia-64k
• ubuntu-upgrade-linux-image-oem-24-04
• ubuntu-upgrade-linux-image-oem-24-04a
• ubuntu-upgrade-linux-image-oracle
• ubuntu-upgrade-linux-image-oracle-64k
• ubuntu-upgrade-linux-image-raspi
• ubuntu-upgrade-linux-image-virtual
• ubuntu-upgrade-linux-image-virtual-hwe-24-04

References

• https://attackerkb.com/topics/cve-2024-27010
• CVE - 2024-27010
• USN-6893-1
• USN-6893-2
• USN-6893-3
• USN-6918-1