CVE-2021-47125

Summary

In the Linux kernel, the following vulnerability has been resolved:

sch_htb: fix refcount leak in htb_parent_to_leaf_offload

The commit ae81feb7338c ("sch_htb: fix null pointer dereference on a null new_q") fixes a NULL pointer dereference bug, but it is not correct.

Because htb_graft_helper properly handles the case when new_q is NULL, and after the previous patch by skipping this call which creates an inconsistency : dev_queue->qdisc will still point to the old qdisc, but cl->parent->leaf.q will point to the new one (which will be noop_qdisc, because new_q was NULL). The code is based on an assumption that these two pointers are the same, so it can lead to refcount leaks.

The correct fix is to add a NULL pointer check to protect qdisc_refcount_inc inside htb_parent_to_leaf_offload.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxae81feb7338c89cee4e6aa0424bdab2ce2b52da2 < 2411c02d03892a5057499f8102d0cc1e0f852416affected
LinuxLinuxae81feb7338c89cee4e6aa0424bdab2ce2b52da2 < 944d671d5faa0d78980a3da5c0f04960ef1ad893affected
LinuxLinux5.12affected
LinuxLinux0 < 5.12unaffected
LinuxLinux5.12.10 <= 5.12.*unaffected
LinuxLinux5.13 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References