CVE-2024-57996: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: don't allow 1 packet limit The current implementation does not work correctly with a limit of 1. iproute2 actually checks for this and this patch adds the check in kernel as well. This fixes the following syzkaller reported crash: UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x125/0x19f lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:148 [inline] __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347 sfq_link net/sched/sch_sfq.c:210 [inline] sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238 sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500 sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296 netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline] dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362 __dev_close_many+0x214/0x350 net/core/dev.c:1468 dev_close_many+0x207/0x510 net/core/dev.c:1506 unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738 unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695 unregister_netdevice include/linux/netdevice.h:2893 [inline] __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689 tun_detach drivers/net/tun.c:705 [inline] tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640 __fput+0x203/0x840 fs/file_table.c:280 task_work_run+0x129/0x1b0 kernel/task_work.c:185 exit_task_work include/linux/task_work.h:33 [inline] do_exit+0x5ce/0x2200 kernel/exit.c:931 do_group_exit+0x144/0x310 kernel/exit.c:1046 __do_sys_exit_group kernel/exit.c:1057 [inline] __se_sys_exit_group kernel/exit.c:1055 [inline] __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055 do_syscall_64+0x6c/0xd0 entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fe5e7b52479 Code: Unable to access opcode bytes at RIP 0x7fe5e7b5244f. RSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0 R13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270 The crash can be also be reproduced with the following (with a tc recompiled to allow for sfq limits of 1): tc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s ../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1 ifconfig dummy0 up ping -I dummy0 -f -c2 -W0.1 8.8.8.8 sleep 1 Scenario that triggers the crash: * the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1 * TBF dequeues: it peeks from SFQ which moves the packet to the gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so it schedules itself for later. * the second packet is sent and TBF tries to queues it to SFQ. qdisc qlen is now 2 and because the SFQ limit is 1 the packet is dropped by SFQ. At this point qlen is 1, and all of the SFQ slots are empty, however q->tail is not NULL. At this point, assuming no more packets are queued, when sch_dequeue runs again it will decrement the qlen for the current empty slot causing an underflow and the subsequent out of bounds access.
AI Analysis
Technical Summary
CVE-2024-57996 is a vulnerability identified in the Linux kernel's network scheduler component, specifically within the sch_sfq (Stochastic Fairness Queueing) discipline. The flaw arises from improper handling of a packet limit set to 1 in the SFQ queue. The Linux kernel's SFQ implementation does not correctly enforce or handle a limit of one packet, leading to an out-of-bounds array access and a potential crash. This issue was initially reported by the syzkaller fuzzing tool, which detected an array-index-out-of-bounds error at line 210 in net/sched/sch_sfq.c. The root cause involves the interaction between the Token Bucket Filter (TBF) and SFQ queuing disciplines when the SFQ limit is set to 1. When packets are enqueued and dequeued under these conditions, the queue length (qlen) can underflow, and the internal queue tail pointer (q->tail) can become inconsistent, leading to an out-of-bounds access of the sfq_head array. This results in a kernel crash due to undefined behavior triggered by the invalid memory access. The vulnerability can be reproduced by configuring a dummy network interface with TBF and SFQ queuing disciplines, setting the SFQ limit to 1, and sending packets rapidly. The flaw is not mitigated by the iproute2 utility, which already checks for this condition, but the kernel itself lacked this validation until patched. The vulnerability affects Linux kernel versions prior to the patch that adds the necessary checks to prevent this condition. No known exploits are reported in the wild as of the publication date. The vulnerability does not require user interaction but does require the ability to configure network queuing disciplines or send crafted packets to a vulnerable system. The impact is primarily a denial-of-service (DoS) condition due to kernel crashes, which can affect system availability and stability.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions that utilize the SFQ queuing discipline with specific configurations. The impact is a potential denial-of-service condition caused by kernel crashes, which can disrupt critical network services, especially in environments relying on Linux-based routers, firewalls, or network appliances. Organizations with infrastructure that allows unprivileged users or attackers to manipulate network queuing disciplines or send crafted packets to affected systems could face service interruptions. This could affect data centers, cloud providers, telecom operators, and enterprises with Linux-based networking equipment. The vulnerability does not directly lead to privilege escalation or data leakage but can degrade service availability, impacting business continuity and operational reliability. Given the widespread use of Linux in European IT infrastructure, especially in public sector, finance, and telecommunications, the disruption potential is significant if exploited in targeted attacks or misconfigurations. However, exploitation requires specific conditions and some level of system access or control over network configurations, limiting the attack surface to more privileged or exposed environments.
Mitigation Recommendations
1. Apply the official Linux kernel patch that adds validation to prevent SFQ limits of 1 and fixes the queue length underflow issue. Ensure all Linux systems are updated to a kernel version that includes this fix. 2. Audit network configurations to avoid setting SFQ queue limits to 1, and verify that iproute2 and related utilities are up to date to prevent misconfigurations. 3. Restrict access to network configuration utilities and interfaces to trusted administrators only, minimizing the risk of unauthorized manipulation of queuing disciplines. 4. Monitor kernel logs and system stability for signs of crashes related to network scheduling, which could indicate attempted exploitation or misconfiguration. 5. For critical systems, consider implementing network segmentation and filtering to limit exposure to crafted packets that could trigger the vulnerability. 6. Employ runtime security tools that can detect and prevent kernel memory corruption or out-of-bounds accesses as an additional layer of defense. 7. Engage in proactive vulnerability management and patch deployment processes to ensure timely remediation of kernel vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2024-57996: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: don't allow 1 packet limit The current implementation does not work correctly with a limit of 1. iproute2 actually checks for this and this patch adds the check in kernel as well. This fixes the following syzkaller reported crash: UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x125/0x19f lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:148 [inline] __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347 sfq_link net/sched/sch_sfq.c:210 [inline] sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238 sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500 sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296 netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline] dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362 __dev_close_many+0x214/0x350 net/core/dev.c:1468 dev_close_many+0x207/0x510 net/core/dev.c:1506 unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738 unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695 unregister_netdevice include/linux/netdevice.h:2893 [inline] __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689 tun_detach drivers/net/tun.c:705 [inline] tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640 __fput+0x203/0x840 fs/file_table.c:280 task_work_run+0x129/0x1b0 kernel/task_work.c:185 exit_task_work include/linux/task_work.h:33 [inline] do_exit+0x5ce/0x2200 kernel/exit.c:931 do_group_exit+0x144/0x310 kernel/exit.c:1046 __do_sys_exit_group kernel/exit.c:1057 [inline] __se_sys_exit_group kernel/exit.c:1055 [inline] __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055 do_syscall_64+0x6c/0xd0 entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fe5e7b52479 Code: Unable to access opcode bytes at RIP 0x7fe5e7b5244f. RSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0 R13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270 The crash can be also be reproduced with the following (with a tc recompiled to allow for sfq limits of 1): tc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s ../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1 ifconfig dummy0 up ping -I dummy0 -f -c2 -W0.1 8.8.8.8 sleep 1 Scenario that triggers the crash: * the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1 * TBF dequeues: it peeks from SFQ which moves the packet to the gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so it schedules itself for later. * the second packet is sent and TBF tries to queues it to SFQ. qdisc qlen is now 2 and because the SFQ limit is 1 the packet is dropped by SFQ. At this point qlen is 1, and all of the SFQ slots are empty, however q->tail is not NULL. At this point, assuming no more packets are queued, when sch_dequeue runs again it will decrement the qlen for the current empty slot causing an underflow and the subsequent out of bounds access.
AI-Powered Analysis
Technical Analysis
CVE-2024-57996 is a vulnerability identified in the Linux kernel's network scheduler component, specifically within the sch_sfq (Stochastic Fairness Queueing) discipline. The flaw arises from improper handling of a packet limit set to 1 in the SFQ queue. The Linux kernel's SFQ implementation does not correctly enforce or handle a limit of one packet, leading to an out-of-bounds array access and a potential crash. This issue was initially reported by the syzkaller fuzzing tool, which detected an array-index-out-of-bounds error at line 210 in net/sched/sch_sfq.c. The root cause involves the interaction between the Token Bucket Filter (TBF) and SFQ queuing disciplines when the SFQ limit is set to 1. When packets are enqueued and dequeued under these conditions, the queue length (qlen) can underflow, and the internal queue tail pointer (q->tail) can become inconsistent, leading to an out-of-bounds access of the sfq_head array. This results in a kernel crash due to undefined behavior triggered by the invalid memory access. The vulnerability can be reproduced by configuring a dummy network interface with TBF and SFQ queuing disciplines, setting the SFQ limit to 1, and sending packets rapidly. The flaw is not mitigated by the iproute2 utility, which already checks for this condition, but the kernel itself lacked this validation until patched. The vulnerability affects Linux kernel versions prior to the patch that adds the necessary checks to prevent this condition. No known exploits are reported in the wild as of the publication date. The vulnerability does not require user interaction but does require the ability to configure network queuing disciplines or send crafted packets to a vulnerable system. The impact is primarily a denial-of-service (DoS) condition due to kernel crashes, which can affect system availability and stability.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions that utilize the SFQ queuing discipline with specific configurations. The impact is a potential denial-of-service condition caused by kernel crashes, which can disrupt critical network services, especially in environments relying on Linux-based routers, firewalls, or network appliances. Organizations with infrastructure that allows unprivileged users or attackers to manipulate network queuing disciplines or send crafted packets to affected systems could face service interruptions. This could affect data centers, cloud providers, telecom operators, and enterprises with Linux-based networking equipment. The vulnerability does not directly lead to privilege escalation or data leakage but can degrade service availability, impacting business continuity and operational reliability. Given the widespread use of Linux in European IT infrastructure, especially in public sector, finance, and telecommunications, the disruption potential is significant if exploited in targeted attacks or misconfigurations. However, exploitation requires specific conditions and some level of system access or control over network configurations, limiting the attack surface to more privileged or exposed environments.
Mitigation Recommendations
1. Apply the official Linux kernel patch that adds validation to prevent SFQ limits of 1 and fixes the queue length underflow issue. Ensure all Linux systems are updated to a kernel version that includes this fix. 2. Audit network configurations to avoid setting SFQ queue limits to 1, and verify that iproute2 and related utilities are up to date to prevent misconfigurations. 3. Restrict access to network configuration utilities and interfaces to trusted administrators only, minimizing the risk of unauthorized manipulation of queuing disciplines. 4. Monitor kernel logs and system stability for signs of crashes related to network scheduling, which could indicate attempted exploitation or misconfiguration. 5. For critical systems, consider implementing network segmentation and filtering to limit exposure to crafted packets that could trigger the vulnerability. 6. Employ runtime security tools that can detect and prevent kernel memory corruption or out-of-bounds accesses as an additional layer of defense. 7. Engage in proactive vulnerability management and patch deployment processes to ensure timely remediation of kernel vulnerabilities.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-02-27T02:04:28.914Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9823c4522896dcbdec32
Added to database: 5/21/2025, 9:08:51 AM
Last enriched: 6/28/2025, 9:41:55 AM
Last updated: 8/17/2025, 4:54:40 PM
Views: 25
Related Threats
CVE-2025-5296: CWE-59 Improper Link Resolution Before File Access ('Link Following') in Schneider Electric SESU
HighCVE-2025-6625: CWE-20 Improper Input Validation in Schneider Electric Modicon M340
HighCVE-2025-57703: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Delta Electronics DIAEnergie
MediumCVE-2025-57702: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Delta Electronics DIAEnergie
MediumCVE-2025-57701: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Delta Electronics DIAEnergie
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.