Bug 2261974 (CVE-2021-33630)

Summary: CVE-2021-33630 kernel: net/sched: cbs NULL pointer dereference when offloading is enabled
Product: Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, ajmitchell, allarkin, anprice, aquini, bhu, chwhite, cye, cyin, dbohanno, debarbos, dfreiber, drow, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lzampier, mleitner, mmilgram, mstowell, nmurray, ptalbert, rparrazo, rrobaina, rvrbovsk, rysulliv, scweaver, sukulkar, tglozar, tyberry, vkumar, wcosta, williams, wmealing, ycote, ykopkova, zhijwang
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: kernel 5.4-rc1
Doc Text:
A NULL pointer dereference flaw was found in the Linux kernel's network scheduler (the net/sched cbs qdisc). When offloading is enabled, the cbs instance is not added to the list of instances, and the code also mishandles the case where offload is later disabled without the qdisc being removed. This could allow a local user to cause a denial of service condition.
Bug Blocks: 2261978

Description Mauro Matteo Cascella 2024-01-30 16:55:37 UTC
A flaw was found in the network scheduler in the Linux kernel. The problem happens because, when offloading is enabled, the cbs instance is not added to the list. Also, the code did not correctly handle the case where offload is disabled without removing the qdisc. This could lead to a NULL pointer dereference issue.

Upstream commit:
https://github.com/torvalds/linux/commit/3e8b9bfa110896f95d602d8c98d5f9d67e41d78c

References:
https://www.openwall.com/lists/oss-security/2024/01/30/3
https://nvd.nist.gov/vuln/detail/CVE-2021-33630
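The lifecycle inconsistency the Doc Text and the description above point at, as an added user-space model in C. This is not net/sched/sch_cbs.c and not the upstream fix: the names cbs_sched, cbs_list, cbs_check and the scenario functions, the child pointer, and the guard in cbs_destroy are assumptions of the model. The page only states that an offloaded instance was not added to the list, that turning offload off without removing the qdisc was mishandled, and that a NULL dereference follows. The model zero-initialises the instance the way qdisc private data starts out, so an instance that was never registered has NULL list links, and it reports where the real code would fault instead of faulting itself.

```c
/* Added model of the lifecycle inconsistency described in this bug.
 * Not net/sched/sch_cbs.c and not the upstream fix: struct and function
 * names, the child pointer and the guard in cbs_destroy are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct list_node { struct list_node *prev, *next; };
struct child_qdisc { int backlog; };

struct cbs_sched {
    bool offload;                     /* true: shaping is done by hardware */
    struct child_qdisc *qdisc;        /* software-path child; NULL if never set up */
    struct list_node node;            /* link into the global instance list */
    struct child_qdisc child_storage; /* backing store for qdisc (no heap needed) */
};

/* Global list of live instances (stands in for the kernel's cbs_list). */
static struct list_node cbs_list = { &cbs_list, &cbs_list };

static void list_add(struct list_node *n, struct list_node *head)
{
    n->next = head->next;  n->prev = head;
    head->next->prev = n;  head->next = n;
}

/* Violations the checker reports for one instance (model's own naming). */
enum { NOT_ON_LIST = 1, SOFT_WITHOUT_CHILD = 2, DESTROY_WOULD_FAULT = 4 };

static int cbs_check(const struct cbs_sched *q)
{
    int v = 0;
    bool found = false;
    for (const struct list_node *p = cbs_list.next; p != &cbs_list; p = p->next)
        if (p == &q->node)
            found = true;
    if (!found)                           /* never registered: list walks skip it */
        v |= NOT_ON_LIST;
    if (!q->offload && q->qdisc == NULL)  /* software dequeue goes through q->qdisc */
        v |= SOFT_WITHOUT_CHILD;
    return v;
}

/* Buggy flow, as the Doc Text describes it: registration and the software
 * child depend on the mode chosen at creation time. */
static void cbs_init_buggy(struct cbs_sched *q, bool offload)
{
    memset(q, 0, sizeof *q);              /* qdisc private data starts zeroed */
    q->offload = offload;
    if (!offload) {                       /* only software mode gets tracked */
        q->qdisc = &q->child_storage;
        list_add(&q->node, &cbs_list);
    }
}

static void cbs_change_buggy(struct cbs_sched *q, bool offload)
{
    q->offload = offload;                 /* turning offload off repairs nothing */
}

/* Fixed flow: registration and the child exist regardless of mode, so a
 * later mode change has nothing to repair. */
static void cbs_init_fixed(struct cbs_sched *q, bool offload)
{
    memset(q, 0, sizeof *q);
    q->qdisc = &q->child_storage;
    list_add(&q->node, &cbs_list);
    q->offload = offload;
}

static void cbs_change_fixed(struct cbs_sched *q, bool offload)
{
    q->offload = offload;
}

/* Unlink on teardown. The kernel's list_del follows prev/next without
 * checking; the guard here is a model-only stand-in that reports the fault. */
static int cbs_destroy(struct cbs_sched *q)
{
    if (q->node.prev == NULL || q->node.next == NULL)
        return -1;                        /* real code would dereference NULL */
    q->node.prev->next = q->node.next;
    q->node.next->prev = q->node.prev;
    q->node.prev = q->node.next = NULL;
    q->qdisc = NULL;
    return 0;
}

/* The scenario from the bug: create with offload on, turn offload off while
 * keeping the qdisc, then tear it down. Returns the violation mask. */
static int scenario_offload_then_software(bool fixed)
{
    struct cbs_sched q;
    if (fixed) { cbs_init_fixed(&q, true); cbs_change_fixed(&q, false); }
    else       { cbs_init_buggy(&q, true); cbs_change_buggy(&q, false); }
    int v = cbs_check(&q);
    if (cbs_destroy(&q) != 0)
        v |= DESTROY_WOULD_FAULT;
    return v;
}

int main(void)
{
    printf("offload->software, buggy flow: mask %d\n", scenario_offload_then_software(false));
    printf("offload->software, fixed flow: mask %d\n", scenario_offload_then_software(true));
    return 0;
}
```

The two masks are the point: the buggy flow ends up off the list, in software mode without a child, and with a teardown that would follow NULL links, while the fixed flow keeps both invariants without any special handling in the mode change. Registration that does not depend on the offload flag is the property the description implies the upstream commit restores; the model is not a reproducer for a real kernel.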

Comment 3 Mauro Matteo Cascella 2024-01-31 09:14:13 UTC
This CVE was fixed upstream in kernel version 5.4. The kernel packages as shipped in Red Hat Enterprise Linux 8 were previously updated to a version that contains the fix via the following errata:

kernel in Red Hat Enterprise Linux 8
https://access.redhat.com/errata/RHSA-2020:1769

kernel-rt in Red Hat Enterprise Linux 8
https://access.redhat.com/errata/RHSA-2020:1567