1.4 KiB
CVE-2021-47125
Description
In the Linux kernel, the following vulnerability has been resolved:sch_htb: fix refcount leak in htb_parent_to_leaf_offloadThe commit ae81feb7338c ("sch_htb: fix null pointer dereferenceon a null new_q") fixes a NULL pointer dereference bug, but itis not correct.Because htb_graft_helper properly handles the case when new_qis NULL, and after the previous patch by skipping this callwhich creates an inconsistency : dev_queue->qdisc will stillpoint to the old qdisc, but cl->parent->leaf.q will point tothe new one (which will be noop_qdisc, because new_q was NULL).The code is based on an assumption that these two pointers arethe same, so it can lead to refcount leaks.The correct fix is to add a NULL pointer check to protectqdisc_refcount_inc inside htb_parent_to_leaf_offload.
POC
Reference
No PoCs from references.