Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: fix divide by zero in the offload path Offloading ETS requires computing each class' WRR weight: this is done by averaging over the sums of quanta as 'q_sum' and 'q_psum'. Using unsigned int, the same integer size as the individual DRR quanta, can overflow and even cause division by zero, like it happened in the following splat: Oops: divide error: 0000 [#1] SMP PTI CPU: 13 UID: 0 PID: 487 Comm: tc Tainted: G E 6.19.0-virtme #45 PREEMPT(full) Tainted: [E]=UNSIGNED_MODULE Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets] Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44 RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246 RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660 RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000 FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0 Call Trace: ets_qdisc_change+0x870/0xf40 [sch_ets] qdisc_create+0x12b/0x540 tc_modify_qdisc+0x6d7/0xbd0 rtnetlink_rcv_msg+0x168/0x6b0 netlink_rcv_skb+0x5c/0x110 netlink_unicast+0x1d6/0x2b0 netlink_sendmsg+0x22e/0x470 ____sys_sendmsg+0x38a/0x3c0 ___sys_sendmsg+0x99/0xe0 __sys_sendmsg+0x8a/0xf0 do_syscall_64+0x111/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f440b81c77e Code: 4d 89 d8 e8 d4 bc 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa RSP: 002b:00007fff951e4c10 EFLAGS: 00000202 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000481820 RCX: 00007f440b81c77e RDX: 0000000000000000 RSI: 00007fff951e4cd0 RDI: 0000000000000003 RBP: 00007fff951e4c20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff951f4fa8 R13: 00000000699ddede R14: 00007f440bb01000 R15: 0000000000486980 Modules linked in: sch_ets(E) netdevsim(E) ---[ end trace 0000000000000000 ]--- RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets] Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44 RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246 RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660 RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000 FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0 Kernel panic - not syncing: Fatal exception Kernel Offset: 0x30000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) ---[ end Kernel panic - not syncing: Fatal exception ]--- Fix this using 64-bit integers for 'q_sum' and 'q_psum'.
Mitigation
Minimal update. May introduce new vulnerabilities or breaking changes.
|
 rpm rhel8 | | - | - |
 debian 13 | | =6.12.38-1 || =6.12.41-1 || =6.12.43-1 || =6.12.43-1~bpo12+1 || =6.12.48-1 || =6.12.57-1 || =6.12.57-1~bpo12+1 || =6.12.63-1 || =6.12.63-1~bpo12+1 || =6.12.69-1 || =6.12.69-1~bpo12+1 || =6.12.73-1 || =6.12.73-1~bpo12+1 || =6.12.74-1 || =6.12.74-2 || =6.12.74-2~bpo12+1 || =6.12.85-1~bpo12+1 || >=0 <6.12.85-1 | 6.12.85-1 |
rpm rhel9 | | - | - |
debian 14 | | =6.12.38-1 || =6.12.41-1 || =6.12.43-1 || =6.12.43-1~bpo12+1 || =6.12.48-1 || =6.12.57-1 || =6.12.57-1~bpo12+1 || =6.12.63-1 || =6.12.63-1~bpo12+1 || =6.12.69-1 || =6.12.69-1~bpo12+1 || =6.12.73-1 || =6.12.73-1~bpo12+1 || =6.12.74-1 || =6.12.74-2 || =6.12.74-2~bpo12+1 || =6.12.85-1 || =6.12.85-1~bpo12+1 || =6.12.86-1 || =6.12.86-1~bpo12+1 || =6.12.88-1 || =6.12.88-1~bpo12+1 || =6.12.90-1 || =6.12.90-1~bpo12+1 || =6.12.90-2 || =6.13.10-1~exp1 || =6.13.11-1~exp1 || =6.13.2-1~exp1 || =6.13.3-1~exp1 || =6.13.4-1~exp1 || =6.13.5-1~exp1 || =6.13.6-1~exp1 || =6.13.7-1~exp1 || =6.13.8-1~exp1 || =6.13.9-1~exp1 || =6.13~rc6-1~exp1 || =6.13~rc7-1~exp1 || =6.14.3-1~exp1 || =6.14.5-1~exp1 || =6.14.6-1~exp1 || =6.15-1~exp1 || =6.15.1-1~exp1 || =6.15.2-1~exp1 || =6.15.3-1~exp1 || =6.15.4-1~exp1 || =6.15.5-1~exp1 || =6.15.6-1~exp1 || =6.15~rc7-1~exp1 || =6.16-1~exp1 || =6.16.1-1~exp1 || =6.16.10-1 || =6.16.11-1 || =6.16.12-1 || =6.16.12-1~bpo13+1 || =6.16.12-2 || =6.16.3-1 || =6.16.3-1~bpo13+1 || =6.16.5-1 || =6.16.6-1 || =6.16.7-1 || =6.16.8-1 || =6.16.9-1 || =6.16~rc7-1~exp1 || =6.17.10-1 || =6.17.11-1 || =6.17.12-1 || =6.17.13-1 || =6.17.13-1~bpo13+1 || =6.17.2-1~exp1 || =6.17.5-1~exp1 || =6.17.6-1 || =6.17.7-1 || =6.17.7-2 || =6.17.8-1 || =6.17.8-1~bpo13+1 || =6.17.9-1 || =6.18.1-1~exp1 || =6.18.10-1 || =6.18.12-1 || =6.18.12-1~bpo13+1 || =6.18.13-1 || =6.18.14-1 || =6.18.15-1 || =6.18.15-1~bpo13+1 || =6.18.2-1~exp1 || =6.18.3-1 || =6.18.5-1 || =6.18.5-1~bpo13+1 || =6.18.8-1 || =6.18.9-1 || =6.18.9-1~bpo13+1 || =6.18~rc4-1~exp1 || =6.18~rc4-1~exp2 || =6.18~rc5-1~exp1 || =6.18~rc6-1~exp1 || =6.18~rc7-1~exp1 || =6.19-1~exp1 || =6.19.2-1~exp1 || =6.19.3-1~exp1 || =6.19.4-1~exp1 || =6.19.5-1~exp1 || =6.19.6-1 || =6.19.6-2 || =6.19.6-2~bpo13+1 || =6.19.8-1~bpo13+1 || =6.19~rc4-1~exp1 || =6.19~rc5-1~exp1 || =6.19~rc6-1~exp1 || =6.19~rc7-1~exp1 || =6.19~rc8-1~exp1 || >=0 <6.19.8-1 | 6.19.8-1 |
debian 11 | | =5.10.103-1 || =5.10.103-1~bpo10+1 || =5.10.106-1 || =5.10.113-1 || =5.10.120-1 || =5.10.120-1~bpo10+1 || =5.10.127-1 || =5.10.127-2 || =5.10.127-2~bpo10+1 || =5.10.136-1 || =5.10.140-1 || =5.10.148-1 || =5.10.149-1 || =5.10.149-2 || =5.10.158-1 || =5.10.158-2 || =5.10.162-1 || =5.10.178-1 || =5.10.178-2 || =5.10.178-3 || =5.10.179-1 || =5.10.179-2 || =5.10.179-3 || =5.10.179-4 || =5.10.179-5 || =5.10.191-1 || =5.10.197-1 || =5.10.205-1 || =5.10.205-2 || =5.10.209-1 || =5.10.209-2 || =5.10.216-1 || =5.10.218-1 || =5.10.221-1 || =5.10.223-1 || =5.10.226-1 || =5.10.234-1 || =5.10.237-1 || =5.10.244-1 || =5.10.247-1 || =5.10.249-1 || =5.10.251-1 || =5.10.251-3 || =5.10.251-4 || =5.10.251-5 || =5.10.46-4 || =5.10.46-5 || =5.10.70-1 || =5.10.70-1~bpo10+1 || =5.10.84-1 || =5.10.92-1 || =5.10.92-1~bpo10+1 || =5.10.92-2 || >=0 <5.10.257-1 | 5.10.257-1 |
debian 12 | | =6.1.106-1 || =6.1.106-2 || =6.1.106-3 || =6.1.112-1 || =6.1.115-1 || =6.1.119-1 || =6.1.123-1 || =6.1.124-1 || =6.1.128-1 || =6.1.129-1 || =6.1.133-1 || =6.1.135-1 || =6.1.137-1 || =6.1.139-1 || =6.1.140-1 || =6.1.147-1 || =6.1.148-1 || =6.1.153-1 || =6.1.158-1 || =6.1.159-1 || =6.1.162-1 || =6.1.164-1 || =6.1.27-1 || =6.1.37-1 || =6.1.38-1 || =6.1.38-2 || =6.1.38-2~bpo11+1 || =6.1.38-3 || =6.1.38-4 || =6.1.38-4~bpo11+1 || =6.1.52-1 || =6.1.55-1 || =6.1.55-1~bpo11+1 || =6.1.64-1 || =6.1.66-1 || =6.1.67-1 || =6.1.69-1 || =6.1.69-1~bpo11+1 || =6.1.76-1 || =6.1.76-1~bpo11+1 || =6.1.82-1 || =6.1.85-1 || =6.1.90-1 || =6.1.90-1~bpo11+1 || =6.1.94-1 || =6.1.94-1~bpo11+1 || =6.1.98-1 || =6.1.99-1 || >=0 <6.1.170-1 | 6.1.170-1 |
rpm rhel10 | | - | - |
rpm rhel9 | | - | - |
rpm rhel8 | | - | - |
debian 11 | | =6.1.106-3~deb11u1 || =6.1.106-3~deb11u2 || =6.1.106-3~deb11u3 || =6.1.112-1~deb11u1 || =6.1.119-1~deb11u1 || =6.1.128-1~deb11u1 || =6.1.129-1~deb11u1 || =6.1.137-1~deb11u1 || =6.1.140-1~deb11u1 || =6.1.147-1~deb11u1 || =6.1.148-1~deb11u1 || =6.1.153-1~deb11u1 || =6.1.158-1~deb11u1 || =6.1.159-1~deb11u1 || =6.1.162-1~deb11u1 || =6.1.164-1~deb11u1 || >=0 <6.1.170-1~deb11u1 | 6.1.170-1~deb11u1 |
