CVE-2023-1281: Use After Free Vulnerability in Linux Kernel Traffic Control Index Filter (tcindex) Allows Privilege Escalation

A recently discovered Use After Free vulnerability (CVE-2023-1281) has been found in the Linux kernel's traffic control index filter (tcindex). This vulnerability affects Linux Kernel versions 4.14 and earlier, prior to the git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2. A local attacker can exploit this vulnerability to increase their privileges to the root level, which could lead to unauthorized access and control over the affected system.

Details

The issue lies within the "imperfect hash area" of the tcindex, which can be updated while packets are in the process of traversing. When the 'tcf_exts_exec()' function is executed, it causes a use-after-free scenario with the destroyed tcf_ext, which in turn, allows for privilege escalation.

Here's a code snippet showcasing the vulnerability

int tcindex_classify(struct sk_buff *skb, const struct tcf_proto *tp, struct tcf_result *res)
{
    struct tcindex_data *p = (struct tcindex_data *)rtnl_dereference(tp->root);
    struct tcindex_filter_result *f;
    struct tcf_exts e;
    u16 h;
    int r;

    h = tcindex_hash(p, skb);
    f = rtnl_dereference(p->perfect);
    tcf_exts_init(&e, NULL, NULL);

    if (!f || h >= p->alloc_hash) {
        f = tcindex_lookup_imperfect(p, h);
    } else {
        f = &f[h];
    }

    spin_lock(&p->lock);
    if (f && f->res.class) {
        *res = f->res;
        tcf_exts_copy_stats(&e, &f->exts);
    }
    spin_unlock(&p->lock);

    r = tcf_exts_exec(skb, &e, res);
    tcf_exts_destroy(&e);

    return r;
}

The problematic section in this code lies in the execution of the 'tcf_exts_exec()' function, which does not take into account the possibility of a destroyed 'tcf_ext'. This allows an attacker to potentially exploit this situation to achieve privilege escalation.

References

- Original Git Commit containing the fix for this vulnerability: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ee059170b1f7e94e55fa6cadee544e176a6e59c2
- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1281

Exploit Details

To exploit this vulnerability, the attacker must have local access to the target system and be able to run malicious code. The attacker can craft a packet that triggers the use-after-free scenario when executing the 'tcf_exts_exec()' function. Once the attacker has successfully exploited this vulnerability, they will have gained root-level privileges on the target system.

Mitigation

To mitigate this vulnerability, users should ensure their Linux kernels are up to date and patched with the latest security fixes. In this specific case, users should update their kernels to a version that includes the git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.

Timeline

Published on: 03/22/2023 14:15:00 UTC
Last modified on: 05/03/2023 14:15:00 UTC