CVE CyberSecurity Database News

CVE-2023-23454 - How a Linux Kernel Type Confusion Bug Can Crash Your System

Poster -

*Posted: June 2024*

A serious vulnerability named CVE-2023-23454 was found in the Linux kernel. Anyone running Linux version 6.1.4 or earlier is at risk. This bug, deep within the kernel’s network code, allows attackers to crash your system with a specially-crafted network packet. That means: an attacker on your network could shut down your server with almost no warning.

Let’s break down what went wrong, how attackers can use it, and what you can do to protect your machines.

What’s the Problem?

The bug lives in the Linux kernel’s *Class-Based Queuing* (CBQ) network scheduler. This code helps organize and prioritize network traffic. The function with the problem is called cbq_classify:

int cbq_classify(struct sk_buff *skb, const struct tcf_proto *tp, struct tcf_result *res)
{
    int ret;

    ret = tp->ops->classify(skb, tp, res); // This can return a non-negative integer

    // ... code continues ...
    if (ret == TC_ACT_SHOT) {
        // Handle packet drop
    }
    // ... more code ...
    return ret;
}

Here’s the issue: The handler expects classify to return certain small negative numbers (known as TC_ACT_* constants), like TC_ACT_SHOT, to signal special things (like “drop this packet!”). But sometimes, it can return a non-negative number—which looks like a valid class ID, but is actually supposed to mean, “drop this packet.”

Type confusion here means the code confuses a class ID for an action, and vice-versa. The result? The function uses the wrong value, and can read or write memory it shouldn’t, leading to a slab-out-of-bounds access.

What’s a Slab-Out-of-Bounds Read?

Linux uses “slab allocation” to manage small pieces of memory. A slab-out-of-bounds read means the kernel reads past the “edge” of an allocated object. In worst cases, this can leak sensitive data, but more often (as here), it just crashes the kernel with a nasty error—causing a Denial of Service (DoS).

Attacker sends a crafted packet over the network.

2. The packet triggers the CBQ scheduler to process it with an unexpected class ID/action code.

The kernel crashes—system stops responding or reboots.

The only requirement is that the target server has CBQ scheduling enabled (which many firewalls, routers, and some servers do by default).

Example Exploit Code

Below is example Python code (for research/education) that demonstrates sending packets which might trigger the bug on a vulnerable system. Use at your own risk!

# You must have scapy and root privileges to run this.
from scapy.all import *
import socket

def send_cbq_test(target_ip, iface):
    # This just sends many packets rapidly. Real exploit needs to shape traffic to trigger cbq.
    pkt = IP(dst=target_ip)/UDP(dport=9999, sport=5555)/Raw(load="A"*100)
    sendp(Ether()/pkt, iface=iface, count=100)

if __name__ == "__main__":
    send_cbq_test("192.168.1.1", "eth")

A well-crafted exploit does more—setting up classification rules that confuse the kernel—but this shows the basics.

How Was It Found?

The bug was first discovered here on the kernel mailing list. You can also see details at the official CVE entry.

Key quote from the kernel patch notes:

> “... The return value from ->classify() may be TYPECONFUSION: sometimes TC_ACT_SHOT, but sometimes a non-negative ‘classid’. This can confuse later logic, causing a slab-out-of-bounds read ...”

Am I Vulnerable?

If you use Linux v6.1.4 or earlier, and have CBQ scheduling enabled (check with tc qdisc show), you are at risk. Many distributions have patched this vulnerability, but check your kernel version!

How Do I Fix This?

Upgrade your kernel. Official fixes landed upstream in Linux 6.1.5 and 6.2. If you can’t upgrade, disable the CBQ scheduler on all interfaces:

# For each network interface (replace eth with your real iface)
sudo tc qdisc del dev eth root cbq

References

- Linux Kernel Patch – sch_cbq.c fix
- CVE-2023-23454 in MITRE
- Original Mailing List Report

Final Thoughts

Security on Linux isn’t just about locked doors—it’s about understanding the assumptions our software makes. CVE-2023-23454 is a prime lesson: even “trusted” code deep in the kernel can slip up. If you run Linux servers, patch early and patch often!

Timeline

Published on: 01/12/2023 07:15:00 UTC
Last modified on: 03/03/2023 01:15:00 UTC