A use-after-free vulnerability (CVE-2023-4921) in the Linux kernel's net/sched: sch_qfq component can be exploited for local privilege escalation. When the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers a use-after-free in qfq_dequeue(). The root cause is twofold: sch_plug registered a .peek handler that is wrong for a non-work-conserving qdisc, and agg_dequeue() in sch_qfq did not check the result of the dequeue it performed. Upgrade past commit 8fc134fee27f2263988ae38920bc03da416b03d8, which fixes both.

Code Snippet

qfq_dequeue() works in two steps: it first peeks the selected class's child qdisc to learn the length of the next packet, then agg_dequeue() calls qdisc_dequeue_peeked() to actually take that packet. This only works if the child's .peek and .dequeue agree on what the next packet is. The following abridged excerpts, as they stood before the fix commit, show the .peek handler sch_plug registered and the missing return-value check in agg_dequeue():

// net/sched/sch_plug.c
static struct Qdisc_ops plug_qdisc_ops __read_mostly = {
    .id          =       "plug",
    .priv_size   =       sizeof(struct plug_sched_data),
    .enqueue     =       plug_enqueue,
    .dequeue     =       plug_dequeue,
    .peek        =       qdisc_peek_head,   // reports the queue head even while plugged
    .init        =       plug_init,
    ...
};

// net/sched/sch_qfq.c
static inline struct sk_buff *agg_dequeue(struct qfq_aggregate *agg,
                                          struct qfq_class *cl, unsigned int len)
{
    struct sk_buff *skb = qdisc_dequeue_peeked(cl->qdisc);

    // no check that skb != NULL before the class state is updated
    cl->deficit -= (int) len;

    if (cl->qdisc->q.qlen == 0) /* no more packets, remove from list */
        list_del_init(&cl->alist);
    else if (cl->deficit < qdisc_pkt_len(cl->qdisc->ops->peek(cl->qdisc))) {
        cl->deficit += agg->lmax;
        list_move_tail(&cl->alist, &agg->active);
    }

    return skb;
}

qdisc_peek_head() simply returns the head of the child's queue without going through .dequeue. For sch_plug, whose .dequeue returns NULL while the plug is closed, this means the parent is told a packet is available, obtains its length, and then gets NULL back from qdisc_dequeue_peeked(); agg_dequeue() returned that NULL to qfq_dequeue(), which continued as if it held the packet it had peeked. The fix does two things: sch_plug's .peek becomes qdisc_peek_dequeued(), the helper intended for non-work-conserving qdiscs (it dequeues the packet and parks it until the next dequeue), and sch_qfq checks the return value of qdisc_dequeue_peeked() and bails out with NULL instead of proceeding.
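To make the contract concrete, here is an added userland model of the peek/dequeue interaction; it is example code, not kernel code or code from the fix. struct skb, struct qdisc, the plug child and the parent scheduler are simplified stand-ins for sk_buff, Qdisc, sch_plug and sch_qfq, and peek_head(), peek_dequeued() and dequeue_peeked() mirror the kernel helpers qdisc_peek_head(), qdisc_peek_dequeued() and qdisc_dequeue_peeked(). The single 84-byte packet is a constructed input standing in for the ping from the reproducer.

```c
/* Added example (not kernel code): userland model of the qdisc peek/dequeue
 * contract that CVE-2023-4921 violated. All types and helpers are simplified
 * stand-ins for the kernel's sk_buff, Qdisc, sch_plug and sch_qfq. */
#include <stdbool.h>
#include <stddef.h>

struct skb { unsigned int len; struct skb *next; };

struct qdisc {
    struct skb *head;                    /* models sch->q */
    struct skb *peeked;                  /* models sch->gso_skb */
    unsigned int qlen;                   /* models sch->q.qlen */
    bool throttled;                      /* sch_plug: plugged => nothing leaves */
    struct skb *(*peek)(struct qdisc *); /* the .peek handler under test */
};

static struct skb *queue_pop(struct qdisc *q)
{
    struct skb *s = q->head;
    if (s) { q->head = s->next; q->qlen--; }
    return s;
}

/* sch_plug's .dequeue is non-work-conserving: NULL while plugged. */
static struct skb *plug_dequeue(struct qdisc *q)
{
    return q->throttled ? NULL : queue_pop(q);
}

/* Models qdisc_peek_head(): reports the queue head without consulting
 * .dequeue, so a plugged child promises a packet it will not release. */
static struct skb *peek_head(struct qdisc *q)
{
    return q->head;
}

/* Models qdisc_peek_dequeued(): really dequeues and parks the packet, so
 * peek and the following dequeue agree even for a non-work-conserving child. */
static struct skb *peek_dequeued(struct qdisc *q)
{
    if (!q->peeked) {
        q->peeked = plug_dequeue(q);
        if (q->peeked) q->qlen++;        /* parked packet still counts as queued */
    }
    return q->peeked;
}

/* Models qdisc_dequeue_peeked(): hand out the parked packet, else .dequeue. */
static struct skb *dequeue_peeked(struct qdisc *q)
{
    struct skb *s = q->peeked;
    if (s) { q->peeked = NULL; q->qlen--; return s; }
    return plug_dequeue(q);
}

enum outcome { DEQ_EMPTY = 0, DEQ_OK = 1, DEQ_STALE = -1 };

/* Parent scheduler (qfq-like): peek to learn the length, then dequeue.
 * check_null models the NULL check the fix adds after qdisc_dequeue_peeked().
 * Without it the parent carries on with a packet it never obtained
 * (DEQ_STALE), which is the state the unpatched qfq path ended up in. */
static enum outcome parent_dequeue(struct qdisc *child, bool check_null,
                                   unsigned int *len_out)
{
    struct skb *p = child->peek(child);
    struct skb *s;

    if (!p)
        return DEQ_EMPTY;
    *len_out = p->len;                   /* length taken from the peeked packet */
    s = dequeue_peeked(child);
    if (!s)
        return check_null ? DEQ_EMPTY : DEQ_STALE;
    return DEQ_OK;
}

struct sample { struct skb pkt; struct qdisc q; };

/* Constructed input: one 84-byte packet (an ICMP echo) queued in a plug. */
static void sample_init(struct sample *s, bool throttled, bool fixed_peek)
{
    s->pkt.len = 84;
    s->pkt.next = NULL;
    s->q.head = &s->pkt;
    s->q.peeked = NULL;
    s->q.qlen = 1;
    s->q.throttled = throttled;
    s->q.peek = fixed_peek ? peek_dequeued : peek_head;
}

static enum outcome run(bool throttled, bool fixed_peek, bool check_null)
{
    struct sample s;
    unsigned int len = 0;
    sample_init(&s, throttled, fixed_peek);
    return parent_dequeue(&s.q, check_null, &len);
}

/* qlen after a full peek_dequeued()/dequeue_peeked() round on a fixed plug. */
static unsigned int qlen_after_round(bool throttled)
{
    struct sample s;
    sample_init(&s, throttled, true);
    peek_dequeued(&s.q);
    dequeue_peeked(&s.q);
    return s.q.qlen;
}

int main(void)
{
    /* Plugged child, old peek handler, no NULL check: the vulnerable combination. */
    return run(true, false, false) == DEQ_STALE ? 0 : 1;
}
```

The four combinations worth comparing are: plugged child with peek_head() and no check (the vulnerable state, DEQ_STALE), the same with the check (DEQ_EMPTY), plugged child with peek_dequeued() (peek itself returns NULL, so the parent never sees a mismatch), and an open plug with either handler (DEQ_OK). Either half of the fix on its own already prevents the stale path in this model; the commit applied both.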

Exploit Details

Triggering the bug requires a qfq qdisc with a plug qdisc attached as one of its classes, traffic steered into that class, and the plug in its default (closed) state, so that the parent's peek reports a packet that the plug's dequeue then refuses to release. The fix commit's message contains a reproducer along exactly these lines: a qfq root qdisc on lo, one qfq class, a plug qdisc as that class's child, a basic filter directing traffic into the class, and a single ping to 127.0.0.1, which produced a KASAN slab-use-after-free report in qfq_dequeue(). Setting up qdiscs needs CAP_NET_ADMIN over the network namespace; on systems that allow unprivileged user namespaces, an unprivileged local user can obtain that capability in a namespace of their own, which is why this counts as a local privilege escalation rather than a root-only crash.

References

1. Linux kernel source code for sch_qfq (net/sched/sch_qfq.c)
2. Linux kernel source code for sch_plug (net/sched/sch_plug.c)
3. The commit fixing the vulnerability, 8fc134fee27f2263988ae38920bc03da416b03d8 ("net/sched: sch_qfq: Fix UAF in qfq_dequeue()")

Mitigation

To protect against this vulnerability, upgrade the Linux kernel past commit 8fc134fee27f2263988ae38920bc03da416b03d8; the fix has been carried into the stable series, so check your distribution's advisory for the first patched package version. Where an immediate kernel update is not possible, the attack surface can be reduced by restricting unprivileged user namespace creation (for example via the kernel.unprivileged_userns_clone or user.max_user_namespaces sysctl, depending on the distribution), since that is the usual way an unprivileged local user obtains the CAP_NET_ADMIN needed to build the qfq/plug hierarchy; this is a workaround, not a fix, and does not help if the attacker already holds CAP_NET_ADMIN.

Conclusion

CVE-2023-4921 is a reminder that qdisc handlers form an interface with a contract: a .peek must return exactly what the next .dequeue will, and callers must not assume a dequeue succeeds just because a peek did. The plug qdisc broke the first rule and sch_qfq relied on it without checking, and the combination turned a packet-scheduling edge case into a memory-safety bug. Understanding that interaction, and running a kernel that includes the fix, is what closes this issue.

Timeline

Published on: 09/12/2023 20:15:10 UTC
Last modified on: 10/29/2023 02:39:14 UTC