A vulnerability in the Linux kernel has been identified and resolved in the "net/sched" subsystem. The issue is a deadlock that occurs when a mirred action is attached to a classful egress qdisc and a packet is mirrored or redirected back to itself. This article covers the details of the vulnerability, shows the tc setups that trigger it, and points to the original references.

Vulnerability Details

The deadlock occurs when a packet is mirrored or redirected back to itself: the transmit path re-enters a root qdisc that is already held on the same CPU, and the kernel hangs indefinitely. The two tc setups below reproduce the problem:

1) eth to eth setup

tc qdisc add dev eth root handle 1: htb default 30
tc filter add dev eth handle 1: protocol ip prio 2 matchall \
     action mirred egress redirect dev eth

2) eth to eth1 to eth setup

tc qdisc add dev eth root handle 1: htb default 30
tc filter add dev eth handle 1: protocol ip prio 2 matchall \
     action mirred egress redirect dev eth1

tc qdisc add dev eth1 root handle 1: htb default 30
tc filter add dev eth1 handle 1: protocol ip prio 2 matchall \
     action mirred egress redirect dev eth

Solution

The fix adds an owner field (a CPU id) to struct Qdisc, which is set when the root qdisc is entered. When the same softirq enters that qdisc a second time and the owner field still matches the current CPU, the packet is dropped to break the loop.
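The following is an added userspace model of that check, not code from the kernel or from the fix itself; the struct, the lock flag, the fixed CPU id and the run_loop helper are all assumptions made for the illustration. It plays both reproducer setups through a transmit path with and without the owner check, returning a model-only WOULD_DEADLOCK value where the unpatched path would spin on its own root lock.

```c
/* Added userspace model of the owner-field fix (illustration, not kernel
 * code). Each struct is one device's root qdisc: the root lock taken on
 * entry and the new owner field (CPU id) set once it is held. A "mirred
 * egress redirect" filter is modelled as re-entering the target device's
 * transmit path from classification, while the source root lock is held. */
#include <stdbool.h>
#include <stddef.h>

#define NET_XMIT_SUCCESS  0
#define NET_XMIT_DROP     1
#define WOULD_DEADLOCK   -1  /* model-only: lock re-taken by its own holder */
#define NO_OWNER         -1

struct qdisc {
    bool root_locked;          /* root qdisc spinlock held? */
    int owner;                 /* CPU id that entered this root qdisc */
    struct qdisc *redirect_to; /* mirred redirect target, or NULL */
};

static const int this_cpu = 3; /* one softirq on one CPU, as in the setups */

static int dev_xmit(struct qdisc *q, bool owner_check)
{
    /* The fix: this CPU already owns the root qdisc it is re-entering,
     * so drop the packet instead of spinning on the held lock. */
    if (owner_check && q->owner == this_cpu)
        return NET_XMIT_DROP;
    /* Unpatched: spin_lock() on a lock this context holds never returns. */
    if (q->root_locked)
        return WOULD_DEADLOCK;
    q->root_locked = true;
    q->owner = this_cpu;
    /* Classification runs under the root lock; a mirred redirect calls
     * into the target device's transmit path from here. */
    int rc = q->redirect_to ? dev_xmit(q->redirect_to, owner_check)
                            : NET_XMIT_SUCCESS;
    q->owner = NO_OWNER;
    q->root_locked = false;
    return rc;
}

/* Sends one packet on eth. via_eth1=false is setup 1 (eth -> eth),
 * via_eth1=true is setup 2 (eth -> eth1 -> eth). */
int run_loop(bool via_eth1, bool owner_check)
{
    struct qdisc eth  = { false, NO_OWNER, NULL };
    struct qdisc eth1 = { false, NO_OWNER, &eth };
    eth.redirect_to = via_eth1 ? &eth1 : &eth;
    return dev_xmit(&eth, owner_check);
}
```

With the check enabled both setups return NET_XMIT_DROP; with it disabled both hit the already-held root lock.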

1) Linux Kernel Mailing List - The original mailing list post discussing the issue and the fix.
2) Github Commit - The commit to the Linux kernel source code where the issue has been resolved.

Exploit Details

Because this issue results in a deadlock inside the kernel, the impact is degraded performance and a potential denial of service if it is triggered by a malicious actor. It is recommended to update the Linux kernel to the latest patch level to mitigate this vulnerability.

Timeline

Published on: 05/01/2024 06:15:19 UTC
Last modified on: 12/23/2024 14:05:34 UTC