Linux Kernel Out-of-Bounds Write Vulnerability in Net Scheduling Component Allowing Privilege Escalation

Vulnerability

A heap-based out-of-bounds write vulnerability has been identified in the Linux kernel's net scheduling component, specifically in the 'cls_tcindex' traffic control classifier. The vulnerability, present in kernel versions through 5.5.13, was introduced by a commit that mishandled the allocation size of the hash tables used for packet filtering. The flaw allows an attacker to manipulate the hash table size and trigger an out-of-bounds write, which can be used to overwrite critical kernel data such as the 'addr_limit' field of the 'task_struct' structure, the field that governs which memory range a task is permitted to access. Exploitation can therefore yield unauthorized access to kernel memory and, ultimately, privilege escalation: by modifying kernel parameters the attacker can execute arbitrary code as root.

Impact

Exploitation of this vulnerability yields a heap-based out-of-bounds write that can be leveraged to gain unauthorized access to kernel memory. That access can be used to overwrite critical data structures such as 'task_struct', enabling privilege escalation by manipulating kernel parameters to execute arbitrary code with root privileges.

Reproduction

The vulnerability can be reproduced by creating a Netlink socket and installing a queuing discipline (qdisc) on a network interface. During this process an explicit hash table size is set and then updated to a smaller size, which triggers the out-of-bounds write. The steps can be automated with a C program, including the allocation of a placeholder object that positions the vulnerable array adjacent to a 'task_struct' slab, so that the out-of-bounds write lands on the 'addr_limit' field used for privilege escalation.

Remediation

Upgrade to a Linux kernel version that includes the fix, that is, 5.6 or later, where this vulnerability has been addressed.
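As an added example, not part of this advisory, the following shell check screens a host for the two conditions the entry describes: a kernel older than the 5.6 fix and the presence of the cls_tcindex classifier. The file paths and the CONFIG_NET_CLS_TCINDEX symbol are standard Linux locations assumed by the example, not values taken from the page.

```shell
#!/bin/sh
# Added host check, not from the advisory: does the running kernel predate the
# 5.6 fix for the cls_tcindex out-of-bounds write, and is the affected classifier
# available here? Paths and CONFIG_NET_CLS_TCINDEX are standard Linux locations
# assumed by this example, not taken from the page.

# True (exit 0) when kernel release string $1 is older than 5.6. Only major.minor
# matter for this advisory; suffixes such as "-150-generic" or "-rc1" are ignored.
kernel_predates_fix() {
    major=$(printf '%s' "$1" | cut -d. -f1 | sed 's/[^0-9].*//')
    case "$1" in
        *.*) minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//') ;;
        *)   minor=0 ;;
    esac
    if [ "${major:-0}" -lt 5 ]; then
        return 0
    elif [ "${major:-0}" -eq 5 ] && [ "${minor:-0}" -lt 6 ]; then
        return 0
    fi
    return 1
}

# True when cls_tcindex is loaded, built in, or buildable as a module. A loadable
# module still counts: the kernel autoloads it on first use of a tcindex filter.
cls_tcindex_present() {
    [ -d /sys/module/cls_tcindex ] && return 0
    grep -q '^cls_tcindex ' /proc/modules 2>/dev/null && return 0
    cfg="/boot/config-$(uname -r)"
    [ -r "$cfg" ] && grep -q '^CONFIG_NET_CLS_TCINDEX=[ym]' "$cfg" && return 0
    return 1
}

# Verdict for this host. The version test is only a screen: distribution kernels
# often backport fixes without bumping major.minor, so confirm "predates fix"
# against your vendor's advisory before acting on it.
report() {
    running=$(uname -r)
    kernel_predates_fix "$running" && echo "kernel $running predates the 5.6 fix" \
        || echo "kernel $running is 5.6 or later"
    cls_tcindex_present && echo "cls_tcindex is available on this host" \
        || echo "cls_tcindex not found as module, built-in, or config option"
}

report
```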

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.