Linux Kernel SFB Scheduler Null Pointer Dereference Vulnerability

Vulnerability

A null pointer dereference vulnerability has been identified in the Linux kernel's SFB (Stochastic Fairness Queueing) scheduler. The issue arises when the default queuing discipline (qdisc) is set to SFB and the qdisc of a device queue fails to initialize during 'mqprio_init()'. On that failure path 'sfb_reset()' is called to clear resources, but because q->qdisc is still NULL at this point, the reset dereferences a null pointer and triggers a general protection fault (GPF). The vulnerability has been addressed in upstream commits.

Impact

Triggering this vulnerability dereferences a null pointer in the SFB reset path, which the kernel reports as a general protection fault, likely for a non-canonical address.

Reproduction

To reproduce this vulnerability, set the default queuing discipline to SFB and arrange for the qdisc of a device queue to fail to initialize during 'mqprio_init()'. The failure path then calls 'sfb_reset()', which attempts to reset the child qdisc; since q->qdisc is NULL, this operation causes a null pointer dereference and a general protection fault.
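The bug class described in the Vulnerability and Reproduction sections above, a cleanup path that assumes initialization completed, is illustrated below with a small user-space C model. This is an added example, not kernel code and not the upstream fix; the struct names, the sfb_like_* functions, the single static child allocation and the MODEL_ENOMEM value are all hypothetical stand-ins for the kernel's qdisc objects. It contrasts the faulty reset shape (unconditional dereference of the child pointer) with a guarded reset that tolerates the partially initialized state left behind when init fails before the child is attached.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical error code standing in for the kernel's -ENOMEM. */
#define MODEL_ENOMEM 12

struct child_qdisc {
    unsigned int qlen;          /* packets held by the child qdisc */
};

struct sfb_like_qdisc {
    struct child_qdisc *qdisc;  /* child qdisc; NULL until init attaches it */
    unsigned int backlog;       /* bytes accounted by the parent */
};

/* Static storage standing in for the kernel allocator (hypothetical). */
static struct child_qdisc child_storage;

/*
 * Models the init path: the parent's own state is set up first, then the
 * child is attached. With child_alloc_fails != 0 the function returns an
 * error and leaves q->qdisc NULL, the same partially initialized state that
 * an init failure under mqprio_init() produces in the advisory.
 */
static int sfb_like_init(struct sfb_like_qdisc *q, int child_alloc_fails)
{
    q->qdisc = NULL;
    q->backlog = 0;
    if (child_alloc_fails)
        return -MODEL_ENOMEM;
    child_storage.qlen = 0;
    q->qdisc = &child_storage;
    return 0;
}

/* Models enqueue on a fully initialized instance. */
static void sfb_like_enqueue(struct sfb_like_qdisc *q, unsigned int len)
{
    q->qdisc->qlen++;
    q->backlog += len;
}

/*
 * Faulty shape: assumes init completed and dereferences q->qdisc without a
 * check. Invoked on a half-built instance this is the NULL dereference the
 * advisory describes, so it must only ever be called after a successful init.
 */
static unsigned int sfb_like_reset_unguarded(struct sfb_like_qdisc *q)
{
    unsigned int flushed = q->qdisc->qlen;
    q->qdisc->qlen = 0;
    q->backlog = 0;
    return flushed;
}

/*
 * Defensive shape: a reset/teardown path checks every pointer that a failed
 * init may have left NULL. Returns the number of child packets flushed
 * (0 when there is no child to flush).
 */
static unsigned int sfb_like_reset(struct sfb_like_qdisc *q)
{
    unsigned int flushed = 0;
    if (q->qdisc) {
        flushed = q->qdisc->qlen;
        q->qdisc->qlen = 0;
    }
    q->backlog = 0;
    return flushed;
}

/*
 * Models the caller's error path: init fails and the generic teardown still
 * invokes reset on the partially initialized object. Returns the init error.
 */
static int sfb_like_init_then_teardown(struct sfb_like_qdisc *q, int child_alloc_fails)
{
    int err = sfb_like_init(q, child_alloc_fails);
    if (err)
        sfb_like_reset(q);  /* survives only because reset is guarded */
    return err;
}

int main(void)
{
    struct sfb_like_qdisc q;
    int err = sfb_like_init_then_teardown(&q, 1);

    printf("init failed with %d, child=%p, guarded reset survived\n",
           err, (void *)q.qdisc);
    sfb_like_init(&q, 0);
    sfb_like_enqueue(&q, 1500);
    sfb_like_enqueue(&q, 64);
    printf("flushed %u packets on reset\n", sfb_like_reset(&q));
    return 0;
}
```

The point of the model is the ordering constraint: any reset or destroy routine that can be reached from an init error path must be correct for every intermediate state init can leave behind, which in practice means checking each child or resource pointer before use rather than assuming the object is complete.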

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Sep 17, 2025, 4:51 PM
Updated: Sep 17, 2025, 4:51 PM

Vulnerability Rating

Custom Algorithm
  spread          9.0
  impact          2.5
  exploitability  4.3
  remediation     7.7
  relevance       0.5
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.