Linux Kernel Fair Queue Scheduler Integer Overflow Vulnerability

Vulnerability

A vulnerability in the Linux kernel's Fair Queue (sch_fq) scheduler can lead to a signed integer overflow in the 'credit' variable. This issue occurs when the 'initial quantum' setting is configured with values greater than INT_MAX. The overflow causes 'credit' to assume a very negative value, which can trigger CPU soft-lockup warnings. Although this does not create an infinite loop, it disrupts normal scheduling by improperly reducing 'credit' by approximately 2GB for each new flow. The vulnerability has been addressed by capping the 'initial quantum' value to INT_MAX.

Impact

Exploitation of this vulnerability causes a CPU soft-lockup, where the system becomes unresponsive due to excessive processing on the CPU, disrupting normal operations and potentially leading to a system hang.

Reproduction

To reproduce this vulnerability, configure the Fair Queue scheduler with an 'initial quantum' value greater than INT_MAX. This can be done using the Traffic Control (tc) command. After applying the configuration, the syzkaller script will trigger the CPU soft-lockup warning, indicating that the vulnerability is active.

Remediation

The vulnerability has been fixed in the Linux kernel by adding validation to ensure that the 'initial quantum' value does not exceed INT_MAX. Users should update to the latest version of the Linux kernel where this fix has been applied.
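The arithmetic behind the overflow and the cap, as a user-space model added here for illustration; it is not kernel code and not part of the original advisory. The function names, the refill loop (a simplified assumption that non-positive credit is topped up by one quantum per pass) and the sample quantum of 3028 bytes are all assumptions.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Unpatched model: an unsigned 32-bit setting is stored in a signed credit.
 * Values above INT_MAX wrap negative (implementation-defined conversion;
 * gcc and clang wrap modulo 2^32). */
static int32_t credit_unchecked(uint32_t initial_quantum)
{
    return (int32_t)initial_quantum;
}

/* Fixed model: cap the setting to INT_MAX before it becomes a credit. */
static int32_t credit_capped(uint32_t initial_quantum)
{
    if (initial_quantum > (uint32_t)INT_MAX)
        initial_quantum = (uint32_t)INT_MAX;
    return (int32_t)initial_quantum;
}

/* Assumed, simplified refill model: count the passes needed before a flow's
 * credit becomes positive when each pass adds one quantum. Finite, but huge
 * when credit starts near INT_MIN. */
static uint64_t refill_rounds(int32_t credit, uint32_t quantum)
{
    int64_t c = credit;
    uint64_t rounds = 0;

    if (quantum == 0)
        return UINT64_MAX;      /* would never recover */
    while (c <= 0) {
        c += quantum;
        rounds++;
    }
    return rounds;
}

int main(void)
{
    uint32_t bad = (uint32_t)INT_MAX + 1u;   /* constructed sample setting */
    uint32_t quantum = 3028u;                /* constructed sample quantum */

    printf("unchecked credit: %d, rounds: %llu\n", credit_unchecked(bad),
           (unsigned long long)refill_rounds(credit_unchecked(bad), quantum));
    printf("capped credit:    %d, rounds: %llu\n", credit_capped(bad),
           (unsigned long long)refill_rounds(credit_capped(bad), quantum));
    return 0;
}
```

In this model the worst case is the value just above INT_MAX: it yields the most negative credit, while 0xFFFFFFFF wraps to only -1.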

Added: Oct 7, 2025, 5:55 PM
Updated: Oct 7, 2025, 5:55 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.9
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.