Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's scheduling component, specifically the Stochastic Fairness Queueing (SFQ) scheduler, has been addressed. The SFQ scheduler accepted a packet limit of one, a value that the iproute2 tool recognized as problematic. This discrepancy led to a crash reported by syzkaller, in which an out-of-bounds array access occurred. The issue is triggered when the SFQ limit is set to one, which causes the scheduler to mismanage its packet queues, particularly when combined with other traffic control settings.
Exploitation of this vulnerability could lead to a kernel crash, caused by an out-of-bounds array access that disrupts normal operations.
The vulnerability can be reproduced by setting the SFQ limit to one and then sending packets through a Traffic Control (TC) queue that exceeds this limit. This scenario causes the SFQ scheduler to drop packets incorrectly, leading to an underflow and out-of-bounds access when the scheduler attempts to process the queue.
Users can avoid this vulnerability by ensuring that the SFQ packet limit is set to a value greater than one.
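To check a host against the advice above, the following added example (not part of the original advisory or the kernel project) scans the text output of `tc qdisc show` for SFQ qdiscs whose limit is not greater than one. The function names and the sample output are constructed for illustration, and the parser assumes the plain-text `limit Np` format rather than `tc -j` JSON.

```shell
#!/bin/sh
# Added example: audit `tc qdisc show` output for SFQ qdiscs with limit <= 1.

# Reads `tc qdisc show` text on stdin. Prints "<dev> <handle> limit=<n>" for
# each SFQ qdisc whose packet limit is not greater than one.
# Returns 1 if any such qdisc was found, 0 otherwise.
audit_sfq_limits() {
    awk '
        $1 == "qdisc" && $2 == "sfq" {
            dev = "?"; limit = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "dev")   dev = $(i + 1)
                if ($i == "limit") { limit = $(i + 1); sub(/p$/, "", limit) }
            }
            if (limit != "" && limit + 0 <= 1) {
                printf "%s %s limit=%s\n", dev, $3, limit
                bad = 1
            }
        }
        END { exit (bad + 0) }
    '
}

# Constructed sample (not captured from a real host): one SFQ qdisc with a
# normal limit on eth0, and one with limit 1 attached under a TBF on dummy0.
sample_tc_output() {
    cat <<'EOF'
qdisc noqueue 0: dev lo root refcnt 2
qdisc sfq 8001: dev eth0 root refcnt 2 limit 127p quantum 1514b depth 127 divisor 1024 perturb 10sec
qdisc tbf 1: dev dummy0 root refcnt 2 rate 8bit burst 100b lat 1s
qdisc sfq 2: dev dummy0 parent 1: limit 1p quantum 1514b depth 1 divisor 1024
EOF
}

# Live use: pass --live to audit the qdiscs configured on this host.
if [ "${1:-}" = "--live" ]; then
    tc qdisc show | audit_sfq_limits
fi
```

A non-zero exit status from `audit_sfq_limits` means at least one SFQ qdisc needs its limit raised above one.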