Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's sch_cake scheduler has been fixed. The per-host bulk flow counters could underflow, and the underflow led to an out-of-bounds memory access. The cause was a logic error in how the counters were managed, which syzbot was able to trigger. The fix adds bounds checks to the bulk flow fairness counts: all accesses to the per-host bulk flow counters have been refactored into a series of helper functions that perform bounds-checking before any modification. This corrects the logic error and also improves readability, because the conditional checks now live in the helper functions instead of being scattered through the code. As part of the change, the flow quantum calculation has been streamlined. The one visible side effect is that the maximum packet size that can be sent while a flow remains sparse will now vary by plus or minus one byte in some cases, which is not expected to have a significant practical impact.
Exploitation of this vulnerability could lead to out-of-bounds memory access, potentially causing memory corruption or allowing for arbitrary code execution.
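The unchecked counter pattern beside the bounds-checked helper pattern described above, as an added user-space model that is not the kernel's sch_cake code. The names (host_state, quantum_table, MAX_FLOWS, the helper functions) and the use of the counter as a table index are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_FLOWS 1024 /* constructed limit for this model */

/* Assumed consumer of the counter: a table with valid indices 0..MAX_FLOWS. */
uint16_t quantum_table[MAX_FLOWS + 1];

struct host_state {
    uint16_t bulk_flow_count; /* unsigned, so 0 - 1 wraps to 65535 */
};

/* Unchecked pattern: relies on every caller keeping inc/dec balanced. */
uint16_t dec_unchecked(struct host_state *h)
{
    return --h->bulk_flow_count;
}

/* Checked helpers: refuse any change that would leave the valid range. */
bool dec_checked(struct host_state *h)
{
    if (h->bulk_flow_count == 0)
        return false;
    h->bulk_flow_count--;
    return true;
}

bool inc_checked(struct host_state *h)
{
    if (h->bulk_flow_count >= MAX_FLOWS)
        return false;
    h->bulk_flow_count++;
    return true;
}

/* True when the counter can be used as an index into quantum_table. */
bool index_is_safe(const struct host_state *h)
{
    return h->bulk_flow_count < sizeof(quantum_table) / sizeof(quantum_table[0]);
}

int main(void)
{
    struct host_state bad = {0}, good = {0};
    unsigned wrapped = dec_unchecked(&bad);
    bool changed = dec_checked(&good);
    printf("unchecked: count=%u safe=%d\n", wrapped, index_is_safe(&bad));
    printf("checked: changed=%d count=%u safe=%d\n", changed,
           (unsigned)good.bulk_flow_count, index_is_safe(&good));
    return 0;
}
```

With the checked helpers, an unbalanced decrement becomes a refused operation and the counter stays usable as an index, so a remaining accounting bug can no longer turn into an out-of-range access.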