Linux Kernel Privilege Escalation Vulnerability via Use-After-Free in Qdisc Management

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's network scheduling component, specifically within the management of queue disciplines (qdiscs). This vulnerability can be exploited for privilege escalation. The issue arises when a qdisc is replaced from one parent to another, allowing for manipulation of the qdisc's reference count and potentially leading to unauthorized access or privileges.

Impact

Exploitation of this vulnerability can result in unauthorized privilege escalation.

Reproduction

The vulnerability can be reproduced by creating a root qdisc and then adding classes for packet aggregation and nesting. After establishing a qdisc layout, the vulnerability is triggered by attempting to replace a qdisc's parent, which is disallowed by the patch. However, this action can still be exploited by manipulating the qdisc's reference count and class associations, ultimately leading to a use-after-free condition.

Remediation

The vulnerability has been addressed in the Linux kernel by disallowing the replacement of child qdiscs from one parent to another, preventing the exploitation of the use-after-free condition.
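The rule described above, sketched as a small user-space model (an added example, not kernel code and not the actual patch). The struct layouts, function names and handle values are assumptions made for illustration, the kernel's real reference counting is not modelled, and the old parent is assumed to keep its pointer after the move.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model: every name, field and handle value here is constructed. */
struct qdisc { uint32_t handle; uint32_t parent; bool alive; };
struct tc_class { uint32_t classid; struct qdisc *leaf; };

/* Pre-fix model: an attached qdisc may be grafted under a second parent. */
static int graft_permissive(struct tc_class *cl, struct qdisc *q)
{
    cl->leaf = q;              /* the old parent's slot is left untouched */
    q->parent = cl->classid;
    return 0;
}

/* Post-fix model: refuse to move a qdisc that already has another parent. */
static int graft_strict(struct tc_class *cl, struct qdisc *q)
{
    if (q->parent != 0 && q->parent != cl->classid)
        return -EINVAL;
    cl->leaf = q;
    q->parent = cl->classid;
    return 0;
}

/* Deleting a class destroys its leaf qdisc (modelled by clearing 'alive'). */
static void class_delete(struct tc_class *cl)
{
    if (cl->leaf) cl->leaf->alive = false;
    cl->leaf = NULL;
}

/* Same sequence with either graft; returns 1 if class b is left holding
 * a pointer to a destroyed qdisc, 0 otherwise. */
static int scenario(int (*graft)(struct tc_class *, struct qdisc *))
{
    struct qdisc q = { 0x20000, 0, true };
    struct tc_class a = { 0x10001, NULL }, b = { 0x10002, NULL };
    graft(&a, &q);
    graft(&b, &q);             /* attempt to re-parent q from a to b */
    class_delete(&a);
    return b.leaf != NULL && !b.leaf->alive;
}

int main(void)
{
    printf("stale reference: permissive=%d strict=%d\n",
           scenario(graft_permissive), scenario(graft_strict));
    return 0;
}
```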

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 7.5
exploitability: 3.8
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.