Linux Kernel NULL Pointer Dereference Vulnerability in Traffic Control Action Handling

Vulnerability

A bug in the Linux kernel's traffic control (tc) subsystem leads to a NULL pointer dereference. It sits in net/sched/cls_api.c, the classifier API shared by the tc classifiers, where tcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic(). xa_alloc_cyclic() returns 1 when the allocation succeeded but the cyclic ID cursor had to wrap around; the code checked for any non-zero return value, so this success value was handled as an error. The error path tears down the extension's action table (leaving its actions pointer NULL) yet passes the positive value back up, and the caller, which treats only negative values as errors, goes on to call tcf_action_init() on that NULL pointer and crashes the kernel. The bug was observed on kernel 5.14.0-503.16.1.el9_5.x86_64 (a RHEL 9.5 kernel build).

Impact

Triggering the bug causes a kernel NULL pointer dereference in tcf_action_init() and crashes the system: a denial of service. Adding a tc filter over rtnetlink requires CAP_NET_ADMIN in the network namespace concerned, so the condition is reachable by a suitably privileged local user, not remotely.

Reproduction

The bug is reached through the cls_flower classifier: fl_change() initialises a new filter's extensions, which calls tcf_exts_miss_cookie_base_alloc(). The miss-cookie base is allocated cyclically, so the allocator reports a wrap (return value 1) only once its cursor has run past the end of its range and restarted from the bottom, which takes many allocations. When that happens, the check treats the 1 as a failure: the error path frees the action table, sets the actions pointer to NULL and returns 1. fl_change() checks only for negative return values, so it takes the 1 as success, proceeds to validate the filter's actions, and tcf_action_init() dereferences the NULL actions pointer, crashing the kernel.
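As an added illustration (not code from this page or from the kernel), the userspace C model below reproduces the error-handling chain described in the Vulnerability and Reproduction sections: a cyclic allocator with xa_alloc_cyclic()'s return convention, the pre-fix check beside the corrected one, and a caller that, like fl_change(), treats only negative values as errors. The ID range, the struct and function names (exts_model, exts_init, fl_change_model, add_filter) and the -EFAULT stand-in for the crash are assumptions of the model, not kernel identifiers.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for xa_alloc_cyclic() on the miss-cookie xarray, same convention:
 * 0 = allocated at/above the cursor, 1 = allocated only after wrapping back to
 * ID_MIN (still a success), <0 = error (-EBUSY when every ID is taken). */
#define ID_MIN 1
#define ID_MAX 7                       /* tiny on purpose: wraps after 7 allocations */
#define ID_RANGE (ID_MAX - ID_MIN + 1)
#define NACTIONS 4                     /* stands in for TCA_ACT_MAX_PRIO */
static bool id_used[ID_MAX + 1];
static unsigned int id_next = ID_MIN;  /* the cyclic cursor */

static int cyclic_alloc(unsigned int *id)
{
    for (unsigned int n = 0; n < ID_RANGE; n++) {
        unsigned int cand = id_next + n;
        bool wrapped = cand > ID_MAX;  /* fell off the top: restart at ID_MIN */
        if (wrapped)
            cand -= ID_RANGE;
        if (!id_used[cand]) {
            id_used[cand] = true;
            id_next = cand + 1;
            *id = cand;
            return wrapped ? 1 : 0;
        }
    }
    return -EBUSY;
}

struct exts_model {                    /* the tcf_exts fields that matter here */
    void **actions;                    /* action table; NULL after the error path */
    unsigned int miss_cookie_base;
};

/* Shape of tcf_exts_miss_cookie_base_alloc() + tcf_exts_init_ex(); 'fixed'
 * selects the pre-fix check (err != 0) or the corrected check (err < 0). */
static int exts_init(struct exts_model *exts, bool fixed)
{
    exts->actions = calloc(NACTIONS, sizeof(*exts->actions));
    if (!exts->actions)
        return -ENOMEM;
    int err = cyclic_alloc(&exts->miss_cookie_base);
    if (fixed ? (err < 0) : (err != 0)) {
        free(exts->actions);           /* tcf_exts_destroy() */
        exts->actions = NULL;
        return err;                    /* pre-fix: the 1 travels upwards */
    }
    return 0;
}

/* Shape of fl_change(): only negative returns are errors, so a leaked 1 counts
 * as success and the table goes to tcf_action_init(); the model reports the
 * would-be NULL dereference instead of crashing. */
static int fl_change_model(struct exts_model *exts, bool fixed, bool *null_deref)
{
    int err = exts_init(exts, fixed);
    *null_deref = false;
    if (err < 0)
        return err;
    if (!exts->actions) {
        *null_deref = true;            /* kernel: oops in tcf_action_init() */
        return -EFAULT;                /* hypothetical stand-in for the crash */
    }
    exts->actions[0] = NULL;           /* tcf_action_init() writes into the table */
    return 0;
}

/* Add one flower-style filter on a fresh allocator, or after filling the ID
 * range and deleting one earlier filter so the next allocation must wrap. */
static int add_filter(bool after_wrap, bool fixed, bool *null_deref)
{
    struct exts_model exts = { 0 };
    unsigned int id;
    memset(id_used, 0, sizeof(id_used));   /* fresh allocator for each run */
    id_next = ID_MIN;
    if (after_wrap) {
        for (unsigned int i = ID_MIN; i <= ID_MAX; i++)
            if (cyclic_alloc(&id) != 0)
                return -EIO;           /* model inconsistency, not expected */
        id_used[ID_MIN + 2] = false;   /* delete an earlier filter: frees its cookie base */
    }
    int err = fl_change_model(&exts, fixed, null_deref);
    free(exts.actions);                /* free(NULL) is fine */
    return err;
}

int main(void)
{
    bool deref;
    int err = add_filter(true, false, &deref);
    printf("pre-fix, after wrap: err=%d, NULL dereference=%s\n", err, deref ? "yes" : "no");
    err = add_filter(true, true, &deref);
    printf("fixed,   after wrap: err=%d, NULL dereference=%s\n", err, deref ? "yes" : "no");
    return 0;
}
```

Before the cursor wraps both variants behave identically, which is why the bug stays latent until the cookie-base range has been cycled once. After the wrap, the pre-fix check turns a successful allocation into a torn-down action table and a positive return that the caller accepts; the corrected check (errors are negative only) keeps the table and returns 0.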

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread          9.0
impact          2.5
exploitability  5.7
remediation     0.0
relevance       0.0
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.