Linux Kernel NULL Pointer Dereference Vulnerability in sch_htb Component

A NULL pointer dereference vulnerability has been identified in the Linux kernel's sch_htb (Hierarchical Token Bucket) component. This issue arises from a regression introduced when making the htb_qlen_notify() function idempotent. The vulnerability occurs in the htb_next_rb_node() function, where a previously nullified pointer can lead to a dereference error. The problem is exacerbated by the htb_deactivate() function, which, despite checking the queue length, may be called multiple times under certain conditions, triggering a warning. The vulnerability can be reproduced by following the htb_dequeue_tree() process, which involves several function calls that ultimately lead to the NULL pointer dereference.

Impact

Exploitation of this vulnerability causes a NULL pointer dereference, leading to a crash of the affected component.

Reproduction

The vulnerability can be reproduced by calling the htb_dequeue_tree() function, which triggers the htb_qlen_notify() function. This, in turn, calls the htb_deactivate() function. Due to the way these functions interact, particularly after the first call to htb_deactivate(), the priority pointer can be set to NULL. When htb_next_rb_node() is subsequently called, it attempts to dereference this NULL pointer, causing a crash.

Remediation

The vulnerability has been addressed by making the htb_deactivate() function idempotent, ensuring it can be safely called multiple times without causing issues, and by modifying the htb_next_rb_node() function to safely handle cases where the pointer is NULL.