Linux Kernel RED Queue Discipline Race Condition Vulnerability

Vulnerability

A race condition has been identified in the Linux kernel's RED (Random Early Detection) queue discipline, in the path that handles a configuration change on an existing RED qdisc. When RED's child qdisc is SFQ (Stochastic Fairness Queueing) and the SFQ perturb timer fires at the wrong moment during that change, the packets still queued in the child are accounted for twice: once when RED flushes the child's backlog out of the parent's counters, and again when the timer's rehash drops the same packets and reduces the parent's counters for them. The parent's queue length (qlen) is an unsigned counter, so the second subtraction makes it underflow. A local user who can reconfigure qdiscs can provoke this deliberately by timing the change against the perturb timer.

Impact

Exploitation leaves the parent qdisc's queue-length bookkeeping out of step with the packets actually queued beneath it, which disrupts traffic scheduling and queue management on the affected interface. Reconfiguring qdiscs requires CAP_NET_ADMIN over the network namespace that owns the interface, so the race is reachable by any process holding that capability, including one inside an unprivileged user namespace with its own network namespace where such namespaces are enabled.

Reproduction

The race needs a RED qdisc with an SFQ child whose perturb timer is armed. The RED change path takes the root qdisc lock, calls qdisc_tree_flush_backlog() on the old child (which subtracts the child's qlen and backlog from the parent's counters but leaves the packets queued in the child), and releases the lock; the old child is only destroyed afterwards. If the SFQ perturb timer fires in the window after the unlock and before the child is destroyed, it takes the root lock, rehashes the flow table, drops packets that no longer fit, and calls qdisc_tree_reduce_backlog() for them, subtracting packets the flush already removed from the parent's count a second time. Because the window is small, hitting it in practice means repeating the change until the timer lands inside it.

Remediation

The fix replaces qdisc_tree_flush_backlog() with qdisc_purge_queue() in the RED change path. qdisc_purge_queue() resets the child, dropping all of its packets, and only then subtracts their count from the parent's counters, all while the root lock is still held. When the perturb timer subsequently runs, the child is empty, the rehash has nothing to drop, and no second subtraction happens. To check whether a kernel source tree carries the fix, look at net/sched/sch_red.c: a tree whose RED change path still calls qdisc_tree_flush_backlog() on the old child is unpatched.
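The following is an added user-space model of the interleaving described under Reproduction and of the fix described under Remediation; it is not kernel code and not part of this advisory. It keeps only the bookkeeping that matters (an unsigned qlen per node and the parent link), models qdisc_tree_reduce_backlog(), qdisc_tree_flush_backlog() and qdisc_purge_queue() as small functions, and replays the CPU 0 / CPU 1 ordering as a fixed sequence of calls. The 10 queued packets and the 3 packets the rehash would drop are constructed values, chosen only to make the double subtraction visible.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * User-space model (not kernel code). A qdisc tree is reduced to nodes
 * with an unsigned packet count, as q.qlen is in the kernel, and a
 * parent pointer. Byte backlog and the root lock are left out: the
 * underflow is fully explained by the packet count alone.
 */
struct qdisc {
    const char *name;
    unsigned int qlen;      /* packets currently queued at this node */
    struct qdisc *parent;
};

/* Model of qdisc_tree_reduce_backlog(): subtract n from every ancestor. */
static void tree_reduce_backlog(struct qdisc *sch, unsigned int n)
{
    for (struct qdisc *p = sch->parent; p; p = p->parent)
        p->qlen -= n;       /* unsigned arithmetic: wraps on underflow */
}

/* Model of qdisc_tree_flush_backlog(): fix up ancestors, packets stay queued. */
static void tree_flush_backlog(struct qdisc *sch)
{
    tree_reduce_backlog(sch, sch->qlen);
}

/* Model of qdisc_purge_queue(): drop the packets first, then fix up ancestors. */
static void purge_queue(struct qdisc *sch)
{
    unsigned int qlen = sch->qlen;
    sch->qlen = 0;          /* qdisc_reset(): the packets are gone */
    tree_reduce_backlog(sch, qlen);
}

/*
 * Model of the SFQ perturb timer: the rehash drops packets that no longer
 * fit and reports them upward. 'want' is an assumed number of packets the
 * rehash would drop if they were still queued; it cannot drop more than
 * the child actually holds.
 */
static unsigned int perturb_rehash(struct qdisc *sfq, unsigned int want)
{
    unsigned int dropped = want < sfq->qlen ? want : sfq->qlen;
    sfq->qlen -= dropped;
    tree_reduce_backlog(sfq, dropped);
    return dropped;
}

/*
 * Replay the interleaving from the advisory: CPU 0 (the RED change path)
 * flushes or purges its SFQ child under the root lock and unlocks; CPU 1
 * (the perturb timer) then runs before the old child is destroyed.
 * Returns the parent's qlen afterwards. Constructed input: 10 packets
 * queued in the child, all of them counted in the parent.
 */
unsigned int run_race(bool fixed, unsigned int rehash_drops)
{
    struct qdisc red = { "red", 10, NULL };
    struct qdisc sfq = { "sfq", 10, &red };

    if (fixed)
        purge_queue(&sfq);          /* patched kernel */
    else
        tree_flush_backlog(&sfq);   /* unpatched kernel */

    /* window after sch_tree_unlock() and before the old child is put */
    perturb_rehash(&sfq, rehash_drops);

    return red.qlen;
}

/* A parent's count can never legitimately exceed what was queued before. */
bool qlen_underflowed(unsigned int before, unsigned int after)
{
    return after > before;
}

int main(void)
{
    unsigned int vuln = run_race(false, 3);
    unsigned int fix = run_race(true, 3);

    printf("flush_backlog: parent qlen = %u, underflow: %s\n",
           vuln, qlen_underflowed(10, vuln) ? "yes" : "no");
    printf("purge_queue:   parent qlen = %u, underflow: %s\n",
           fix, qlen_underflowed(10, fix) ? "yes" : "no");
    return 0;
}
```

With the flush variant the parent ends at 0 after the flush and is then reduced by the 3 packets the rehash drops, wrapping to UINT_MAX - 2; with the purge variant the child is already empty when the timer runs, so the rehash drops nothing and the parent stays at 0.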

Added: Jul 3, 2025, 11:24 AM
Updated: Jul 3, 2025, 11:24 AM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          2.5
exploitability  5.3
remediation     0.0
relevance       0.2
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.