Linux Kernel Classful Qdisc Dequeue Handler Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's networking scheduler, specifically within classful queuing disciplines (qdiscs). This issue arises when a qdisc's dequeue handler is invoked during an enqueue operation, potentially emptying the child qdisc and rendering an in-flight class passive. Most qdiscs do not anticipate this behavior, which can lead to unintended reactivation of the class and subsequent use-after-free conditions. The vulnerability has been addressed by ensuring that notifications are always sent when a child qdisc becomes empty, preventing the deletion of qdiscs from causing backlog accounting issues that could lead to use-after-free scenarios.

Impact

Exploitation of this vulnerability causes a use-after-free condition, where a freed memory resource is accessed, potentially leading to arbitrary code execution or memory corruption.

Reproduction

The vulnerability can be reproduced by adding a classful qdisc to a network interface and then deleting a class that is actively being used. This process can be automated with a script that sends UDP packets to the interface, simulating normal traffic. The deletion of the class while it is still in use triggers the use-after-free condition.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been fixed.
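
To prioritise the upgrade, it helps to know which hosts have classful qdiscs with child qdiscs attached. The following is an added example, not part of the original advisory: it parses `tc qdisc show` text and reports each classful qdisc with the number of qdiscs attached beneath it. The `CLASSFUL_KINDS` list, the function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): inventory classful qdiscs from
# `tc qdisc show` text. CLASSFUL_KINDS is an assumed list of classful qdisc
# kinds; the advisory itself names none, so adjust it for your fleet.
CLASSFUL_KINDS="htb hfsc drr qfq prio ets cbq multiq dsmark atm"

# Reads `tc qdisc show` output on stdin; prints one line per classful qdisc:
#   <dev> <kind> <handle> children=<number of qdiscs attached below it>
classful_qdiscs() {
    awk -v kinds="$CLASSFUL_KINDS" '
    BEGIN { n = split(kinds, k, " "); for (i = 1; i <= n; i++) classful[k[i]] = 1 }
    $1 == "qdisc" {
        dev = ""; parent = ""
        for (i = 4; i < NF; i++) {
            if ($i == "dev")    dev = $(i + 1)
            if ($i == "parent") parent = $(i + 1)
        }
        if (parent != "") {            # child qdisc: count it under the parent major
            split(parent, p, ":")
            children[dev SUBSEP p[1]]++
        }
        if ($2 in classful) {          # remember classful qdiscs in input order
            split($3, h, ":")
            cnt++; c_dev[cnt] = dev; c_kind[cnt] = $2; c_major[cnt] = h[1]
        }
    }
    END {
        for (i = 1; i <= cnt; i++)
            printf "%s %s %s: children=%d\n", c_dev[i], c_kind[i], c_major[i], children[c_dev[i] SUBSEP c_major[i]]
    }'
}

# Constructed sample of `tc qdisc show` output (not captured from a real host).
sample_tc_output() {
    cat <<'EOF'
qdisc noqueue 0: dev lo root refcnt 2
qdisc htb 1: dev eth0 root refcnt 2 r2q 10 default 0x10 direct_packets_stat 0 direct_qlen 1000
qdisc netem 10: dev eth0 parent 1:10 limit 1000 delay 10ms
qdisc fq_codel 20: dev eth0 parent 1:20 limit 10240p flows 1024 quantum 1514 target 5ms
qdisc drr 2: dev eth1 root refcnt 2
qdisc fq_codel 0: dev eth2 root refcnt 2 limit 10240p flows 1024 quantum 1514
EOF
}

# Demo on the sample; on a host run: tc qdisc show | classful_qdiscs
sample_tc_output | classful_qdiscs
```

An empty result only means no qdisc kind from the assumed list is configured at the time of the check; it is not a substitute for the kernel upgrade.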

Added: Jul 19, 2025, 7:17 AM
Updated: Jul 19, 2025, 7:17 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 0.0
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.