Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A stack-based buffer overflow vulnerability has been identified in the Linux kernel's MQPRIO traffic control (TC) entry parsing. The issue arises because the TCA_MQPRIO_TC_ENTRY_INDEX attribute is validated with a policy that allows values up to and including TC_QOPT_MAX_QUEUE (16). This validation flaw leads to a 4-byte out-of-bounds write in the fp array, which can only accommodate 16 elements (indices 0-15). The vulnerability affects the Linux kernel stable tree.
Exploitation of this vulnerability causes a stack-based buffer overflow, which can corrupt the stack or lead to arbitrary code execution, potentially allowing an attacker to manipulate the kernel's execution flow.
The vulnerability can be reproduced by sending a crafted message that includes a TCA_MQPRIO_TC_ENTRY_INDEX value of 16 or higher. This can be done using the 'tc' command with the 'mqprio' qdisc, specifying an invalid entry index that exceeds the allowed range. The improper validation will cause the out-of-bounds write in the 'fp' array, triggering the buffer overflow.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.
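The off-by-one described above, as an added user-space model (not kernel code and not the upstream patch): an inclusive maximum of TC_QOPT_MAX_QUEUE accepts one index more than a 16-element array holds. `struct max_policy`, `parse_entry`, `overrun_bytes` and the `strict_policy` bound of TC_QOPT_MAX_QUEUE - 1 are hypothetical names and assumptions for illustration; only `fp` and `TC_QOPT_MAX_QUEUE` come from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TC_QOPT_MAX_QUEUE 16            /* array size stated on the page */

enum result { STORED = 0, REJECTED_BY_POLICY = -1, OUT_OF_BOUNDS = -2 };

/* Hypothetical stand-in for an inclusive "maximum value" attribute policy. */
struct max_policy { uint32_t max; };
static const struct max_policy flawed_policy = { TC_QOPT_MAX_QUEUE };     /* accepts 0..16 */
static const struct max_policy strict_policy = { TC_QOPT_MAX_QUEUE - 1 }; /* accepts 0..15 (assumed bound) */

static uint32_t fp[TC_QOPT_MAX_QUEUE];  /* 16 elements, valid indices 0..15 */

/* Parse one entry: policy check first, then the store. The explicit bound
 * check at the point of use reports an index the policy let through that
 * lies outside fp[], instead of performing the write. */
static enum result parse_entry(const struct max_policy *p, uint32_t index, uint32_t val)
{
    if (index > p->max)
        return REJECTED_BY_POLICY;
    if (index >= sizeof(fp) / sizeof(fp[0]))
        return OUT_OF_BOUNDS;           /* fp[index] would land past the array */
    fp[index] = val;
    return STORED;
}

/* Bytes past the end of fp[] reachable through the largest accepted index. */
static size_t overrun_bytes(const struct max_policy *p)
{
    size_t n = sizeof(fp) / sizeof(fp[0]);
    if (p->max < n)
        return 0;
    return ((size_t)p->max - n + 1) * sizeof(fp[0]);
}

int main(void)
{
    printf("flawed policy, index 15: %d\n", parse_entry(&flawed_policy, 15, 1));
    printf("flawed policy, index 16: %d\n", parse_entry(&flawed_policy, 16, 1));
    printf("strict policy, index 16: %d\n", parse_entry(&strict_policy, 16, 1));
    printf("overrun with flawed policy: %zu bytes\n", overrun_bytes(&flawed_policy));
    printf("overrun with strict policy: %zu bytes\n", overrun_bytes(&strict_policy));
    return 0;
}
```

The 4-byte overrun reported for the flawed policy is one `uint32_t` slot, matching the size of the out-of-bounds write in the description.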