Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.12.0-116.el10.x86_64, < 6.12.0-116.el10.x86_64
A NULL pointer dereference has been identified in the Linux kernel's Enhanced Transmission Scheduler (ETS), in the ETS class queue length notification function. The issue arises after recent changes to the ETS queue discipline, specifically in the 'ets_qdisc_change' function: the 'nbands' value is handled improperly when unused queues are purged, which leads to a crash. Several versions of the Linux kernel are affected, including 6.12.0-116.el10.x86_64. The vulnerability can be reproduced by running the 'tc' command with a test case that triggers the ETS class queue length notification.
Exploitation of this vulnerability leads to a kernel crash due to a NULL pointer dereference, causing a denial of service by interrupting normal kernel operations and potentially destabilizing the system.
The vulnerability can be reproduced by using the 'tc' command to modify an ETS queue discipline. This can be done by changing the number of bands or strictness settings, which will trigger the 'ets_qdisc_change' function. The improper handling of the 'nbands' value will cause a NULL pointer dereference in the 'ets_class_qlen_notify' function, leading to a kernel crash.
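For triage, the crash described above leaves a recognizable signature in the kernel log. The following is an added example, not code from the kernel project or from this advisory: it scans kernel log lines for NULL-dereference oopses whose faulting function is 'ets_class_qlen_notify' and notes whether 'ets_qdisc_change' appears in the trace. The log excerpt is constructed, and the oops line layout it assumes is the usual x86_64 format.

```python
import re

# Function names come from the advisory text; the log layout is an assumption.
FAULT_FN, CALLER_FN = "ets_class_qlen_notify", "ets_qdisc_change"
OOPS_START = re.compile(r"BUG: kernel NULL pointer dereference")
OOPS_END = re.compile(r"---\[ end trace")
RIP = re.compile(r"RIP: \d+:(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
COMM = re.compile(r"\bComm: (\S+)")

# Constructed kernel log excerpt: timestamps, offsets and PIDs are invented.
SAMPLE_LOG = """\
[  101.100000] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  101.100010] CPU: 2 UID: 0 PID: 4321 Comm: tc Not tainted 6.12.0-116.el10.x86_64 #1
[  101.100020] RIP: 0010:ets_class_qlen_notify+0x65/0x90 [sch_ets]
[  101.100030] Call Trace:
[  101.100040]  ets_qdisc_change+0x58b/0xa70 [sch_ets]
[  101.100050] ---[ end trace 0000000000000000 ]---
[  250.200000] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  250.200010] CPU: 0 UID: 0 PID: 777 Comm: kworker/0:1 Not tainted 6.12.0-116.el10.x86_64 #1
[  250.200020] RIP: 0010:some_other_driver_fn+0x12/0x40 [other_mod]
[  250.200030] ---[ end trace 0000000000000000 ]---
"""

def find_ets_oops(lines):
    """Return one record per NULL-deref oops whose faulting function is FAULT_FN."""
    hits, cur = [], None
    for line in lines:
        if OOPS_START.search(line):          # a new oops block begins
            cur = {"rip": None, "comm": None, "via_change": False}
            continue
        if cur is None:                      # ordinary log line outside any oops
            continue
        if (m := RIP.search(line)) and cur["rip"] is None:
            cur["rip"] = m.group(1)          # faulting kernel function
        elif (m := COMM.search(line)) and cur["comm"] is None:
            cur["comm"] = m.group(1)         # process that was running
        elif CALLER_FN + "+" in line:
            cur["via_change"] = True         # qdisc change path is in the trace
        if OOPS_END.search(line):
            if cur["rip"] == FAULT_FN:
                hits.append(cur)
            cur = None
    if cur and cur["rip"] == FAULT_FN:       # log cut short by the crash itself
        hits.append(cur)
    return hits

if __name__ == "__main__":
    for hit in find_ets_oops(SAMPLE_LOG.splitlines()):
        print(hit)
```

To run it against a live host, feed it the lines of the saved kernel log instead of SAMPLE_LOG.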
Users can upgrade to the latest stable version of the Linux kernel to address this vulnerability. The specific commit that resolves the issue is available in the Linux kernel stable tree.