Linux Kernel Backlog Accounting Vulnerability in Traffic Control Qdiscs

Vulnerability

A vulnerability has been identified in the Linux kernel's traffic control subsystem, specifically within certain queuing disciplines (qdiscs) including heavy-hitter filter (hhf), fair queue (fq), fair queue with controlled delay (fq_codel), and fq-pie. The issue arises in the change handlers of these qdiscs when they adjust to new limits, leading to improper backlog accounting. When a token bucket filter (tbf) parent runs out of tokens, packets from these qdiscs are incorrectly managed, causing a backlog underflow in the tbf parent. This vulnerability can be reproduced by manipulating qdisc limits and observing the resulting backlog discrepancies.

Impact

Exploitation of this vulnerability causes an underflow in the backlog accounting of the tbf parent, leading to incorrect traffic control behavior.

Reproduction

The vulnerability can be reproduced by setting up a token bucket filter (tbf) qdisc with a specific rate and burst, and then applying a limit that causes the tbf to run out of tokens. This action will trigger the affected qdiscs to mismanage their backlog accounting, which can be verified by checking the qdisc statistics before and after the limit adjustment.
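One way to automate the statistics check described above is to scan `tc -s -j qdisc show` output for a tbf parent whose backlog counters have wrapped or dropped below those of its child qdisc. This is an added example, not code from the advisory or the kernel; the JSON field names (assumed from iproute2's JSON mode), the 2^31 threshold, the helper names and the sample data are assumptions constructed for illustration.

```python
import json

# Constructed sample shaped like `tc -s -j qdisc show` output. Field names are
# assumed from iproute2's JSON mode; the values are not from a real host.
SAMPLE = json.dumps([
    {"kind": "tbf", "handle": "1:", "dev": "lo", "root": True,
     "backlog": 4294967196, "qlen": 4294967295},
    {"kind": "hhf", "handle": "10:", "dev": "lo", "parent": "1:",
     "backlog": 0, "qlen": 0},
    {"kind": "tbf", "handle": "1:", "dev": "eth0", "root": True,
     "backlog": 3000, "qlen": 2},
    {"kind": "fq_codel", "handle": "10:", "dev": "eth0", "parent": "1:1",
     "backlog": 3000, "qlen": 2},
])

AFFECTED_CHILDREN = {"hhf", "fq", "fq_codel", "fq_pie"}
# Assumption: the counters are unsigned 32-bit, so a value at or above 2**31
# is treated as a wrapped (underflowed) counter rather than a real queue depth.
WRAP_THRESHOLD = 2 ** 31


def major(handle):
    """Return the major part of a tc handle such as '1:' or '1:1'."""
    return handle.split(":")[0]


def find_backlog_anomalies(tc_json):
    """Flag tbf parents whose backlog/qlen wrapped or fell below their child's."""
    qdiscs = json.loads(tc_json)
    findings = []
    for tbf in (q for q in qdiscs if q.get("kind") == "tbf"):
        children = [c for c in qdiscs
                    if c.get("dev") == tbf.get("dev")
                    and c.get("kind") in AFFECTED_CHILDREN
                    and major(c.get("parent", "")) == major(tbf["handle"])]
        if not children:
            continue
        for field in ("backlog", "qlen"):
            parent_val = tbf.get(field, 0)
            child_val = sum(c.get(field, 0) for c in children)
            if parent_val >= WRAP_THRESHOLD:
                findings.append((tbf["dev"], tbf["handle"], field, "wrapped", parent_val))
            elif parent_val < child_val:
                findings.append((tbf["dev"], tbf["handle"], field, "below-child", parent_val))
    return findings


if __name__ == "__main__":
    for finding in find_backlog_anomalies(SAMPLE):
        print(finding)
```

On a live host, pass the captured output of `tc -s -j qdisc show` to `find_backlog_anomalies` in place of `SAMPLE`.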

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.

Added: Sep 5, 2025, 8:08 PM
Updated: Sep 5, 2025, 8:08 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.