Linux Kernel NULL Dereference Vulnerability in sch_cake Prior to 6.5.1

Vulnerability

A vulnerability in the Linux kernel's sch_cake traffic control queueing discipline can lead to a NULL pointer dereference. This issue arises from an inconsistency in the queue length and backlog accounting within the qdisc hierarchy. The problem occurs when the cake_enqueue function returns NET_XMIT_CN, causing the parent qdisc to stop processing the current packet. As a result, the expected packet handling flow is disrupted, particularly when the parent qdisc is qfq_qdisc, leading to a NULL dereference. The vulnerability affects several versions of the Linux kernel stable tree.

Impact

Exploitation of this vulnerability can cause a system crash due to a NULL pointer dereference, disrupting normal operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by enqueuing packets in a way that exceeds the buffer limit, causing the cake_enqueue function to return NET_XMIT_CN. This can be done by manipulating the traffic control settings or by sending a high volume of packets that exceed the configured buffer limits. Once the buffer limit is exceeded, the inconsistent accounting can be triggered, leading to a NULL dereference when the parent qdisc is qfq_qdisc.

Remediation

Upgrade to Linux kernel version 6.5.1 or later, where this vulnerability has been fixed.
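To find hosts that still need the upgrade most urgently, the script below lists cake qdiscs attached beneath a qfq parent, the combination the advisory singles out. It is an added example, not part of the original advisory; the function names and the sample `tc qdisc show` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): list cake qdiscs attached beneath a qfq
# qdisc, reading text in the format printed by `tc qdisc show` on stdin.
find_cake_under_qfq() {
    awk '
    $1 == "qdisc" {
        kind = $2; handle = $3; dev = ""; parent = ""
        for (i = 4; i < NF; i++) {
            if ($i == "dev")    dev = $(i + 1)
            if ($i == "parent") parent = $(i + 1)
        }
        if (kind == "qfq") qfq[dev, handle] = 1
        if (kind == "cake" && parent != "") {
            n++; cdev[n] = dev; chandle[n] = handle; cparent[n] = parent
        }
    }
    END {
        for (j = 1; j <= n; j++) {
            # A classid such as "1:10" belongs to the qdisc with handle "1:".
            major = cparent[j]; sub(/:.*/, ":", major)
            if ((cdev[j], major) in qfq)
                printf "%s cake %s parent %s (qfq %s)\n", cdev[j], chandle[j], cparent[j], major
        }
    }'
}

# Constructed sample input: eth0 has cake under qfq, eth1 has cake at the root,
# eth2 has cake under htb. Only eth0 matches the affected layout.
sample_tc_output() {
    cat <<'EOF'
qdisc qfq 1: dev eth0 root refcnt 2
qdisc cake 8001: dev eth0 parent 1:1 bandwidth unlimited diffserv3 triple-isolate nonat nowash no-ack-filter split-gso rtt 100ms raw overhead 0
qdisc cake 8002: dev eth1 root refcnt 2 bandwidth 100Mbit diffserv3 triple-isolate nonat nowash no-ack-filter split-gso rtt 100ms raw overhead 0
qdisc htb 1: dev eth2 root refcnt 2 r2q 10 default 0 direct_packets_stat 0 direct_qlen 1000
qdisc cake 8003: dev eth2 parent 1:10 bandwidth unlimited diffserv3 triple-isolate nonat nowash no-ack-filter split-gso rtt 100ms raw overhead 0
EOF
}

# Demo on the constructed sample; on a live host use:
#   tc qdisc show | find_cake_under_qfq
sample_tc_output | find_cake_under_qfq
```

Empty output means no cake qdisc sits under a qfq parent on that host. The script does not check the kernel version, so it helps order the upgrades rather than replace them.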

Added: Dec 18, 2025, 5:21 PM
Updated: Dec 18, 2025, 5:21 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.