Linux Kernel Teql Qdisc Root-Only Enforcement Vulnerability

Vulnerability

A use-after-free vulnerability exists in the Linux kernel's traffic control (tc) subsystem, specifically in the teql (True Link Equalizer) queuing discipline (qdisc). Classful parent qdiscs decide whether a class is active by reading the queue length (qlen) of the class's child qdisc, so a child must keep that count accurate on every enqueue and dequeue. teql does not: it refreshes its qlen only when a packet is dequeued, never on enqueue. As long as teql sits at the root this does not matter, because there is no parent reading the count. When teql is attached as a non-root qdisc under a classful parent, the parent keeps seeing a qlen of zero while teql is actually holding packets; the class is activated, but the bookkeeping that later deactivates it is skipped, and a subsequent change to the class leaves the parent holding a reference to memory that has already been freed.

Impact

Exploitation of this vulnerability yields a use-after-free in kernel memory: the scheduler accesses a class object after it has been freed, which can crash the kernel (denial of service) or, if the freed memory is reclaimed under attacker control, lead to arbitrary code execution in kernel context. Configuring qdiscs and classes requires CAP_NET_ADMIN in the network namespace, which an unprivileged local user can obtain inside a user namespace where unprivileged user namespaces are enabled, so the trigger does not require root on the host.

Reproduction

To reproduce this vulnerability, create a classful root qdisc and add a class whose child qdisc is netem (network emulator) configured with a delay. Add a second class and attach teql as its child, i.e. as a non-root qdisc (this needs the sch_teql module loaded, which creates the teql0 master device). Send packets into the netem class so they are held by the delay, and at the same time send packets into the teql class. The parent activates the teql class when its first packet arrives, but because teql does not raise its qlen on enqueue the parent continues to see an empty child and its queue-length accounting never reflects the packets teql is holding. When the class parameters are then modified, the scheduler attempts to deactivate the class; the deactivation step is driven by the (zero) qlen and is skipped, so the class is released while still linked into the parent's active list. The next walk of that list dereferences the dangling pointer, producing the use-after-free.
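The following C program is an added model of the qlen contract described in the Vulnerability and Reproduction sections; it is not kernel code. The struct and function names are simplified stand-ins for the drr/hfsc-style parent, a teql-like child, and the teardown path, and the handle values are assumed. It shows that a child which updates its qlen only on dequeue leaves the parent with a class that is freed while still on the active list, that a single dequeue would have made the count honest, and that a root-only check on attach closes the path:

```c
#include <stdbool.h>
#include <stdio.h>

#define MODEL_TC_H_ROOT 0xFFFFFFFFU   /* stand-in for the kernel's TC_H_ROOT */

/* A child qdisc as its parent sees it: `packets` is what it really holds,
 * `qlen` is the q->q.qlen field the parent reads.  A teql-like child only
 * refreshes qlen on dequeue, so right after an enqueue it still reads 0. */
struct child_qdisc { int packets; int qlen; bool teql_like; };

/* A class of a classful parent with its link into the parent's active list
 * (a singly linked list is enough to show the dangling pointer). */
struct cls { struct child_qdisc *q; struct cls *next_active; bool linked; bool freed; };

struct parent_sched { unsigned int handle; struct cls *active_head; };

static void child_enqueue(struct child_qdisc *c)
{
    c->packets++;
    if (!c->teql_like)
        c->qlen = c->packets;   /* ordinary qdiscs keep qlen current on enqueue */
}

static void child_dequeue(struct child_qdisc *c)
{
    if (c->packets == 0)
        return;
    c->packets--;
    c->qlen = c->packets;       /* the only place a teql-like child updates qlen */
}

/* The fix, as a model: a teql-like qdisc is refused anywhere but at the root. */
static int attach_child(const struct child_qdisc *c, unsigned int parent, bool root_only)
{
    if (root_only && c->teql_like && parent != MODEL_TC_H_ROOT)
        return -1;
    return 0;
}

/* Parent enqueue: the class is put on the active list when its child reported
 * an empty queue before this packet (the same test drr_enqueue makes). */
static void sched_enqueue(struct parent_sched *s, struct cls *cl)
{
    bool first = (cl->q->qlen == 0);
    child_enqueue(cl->q);
    if (first && !cl->linked) {
        cl->next_active = s->active_head;
        s->active_head = cl;
        cl->linked = true;
    }
}

/* Parent side of taking the class down.  The unlink only happens when the
 * child's qlen is non-zero, mirroring qdisc_tree_reduce_backlog() returning
 * early for a zero-length qdisc. */
static void sched_class_teardown(struct parent_sched *s, struct cls *cl)
{
    struct cls **pp;

    if (cl->q->qlen == 0)
        return;                 /* parent believes the class holds nothing */
    for (pp = &s->active_head; *pp && *pp != cl; pp = &(*pp)->next_active)
        ;
    if (*pp) {
        *pp = cl->next_active;
        cl->linked = false;
    }
}

/* Walk the active list as the parent's dequeue would; true if it reaches a
 * class whose memory has already been released. */
static bool active_list_has_freed(const struct parent_sched *s)
{
    const struct cls *cl;

    for (cl = s->active_head; cl; cl = cl->next_active)
        if (cl->freed)
            return true;
    return false;
}

/* Returns 2 if the root-only check refused the attach, 1 if the class was
 * freed while still on the active list (the dangling pointer), 0 if clean. */
int run_scenario(bool teql_like, bool root_only, bool dequeue_before_teardown)
{
    struct parent_sched s = { .handle = 0x10002, .active_head = NULL }; /* class 1:2, assumed */
    struct child_qdisc q = { .packets = 0, .qlen = 0, .teql_like = teql_like };
    struct cls cl = { .q = &q, .next_active = NULL, .linked = false, .freed = false };

    if (attach_child(&q, s.handle, root_only) < 0)
        return 2;

    /* Packets arrive while the sibling netem class holds the link, so nothing
     * has been dequeued from this class yet. */
    sched_enqueue(&s, &cl);
    sched_enqueue(&s, &cl);
    if (dequeue_before_teardown)
        child_dequeue(&q);

    sched_class_teardown(&s, &cl);  /* class change: deactivate, then release */
    cl.freed = true;
    return active_list_has_freed(&s) ? 1 : 0;
}

int main(void)
{
    printf("normal child, unpatched      -> %d\n", run_scenario(false, false, false));
    printf("teql child, unpatched        -> %d\n", run_scenario(true, false, false));
    printf("teql child after one dequeue -> %d\n", run_scenario(true, false, true));
    printf("teql child, root-only fix    -> %d\n", run_scenario(true, true, false));
    return 0;
}
```

The second line of output is the bug: the parent never saw a non-zero qlen, skipped the unlink, and the freed class is still reachable from the active list. The third line shows why the real kernel only misbehaves when no dequeue has happened yet, and the fourth shows the remediation refusing the non-root attach before any packet is queued.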

Remediation

The vulnerability has been addressed in the Linux kernel by enforcing that the teql qdisc can only be attached as a root qdisc; an attempt to add it under another qdisc is now rejected at setup time. Upgrade to a kernel that carries this restriction. Until then, do not attach teql anywhere but at the root, and on hosts that do not use teql at all, prevent the sch_teql module from loading (for example with a modprobe.d blacklist or an `install sch_teql /bin/false` line) to remove the attack surface entirely.

Added: Feb 4, 2026, 6:16 PM
Updated: Feb 4, 2026, 6:16 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.8
remediation: 7.7
relevance: 2.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.