Linux Kernel ETS Offload Path Divide-By-Zero Vulnerability

Vulnerability

A vulnerability in the Linux kernel's Ethernet scheduling (ETS) offload feature can lead to a divide-by-zero error. The offload path has to calculate each class's Weighted Round Robin (WRR) weight by averaging the sums of quanta. Those sums were held in unsigned integers of the same size as the individual quanta, so they can overflow, potentially causing a division by zero. The issue has been observed in Linux kernel version 6.19.0-virtme.

Impact

Exploitation of this vulnerability causes a kernel panic, leading to a fatal exception and system crash.

Reproduction

The vulnerability can be reproduced by offloading ETS scheduling on a network device. This can be done using the 'tc' command to modify the ETS queue discipline. The offloading process will trigger the divide-by-zero error, causing a kernel panic.

Remediation

The vulnerability has been fixed by changing the data type of the 'q_sum' and 'q_psum' variables from unsigned integers to 64-bit integers. Users should upgrade to the patched version of the Linux kernel.
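The following user-space model is an added example, not the kernel's code: it shows the 32-bit sum of quanta wrapping to zero and the same input handled with 64-bit `q_sum` and `q_psum`. The function names, the percentage-of-running-sum formula and the quanta values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Pre-fix model: sums are 32-bit, the same width as each quantum, so the
 * total can wrap. Returns -1 where the real path would divide by zero. */
int wrr_weights_u32(const uint32_t *quanta, int n, uint32_t *weights)
{
    uint32_t q_sum = 0, q_psum = 0, w_psum, w_psum_prev = 0;

    for (int i = 0; i < n; i++)
        q_sum += quanta[i];              /* wraps modulo 2^32 */
    if (q_sum == 0)
        return -1;                       /* divisor is zero */
    for (int i = 0; i < n; i++) {
        q_psum += quanta[i];
        w_psum = q_psum * 100 / q_sum;   /* assumed formula; product can wrap too */
        weights[i] = w_psum - w_psum_prev;
        w_psum_prev = w_psum;
    }
    return 0;
}

/* Post-fix model: q_sum and q_psum are 64-bit, as the remediation states. */
int wrr_weights_u64(const uint32_t *quanta, int n, uint32_t *weights)
{
    uint64_t q_sum = 0, q_psum = 0;
    uint32_t w_psum, w_psum_prev = 0;

    for (int i = 0; i < n; i++)
        q_sum += quanta[i];              /* cannot wrap for 32-bit quanta */
    if (q_sum == 0)
        return -1;                       /* only when every quantum is 0 */
    for (int i = 0; i < n; i++) {
        q_psum += quanta[i];
        w_psum = (uint32_t)(q_psum * 100 / q_sum);   /* always <= 100 */
        weights[i] = w_psum - w_psum_prev;
        w_psum_prev = w_psum;
    }
    return 0;
}

int main(void)
{
    const uint32_t quanta[2] = { 0x80000000u, 0x80000000u }; /* constructed */
    uint32_t w[2] = { 0, 0 };
    int rc32 = wrr_weights_u32(quanta, 2, w);
    int rc64 = wrr_weights_u64(quanta, 2, w);
    printf("u32 rc=%d, u64 rc=%d weights=%u/%u\n", rc32, rc64, (unsigned)w[0], (unsigned)w[1]);
    return 0;
}
```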

Added: Mar 25, 2026, 11:46 AM
Updated: Mar 25, 2026, 11:46 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.