Linux Kernel clsact Qdisc Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's clsact queuing discipline (qdisc) management. The issue arises from an asymmetry between the initialization and destruction of clsact instances. It occurs when the clsact_init function successfully initializes the ingress side but fails to complete the egress initialization, leaving the egress entry from a previous instance valid. When the clsact_destroy function is then called, it incorrectly assumes both entries are uninitialized, leading to a use-after-free condition. The fix adds a helper function that checks the initialization status of the qdisc entries before destruction, ensuring a consistent and safe cleanup process.
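
The rollback asymmetry and the initialization check can be seen in a small userspace model. This is an added illustration, not kernel code and not the upstream patch. It assumes teardown drops a reference on a per-device entry shared between instances, and every name in it is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model; all names are hypothetical, not kernel symbols. */
struct entry { int refs; };                  /* per-device state shared across instances */
struct side  { struct entry *entry; bool inited; };
struct qdisc_model { struct side ingress, egress; };

/* Helper in the spirit of the fix: did THIS instance initialize the side? */
static bool side_inited(const struct side *s) { return s->inited; }
static void side_init(struct side *s) { s->entry->refs++; s->inited = true; }

/* Ingress is set up first; egress setup can fail midway. */
static int model_init(struct qdisc_model *q, struct entry *in, struct entry *eg, bool egress_fails)
{
    q->ingress = (struct side){ .entry = in };
    q->egress  = (struct side){ .entry = eg };
    side_init(&q->ingress);
    if (egress_fails)
        return -1;                           /* caller rolls back via model_destroy() */
    side_init(&q->egress);
    return 0;
}

/* Without the check, a non-NULL entry that another instance owns is released too. */
static void side_release(struct side *s, bool check_inited)
{
    if (check_inited ? side_inited(s) : s->entry != NULL)
        s->entry->refs--;
}

static void model_destroy(struct qdisc_model *q, bool check_inited)
{
    side_release(&q->ingress, check_inited);
    side_release(&q->egress, check_inited);
}

/* Egress references left for the previous instance after a failed replacement. */
int egress_refs_after_failed_replace(bool check_inited)
{
    struct entry in = {0}, eg = {0};
    struct qdisc_model old, repl;
    model_init(&old, &in, &eg, false);       /* previous instance, fully set up */
    if (model_init(&repl, &in, &eg, true) != 0)
        model_destroy(&repl, check_inited);  /* rollback of the failed replacement */
    return eg.refs;                          /* 1 = still referenced, 0 = dropped early */
}

int main(void)
{
    printf("entry-present test: %d, inited check: %d\n",
           egress_refs_after_failed_replace(false), egress_refs_after_failed_replace(true));
}
```

A count of 0 means the failed replacement released state the previous instance still relies on, which is the precondition for the use-after-free. With the per-instance check the count stays at 1.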

Impact

The use-after-free condition may be exploited to execute arbitrary code or to cause a denial of service by crashing the system.

Reproduction

To reproduce this vulnerability, create a clsact qdisc instance and initialize the ingress side. Then simulate a failure in the egress initialization process, which can be done by manipulating the tcf_block_get_ext function to fail after the ingress side has already been initialized. Once this failure occurs, the clsact_destroy callback is triggered, leading to the use-after-free condition.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Apr 2, 2026, 12:27 PM
Updated: Apr 2, 2026, 12:27 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 1.3
exploitability: 4.3
remediation: 7.7
relevance: 5.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.