Linux Kernel TEQL Double-Free Vulnerability in Qdisc Management

Vulnerability

A double-free vulnerability has been identified in the Linux kernel's TEQL (TCP Equalizer) scheduling mechanism. The issue arises when a TEQL device has a lockless Qdisc (queueing discipline) as its root. In that case, the 'qdisc_reset' function must be called with the sequence lock held so that it cannot race with the data path. When the lock is not taken, the race can crash the kernel, as shown by a reported double-free error in the 'skb_release_data' function, which is part of the kernel's networking stack.

Impact

Exploitation of this vulnerability corrupts kernel memory through a double-free condition, which the Kernel Address Sanitizer (KASAN) detects. This type of memory corruption can often be exploited to execute arbitrary code or to cause a denial-of-service condition by crashing the system.

Reproduction

To reproduce this vulnerability, first, initialize a TEQL topology with 'dummy0' and 'ifb0' as slaves and bring 'teql0' up. Then, start multiple sender processes that continuously transmit packets through 'teql0', which will activate the 'teql_master_xmit' function. While this is happening, repeatedly delete and re-add the root Qdisc on 'dummy0' and 'ifb0' using RTNETLINK. This will force frequent teardown and reset activities, which can lead to the double-free condition being triggered. After running these steps for several iterations, KASAN will report the double-free error.

Remediation

The vulnerability has been fixed in the official Linux Git repository. Users should upgrade to the latest version of the Linux kernel to address this issue.
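Until the fixed kernel is deployed, a host can be checked for the configuration described above: a TEQL master whose root Qdisc is lockless and that has slaves attached. The script below is an added example, not part of the original advisory or the kernel project. It assumes input in the format printed by `tc qdisc show`, treats `pfifo_fast` as the lockless kind to flag (an adjustable assumption), and uses constructed sample output.

```shell
#!/bin/sh
# Added example (not from the advisory). Input: text in `tc qdisc show` format.
# Assumption: pfifo_fast is the lockless qdisc kind to flag; extend as needed.
LOCKLESS_KINDS="pfifo_fast"

# Print "<master> <root-kind> <slave,slave,...>" for every TEQL master that
# has a lockless root qdisc and at least one slave attached.
teql_exposure() {
    awk -v lockless="$LOCKLESS_KINDS" '
    BEGIN { n = split(lockless, k, " "); for (i = 1; i <= n; i++) ll[k[i]] = 1 }
    $1 == "qdisc" {
        kind = $2; dev = ""; root = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "dev") dev = $(i + 1)
            if ($i == "root") root = 1
        }
        if (dev == "" || !root) next
        # A slave carries a root qdisc whose kind is the master name (teqlN).
        if (kind ~ /^teql[0-9]+$/) {
            sep = (kind in slaves) ? "," : ""
            slaves[kind] = slaves[kind] sep dev
        }
        # The master itself is a device named teqlN; remember its root kind.
        if (dev ~ /^teql[0-9]+$/) rootkind[dev] = kind
    }
    END {
        for (m in rootkind)
            if ((rootkind[m] in ll) && (m in slaves)) print m, rootkind[m], slaves[m]
    }' | sort
}

# Constructed sample: teql0 with a pfifo_fast root and two slaves.
sample_tc_output() {
cat <<'EOF'
qdisc noqueue 0: dev lo root refcnt 2
qdisc pfifo_fast 0: dev teql0 root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
qdisc teql0 8001: dev dummy0 root refcnt 2
qdisc teql0 8002: dev ifb0 root refcnt 2
qdisc fq_codel 0: dev eth0 root refcnt 2 limit 10240p flows 1024
EOF
}

# On a real host, replace the sample with: tc qdisc show | teql_exposure
sample_tc_output | teql_exposure
```

An empty result means no TEQL master in the input matches the flagged configuration; it does not show that the kernel is patched.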

Added: Apr 3, 2026, 5:03 PM
Updated: Apr 3, 2026, 5:03 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 3.1
exploitability: 3.4
remediation: 7.7
relevance: 5.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.