Linux Kernel NULL Pointer Dereference Vulnerability in Traffic Control Classifier

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's traffic control (tc) subsystem, specifically within the 'cls_fw' classifier. The issue arises when an empty 'cls_fw' filter is applied to a shared block and a packet whose socket buffer (skb) mark has a nonzero major part is classified. The vulnerability is in the old-method path of the 'fw_classify()' function, which reads a handle through the block's queue pointer; for a shared block that pointer is NULL, so the read crashes the kernel. The problem has been fixed by rejecting the faulty configuration and updating the 'fw_change()' function to properly handle shared blocks.

Impact

Exploitation of this vulnerability leads to a NULL pointer dereference, causing a kernel crash.

Reproduction

To reproduce this vulnerability, attach an empty 'cls_fw' filter to a shared block while using the old method (without TCA_OPTIONS). Then, classify a packet with a nonzero major skb mark. This will trigger the NULL pointer dereference, as the shared block does not have a valid queue handle.
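The condition described above can be followed in a small user-space model. This is an added example, not the kernel's code or the upstream patch: the struct and function names and the sample handles are assumptions made for illustration, and only the empty-filter (old method) case is modelled.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TC_H_MAJ(h) ((h) & 0xFFFF0000U)  /* major half of a tc handle */

/* Simplified stand-ins for kernel objects (hypothetical names). */
struct model_qdisc { uint32_t handle; };
struct model_block { struct model_qdisc *q; };  /* q == NULL: shared block */

/* Constructed sample data: one qdisc-owned block, one shared block. */
struct model_qdisc sample_q = { 0x00010000U };
struct model_block owned_block = { &sample_q };
struct model_block shared_block = { NULL };

/* Old-method path without a guard: returns the class id, 0 if no match.
 * With a nonzero major in the mark, q->handle is read; if q is NULL
 * (shared block) that read is the NULL dereference. */
uint32_t classify_unguarded(const struct model_block *b, uint32_t mark)
{
    const struct model_qdisc *q = b->q;

    if (mark && (TC_H_MAJ(mark) == 0 || !TC_H_MAJ(mark ^ q->handle)))
        return mark;
    return 0;
}

/* Configuration-time check: refuse an empty (old-method) filter on a
 * block that has no owning qdisc. */
int change_checked(const struct model_block *b)
{
    return b->q == NULL ? -EINVAL : 0;
}

/* Classification reachable only through an accepted configuration. */
uint32_t classify_guarded(const struct model_block *b, uint32_t mark)
{
    if (change_checked(b) != 0)
        return 0;
    return classify_unguarded(b, mark);
}

int main(void)
{
    printf("owned:  %#x\n", (unsigned)classify_guarded(&owned_block, 0x00010005U));
    printf("shared: %d\n", change_checked(&shared_block));
    return 0;
}
```

A mark with a zero major part short-circuits before the handle is read, which is why the crash requires a nonzero major part.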

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Apr 13, 2026, 3:27 PM
Updated: Apr 13, 2026, 3:27 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.8
remediation: 7.7
relevance: 5.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.