Linux Kernel Qdisc Red Dequeue Handling Vulnerability Causes Kernel Panic

A vulnerability in the Linux kernel's traffic control subsystem can lead to a kernel panic. This issue arises in the 'red' queuing discipline (qdisc) when it has child qdiscs, such as 'qfq', that use a specific peek() callback. The problem occurs when the parent qdisc, like 'tbf', tries to retrieve a packet from 'red'. The retrieval process involves peeking for available packets, which can inadvertently cause 'red' to call its child's dequeue() method. This mismanagement can result in a null pointer dereference, triggering a kernel panic. The vulnerability affects Linux kernel versions prior to 7.1.0-rc1-00033-g46f74a3f7d57.

Impact

Exploitation of this vulnerability leads to a kernel panic, causing a denial of service by crashing the system.

Reproduction

To reproduce this vulnerability, configure a 'red' qdisc with a child 'qfq' qdisc that uses the 'qdisc_peek_dequeued()' callback. Then, have a parent qdisc, such as 'tbf', attempt to retrieve a packet from the 'red' qdisc. The 'red' qdisc will incorrectly call the dequeue method of the 'qfq' qdisc, leading to a null pointer dereference and a kernel panic.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed.