Linux Kernel TAPRIO Qdisc NULL Pointer Dereference Vulnerability

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's TAPRIO scheduling class. When a TAPRIO child queuing discipline (qdisc) is deleted, a NULL value is stored in the qdiscs array. Subsequent operations that access this entry dereference the NULL pointer and cause a kernel panic. An unprivileged local user can exploit this from within a new network namespace by creating a TAPRIO qdisc, deleting a grafted child qdisc, and then requesting a class dump, which triggers the NULL pointer dereference.
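
The pattern described above, as an added example that is neither kernel code nor the upstream fix: a simplified userspace C model in which deleting a child leaves NULL in a qdiscs slot, with an unchecked dump path beside a checked one. All type and function names are hypothetical, and the handle value is constructed.

```c
#include <stddef.h>
#include <stdio.h>
/* Simplified userspace model. All names are hypothetical, not kernel symbols. */
#define NUM_CLASSES 4

struct child_qdisc { unsigned int handle; };
struct sched_model { struct child_qdisc *qdiscs[NUM_CLASSES]; };

/* Attach `repl` to class `cl` (1-based) and return the previous child.
 * repl == NULL models deleting the child: the slot is left holding NULL. */
static struct child_qdisc *graft(struct sched_model *s, unsigned int cl,
                                 struct child_qdisc *repl)
{
    struct child_qdisc *old = s->qdiscs[cl - 1];
    s->qdiscs[cl - 1] = repl;
    return old;
}

/* Flawed pattern: the dump path assumes every slot is populated. */
static int dump_class_unchecked(const struct sched_model *s, unsigned int cl,
                                unsigned int *handle_out)
{
    *handle_out = s->qdiscs[cl - 1]->handle; /* NULL deref once child is deleted */
    return 0;
}

/* Hardened pattern: validate the class id and the slot before reading it. */
static int dump_class_checked(const struct sched_model *s, unsigned int cl,
                              unsigned int *handle_out)
{
    if (cl == 0 || cl > NUM_CLASSES)
        return -1;                            /* no such class */
    const struct child_qdisc *child = s->qdiscs[cl - 1];
    *handle_out = child ? child->handle : 0;  /* 0 = no child attached */
    return 0;
}

int main(void)
{
    struct child_qdisc child = { 0x8001u };   /* constructed sample handle */
    struct sched_model s = { { NULL } };
    unsigned int h = 0;
    graft(&s, 1, &child);
    dump_class_unchecked(&s, 1, &h);          /* fine only while the slot is set */
    graft(&s, 1, NULL);                       /* child deleted, slot now NULL */
    int rc = dump_class_checked(&s, 1, &h);
    printf("checked dump: rc=%d handle=0x%x\n", rc, h);
    return 0;
}
```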

Impact

Exploitation of this vulnerability leads to a kernel panic, causing a denial of service by crashing the system.

Reproduction

To reproduce this vulnerability, create a TAPRIO qdisc inside a new network namespace. Graft an explicit child qdisc to it, then delete the child qdisc while the TAPRIO qdisc is active. Finally, request a class dump via RTM_GETTCLASS, which will trigger the NULL pointer dereference and cause a kernel panic.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.

Added: May 27, 2026, 11:19 AM
Updated: May 27, 2026, 11:19 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.8
remediation: 7.7
relevance: 9.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.