A recently discovered vulnerability in the Linux kernel's traffic control subsystem has been assigned the identifier CVE-2022-47929. An unprivileged user can trigger a NULL pointer dereference in the kernel and crash the system, a denial of service. In this long-read post we go through the details of the flaw, illustrate the issue with a code snippet, discuss its implications, and link to the original sources.

Details of the Vulnerability

The vulnerability exists in Linux kernel versions prior to 6.1.6, within the traffic control subsystem. The affected file is net/sched/sch_api.c, and the root cause is a missing validation in the qdisc_graft function: a queueing discipline (qdisc) can be grafted under a class of a classful qdisc even when it has no enqueue routine, and the next packet sent through that class makes the kernel call a NULL function pointer. Triggering the bug requires nothing beyond "tc qdisc" and "tc class" commands in a crafted traffic control configuration.

Here's a simplified sketch of the unpatched logic (not the kernel's verbatim code) to illustrate the issue:

static int qdisc_graft(struct Qdisc *parent, unsigned long cl,
                       struct Qdisc *new, struct Qdisc **old)
{
    const struct Qdisc_class_ops *cops = parent->ops->cl_ops;

    if (!cops || !cops->graft)
        return -EOPNOTSUPP;

    /* Missing check: 'new' may be the noqueue qdisc, whose ops table has
     * enqueue == NULL; the graft itself succeeds regardless. */
    return cops->graft(parent, cl, new, old);
}

/* Later, on the transmit path, the classful parent hands the packet to the
 * grafted child through qdisc_enqueue() (include/net/sch_generic.h). */
static inline int qdisc_enqueue(struct sk_buff *skb, struct Qdisc *sch,
                                struct sk_buff **to_free)
{
    return sch->enqueue(skb, sch, to_free); /* (*1*) NULL call for noqueue */
}

In this sketch the grafting step succeeds even though the new child has no enqueue routine. The NULL function pointer is only called at the line marked (*1*), once traffic flows through the class, which is why the crash surfaces on the transmit path inside the classful parent's enqueue rather than in qdisc_graft itself; qdisc_graft is simply where the missing check belongs, and where the upstream fix adds it.
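The following is an added, runnable user-space model of the root cause and of the fix; it is not kernel code. The struct and function names mirror the kernel's (Qdisc, Qdisc_ops, enqueue, noqueue, pfifo) but their bodies are reduced to the one fact that matters: a qdisc's enqueue pointer is copied from its ops table, and the noqueue ops table leaves it NULL. graft_vulnerable models the unpatched behaviour and graft_fixed models the upstream check that refuses noqueue under a class; the single-child "classful" qdisc and the xmit_is_safe helper are simplifications introduced here.

```c
/* Added example (not kernel code): user-space model of CVE-2022-47929.
 * Names mirror the kernel; the logic keeps only what the bug depends on. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

struct sk_buff { const char *data; };
struct Qdisc;
typedef int (*enqueue_fn)(struct sk_buff *skb, struct Qdisc *sch);

struct Qdisc_ops { const char *id; enqueue_fn enqueue; /* NULL for noqueue */ };

struct Qdisc {
    const struct Qdisc_ops *ops;
    enqueue_fn enqueue;     /* copied from ops->enqueue at allocation */
    struct Qdisc *child;    /* the single class of this toy classful qdisc */
    int queued;
};

/* Leaf qdisc that really queues packets (stand-in for pfifo). */
static int pfifo_enqueue(struct sk_buff *skb, struct Qdisc *sch)
{
    (void)skb;
    sch->queued++;
    return 0;
}

/* Classful parent: hands every packet to the class's child qdisc, the way
 * htb_enqueue() reaches qdisc_enqueue() on whatever was grafted there. */
static int classful_enqueue(struct sk_buff *skb, struct Qdisc *sch)
{
    return sch->child->enqueue(skb, sch->child); /* NULL call if child is noqueue */
}

static const struct Qdisc_ops pfifo_ops    = { "pfifo",    pfifo_enqueue };
static const struct Qdisc_ops noqueue_ops  = { "noqueue",  NULL };
static const struct Qdisc_ops classful_ops = { "classful", classful_enqueue };

static void qdisc_init(struct Qdisc *q, const struct Qdisc_ops *ops)
{
    memset(q, 0, sizeof(*q));
    q->ops = ops;
    q->enqueue = ops->enqueue;
}

/* Unpatched behaviour: graft whatever the caller supplies. */
static int graft_vulnerable(struct Qdisc *parent, struct Qdisc *new)
{
    parent->child = new;
    return 0;
}

/* Patched behaviour, modelled on the upstream fix: refuse noqueue under a
 * class, because only a root noqueue is special-cased by the transmit path. */
static int graft_fixed(struct Qdisc *parent, struct Qdisc *new)
{
    if (new && new->ops == &noqueue_ops)
        return -EINVAL;
    parent->child = new;
    return 0;
}

/* Would the transmit path call a NULL pointer with this tree? 1 = safe. */
static int xmit_is_safe(const struct Qdisc *root)
{
    return root->child != NULL && root->child->enqueue != NULL;
}

/* Build root -> child with the given graft policy; returns the graft result. */
static int setup(struct Qdisc *root, struct Qdisc *child,
                 const struct Qdisc_ops *child_ops,
                 int (*graft)(struct Qdisc *, struct Qdisc *))
{
    qdisc_init(root, &classful_ops);
    qdisc_init(child, child_ops);
    return graft(root, child);
}

int main(void)
{
    struct Qdisc root, child;
    struct sk_buff skb = { "constructed packet" };

    /* Unpatched: the graft succeeds and the first packet would call NULL. */
    setup(&root, &child, &noqueue_ops, graft_vulnerable);
    printf("vulnerable graft accepted; xmit safe? %d\n", xmit_is_safe(&root));

    /* Patched: the same configuration is rejected at graft time. */
    int err = setup(&root, &child, &noqueue_ops, graft_fixed);
    printf("fixed graft of noqueue: %d (%s)\n", err, strerror(-err));

    /* A real leaf qdisc still grafts and carries traffic. */
    setup(&root, &child, &pfifo_ops, graft_fixed);
    root.enqueue(&skb, &root);
    printf("pfifo child queued %d packet(s)\n", child.queued);
    return 0;
}
```

The model never calls the NULL pointer; xmit_is_safe reports what the transmit path would do, which is the property the graft-time check has to guarantee. Note that the fix rejects the configuration at graft time instead of adding a NULL check to every enqueue path, keeping the hot path untouched.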

When is this bug exploitable?

An attacker triggers the bug by asking the traffic control subsystem, through a combination of "tc qdisc" and "tc class" commands, to build a configuration in which a class of a classful qdisc is given a child qdisc that cannot enqueue packets; the next packet routed through that class makes the kernel call a NULL function pointer. These commands need CAP_NET_ADMIN over the device's network namespace. An otherwise unprivileged user obtains that capability by creating a user namespace together with a network namespace, on systems that allow unprivileged user namespaces (the default in many distributions), and operating on a device inside it such as the loopback interface. Unprivileged users who can reach the commands this way can therefore cause a denial of service that crashes the whole system, not just their namespace.

Original Sources

- Linux Kernel Mailing List: https://lore.kernel.org/lkml/
- Linux Kernel Git Repository: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ (the upstream fix is the commit titled "net: sched: disallow noqueue for qdisc classes")

Exploit Details

While the vulnerability lies within the kernel source code, exploitation requires a specific sequence of traffic control commands. The exact sequence is not divulged in this post to reduce the likelihood of malicious activity. However, with the right combination of "tc qdisc" and "tc class" commands followed by a single packet through the affected class, an attacker can crash the system with a crafted traffic control configuration; no memory corruption or information leak is involved, and the impact is limited to denial of service.

Mitigation and Recommendations

The issue was fixed upstream in Linux kernel version 6.1.6, and the fix was also backported to older stable series, so a distribution kernel may carry it under a lower version number; check your distribution's advisory for CVE-2022-47929 rather than relying on "uname -r" alone. Users should ensure their systems run a patched kernel. Where an update cannot be applied immediately, disabling unprivileged user namespaces (for example by setting the user.max_user_namespaces sysctl to 0, or the distribution-specific kernel.unprivileged_userns_clone=0 where it exists) removes the path by which a local unprivileged user gains CAP_NET_ADMIN over a network namespace; it does not protect against users who legitimately hold CAP_NET_ADMIN. System administrators should also watch the console log, pstore or kdump output for a "BUG: kernel NULL pointer dereference" oops with traffic control functions in the backtrace, which is what a triggered instance looks like, and apply security patches as they become available.

Conclusion

CVE-2022-47929 is a significant vulnerability in the Linux kernel's traffic control subsystem that allows an unprivileged user to cause a denial of service through a system crash. By updating to a kernel that contains the fix (6.1.6 or later upstream, or a distribution kernel with the backport) and restricting unprivileged user namespaces where the update must wait, Linux users can mitigate the risks associated with this flaw.

Timeline

Published on: 01/17/2023 21:15:00 UTC
Last modified on: 03/03/2023 01:15:00 UTC