A newly identified vulnerability in the Linux kernel, CVE-2023-3611, highlights an out-of-bounds write issue in the net/sched: sch_qfq component. This security flaw can be exploited by an attacker to achieve local privilege escalation by taking advantage of an unpatched Linux system.

Details

The core issue lies in the qfq_change_agg() function located within the net/sched/sch_qfq.c source file. The function allows an out-of-bounds write to take place when it updates the 'lmax' value without performing the necessary bounds checks in accordance with the packet sizes.

Here's a code snippet that demonstrates the vulnerability

void qfq_change_agg(struct qfq_sched *q, struct qfq_group *grp,
struct qfq_agg *agg, unsigned long mask)
{
...
            unsigned lmax = (unsigned)__fls(avg_ipg * agg->agg_bytes) >> 1;
            ...
            if (lmax > agg->agg_lmax)
                agg->agg_lmax = lmax;
...
}

The 'lmax' value is assigned a new value based on the average inter-packet gap (avg_ipg) and the number of bytes in the aggregator (agg_bytes). However, there is no adequate bound-checking in the qfq_change_agg() function, which may lead to out-of-bounds write vulnerabilities.

Kernel Source File

https://github.com/torvalds/linux/blob/master/net/sched/sch_qfq.c

Commit with the Fix

https://github.com/torvalds/linux/commit/3e337087c3b5805feb8a46ba622a962880b5d64

Exploit Details

An attacker with low privileges could exploit this vulnerability by sending crafted packets that trigger an out-of-bounds write in the Linux kernel's memory. This could potentially lead to local privilege escalation, allowing the attacker to gain unauthorized access or execute arbitrary code on the affected system, compromising the entire system's security.

Recommendations

Thankfully, the Linux kernel's maintainers are quick to fix vulnerabilities that can compromise system security. To address the CVE-2023-3611 vulnerability, it is recommended to upgrade to a kernel version that has the associated patch in place.

The specific commit that fixes this issue is 3e337087c3b5805feb8a46ba622a962880b5d64, so users are encouraged to upgrade their kernel past this commit or apply the patch themselves.

Conclusion

CVE-2023-3611 is a critical out-of-bounds write vulnerability within the Linux kernel's net/sched: sch_qfq component, which can lead to local privilege escalation. Users running a vulnerable Linux kernel are advised to upgrade their kernel version or apply the patch from commit 3e337087c3b5805feb8a46ba622a962880b5d64 to mitigate the risk associated with this vulnerability.

Timeline

Published on: 07/21/2023 21:15:00 UTC
Last modified on: 08/19/2023 18:17:00 UTC