A recently disclosed use-after-free vulnerability (CVE-2023-4206) in the Linux kernel's cls_route traffic classifier (net/sched/cls_route.c) can be used for local privilege escalation: a local user who can configure tc filters, which unprivileged user namespaces make possible on many distributions, can leave a live filter pointing at a freed qdisc class. In this post we analyze the root cause of the bug and describe how to mitigate it, chiefly by upgrading to a kernel that includes commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.
Background
The vulnerability stems from the way route4_change(), the handler that adds or replaces a route filter, is implemented. Every filter carries a struct tcf_result whose class member records the qdisc class the filter steers matching packets to. The qdisc keeps a per-class filter_cnt: tcf_bind_filter() increments it when a filter is bound to the class, tcf_unbind_filter() decrements it, and the qdisc refuses to delete a class (returning -EBUSY) while filter_cnt is non-zero. When route4_change() is called on an existing filter it allocates a new filter instance and copies the entire tcf_result from the old one, so the new filter inherits the class pointer without a matching tcf_bind_filter() call; the new filter is bound only if the update request carries a TCA_ROUTE4_CLASSID attribute. On the success path, tcf_unbind_filter() is then always called on the old instance. If the update did not name a class, filter_cnt of the still-referenced class drops to zero while the new filter keeps pointing at it, the class can now be deleted, and the next packet that matches the filter dereferences the freed class: a use-after-free.
Here is a condensed version of route4_change() as it stood before the fix, keeping only the lines relevant to the issue:

static int route4_change(struct net *net, struct sk_buff *in_skb,
			 struct tcf_proto *tp, unsigned long base, u32 handle,
			 struct nlattr **tca, void **arg, u32 flags,
			 struct netlink_ext_ack *extack)
{
	struct route4_filter *fold = *arg;	/* existing filter when this is an update, else NULL */
	struct route4_filter *f;
	bool new;
	...
	f = kzalloc(sizeof(struct route4_filter), GFP_KERNEL);
	...
	new = true;
	if (fold) {
		f->id = fold->id;
		f->iif = fold->iif;
		f->res = fold->res;	/* whole tcf_result copied: f->res.class now points at the old filter's class, but no tcf_bind_filter() is done for f; this is the line the fix removes */
		f->handle = fold->handle;
		...
		new = false;
	}

	/* route4_set_parms() calls tcf_bind_filter(tp, &f->res, base) only when the request carries TCA_ROUTE4_CLASSID */
	err = route4_set_parms(net, tp, base, f, handle, head, tb,
			       tca[TCA_RATE], new, flags, extack);
	...
	*arg = f;
	if (fold) {
		tcf_unbind_filter(tp, &fold->res);	/* always runs on update: the class's filter_cnt drops although f->res still references it */
		tcf_exts_get_net(&fold->exts);
		tcf_queue_work(&fold->rwork, route4_delete_filter_work);
	}
	return 0;
}
Vulnerability Exploitation Details
route4_change() is not reached by packets; it is the RTM_NEWTFILTER handler for route filters and is driven through the tc netlink interface (tc filter add/change), which requires CAP_NET_ADMIN over the network namespace. On systems that allow unprivileged user namespaces, an ordinary local user can create a namespace in which they hold that capability, so the bug is reachable without prior privileges under common distribution defaults. The trigger sequence follows directly from the root cause: bind a route filter to a class, replace that filter with a request that carries no classid so that the new filter inherits the class pointer while the old one is unbound, delete the now apparently unreferenced class (the qdisc no longer refuses with -EBUSY), then send traffic through the qdisc that matches the filter so that the freed class is dereferenced during classification. Turning that dangling pointer into arbitrary code execution with elevated privileges is the usual kernel heap-grooming work and is outside the scope of this post.
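The refcount mechanics described in the Background section and the trigger sequence above, reduced to a userland model. This is an added example, not kernel code and not part of the original post: the names tcf_result, filter_cnt, tcf_bind_filter and tcf_unbind_filter mirror the kernel's, but the structures are cut down to what the bug needs, kfree() is replaced by a 'freed' flag so the dangling pointer can be inspected safely, and route4_change() takes a copy_res switch so the pre-fix and fixed behaviour can be run side by side.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of a qdisc class. In the kernel filter_cnt lives in the qdisc's own
 * class struct (e.g. struct htb_class) and is touched only through the
 * bind_tcf/unbind_tcf class ops; 'freed' stands in for kfree(). */
struct tc_class {
	unsigned int classid;
	unsigned int filter_cnt;
	bool freed;
};

struct tcf_result {
	struct tc_class *class;	/* the kernel stores this as an unsigned long */
	unsigned int classid;
};

struct route4_filter {
	unsigned int handle;
	struct tcf_result res;
};

static void tcf_bind_filter(struct tcf_result *r, struct tc_class *cl)
{
	r->class = cl;
	r->classid = cl->classid;
	cl->filter_cnt++;
}

static void tcf_unbind_filter(struct tcf_result *r)
{
	if (r->class)
		r->class->filter_cnt--;
}

/* 'tc class del': refused with -EBUSY while any filter is still bound. */
static int class_delete(struct tc_class *cl)
{
	if (cl->filter_cnt)
		return -EBUSY;
	cl->freed = true;
	return 0;
}

/* Update path of route4_change(). copy_res selects the pre-fix behaviour
 * (f->res = fold->res) or the fixed one (no copy). bind_to is the class named
 * by TCA_ROUTE4_CLASSID in the request, NULL when the request carries none. */
static struct route4_filter *route4_change(struct route4_filter *fold,
					   struct tc_class *bind_to, bool copy_res)
{
	struct route4_filter *f = calloc(1, sizeof(*f));

	if (!f)
		abort();
	if (fold) {
		f->handle = fold->handle;
		if (copy_res)
			f->res = fold->res;	/* the line the fix removes */
	}
	if (bind_to)
		tcf_bind_filter(&f->res, bind_to);	/* what route4_set_parms() does */
	if (fold) {
		tcf_unbind_filter(&fold->res);	/* success path always unbinds fold */
		free(fold);
	}
	return f;
}

struct outcome {
	unsigned int cnt_after_update;	/* class filter_cnt once the change completes */
	int del_rc;			/* result of 'tc class del' */
	bool dangling;			/* live filter still points at a freed class */
};

/* add (bound to class 1:1) -> change -> class del -> inspect where a matching
 * packet would now be steered. rebind=true means the change request names
 * classid 1:1 again; rebind=false means it carries no classid at all. */
static struct outcome run_update(bool vulnerable, bool rebind)
{
	struct tc_class cl = { .classid = 0x10001, .filter_cnt = 0, .freed = false };
	struct outcome o;
	struct route4_filter *f;

	f = route4_change(NULL, &cl, vulnerable);		/* tc filter add ... classid 1:1 */
	f = route4_change(f, rebind ? &cl : NULL, vulnerable);	/* tc filter change ... */
	o.cnt_after_update = cl.filter_cnt;
	o.del_rc = class_delete(&cl);				/* tc class del ... classid 1:1 */
	o.dangling = f->res.class != NULL && f->res.class->freed;
	free(f);
	return o;
}

int main(void)
{
	struct outcome v = run_update(true, false), x = run_update(false, false);

	printf("vulnerable: filter_cnt=%u del_rc=%d dangling=%d\n",
	       v.cnt_after_update, v.del_rc, v.dangling);
	printf("fixed:      filter_cnt=%u del_rc=%d dangling=%d\n",
	       x.cnt_after_update, x.del_rc, x.dangling);
	return 0;
}
```

With copy_res set, an update without a classid leaves filter_cnt at zero while the new filter still holds the class pointer, so the delete succeeds and the filter dangles; with the copy removed the new filter simply has no class until the request binds one. Running the same model with rebind set shows why an update that does name a class was never affected: the bind on the new filter balances the unbind of the old one and the delete is refused with -EBUSY.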
Mitigation
We highly recommend upgrading to a kernel that includes commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8 ("net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free"), or a stable kernel that carries its backport. The fix removes the copy of tcf_result when an existing filter is updated, so a new filter instance only references a class it has bound itself and the filter_cnt accounting stays balanced; note that after the fix an update request that carries no classid leaves the filter unbound rather than silently inheriting the old class. Until you can boot a fixed kernel, two interim mitigations reduce exposure: prevent the cls_route module from being loaded if you do not use route filters (it is normally built as a module and autoloaded on first use), and disable unprivileged user namespaces so that local users cannot obtain CAP_NET_ADMIN in a namespace of their own, which also removes the trigger path for other net/sched bugs with the same reachability.
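The two interim mitigations above, as a check-and-apply script. This is an added example and not part of the original post: it assumes a Linux host with /proc mounted, the kernel's own module name cls_route, and the upstream sysctl user.max_user_namespaces plus the Debian/Ubuntu-specific kernel.unprivileged_userns_clone; the file name /etc/modprobe.d/cve-2023-4206.conf is an arbitrary choice.

```shell
#!/bin/sh
# Interim mitigation checks for CVE-2023-4206 (added example, not from the original post).

# Is the cls_route classifier module currently loaded? Prints loaded /
# not-loaded / unknown. "not-loaded" does not rule out a kernel with
# CONFIG_NET_CLS_ROUTE4=y (built in); check modules.builtin for that.
cls_route_state() {
	if [ ! -r /proc/modules ]; then
		echo unknown
	elif grep -q '^cls_route ' /proc/modules; then
		echo loaded
	else
		echo not-loaded
	fi
}

# Can an unprivileged user create a user namespace (and so hold CAP_NET_ADMIN
# over a network namespace of their own)? Prints allowed / blocked / unknown.
userns_state() {
	if [ -r /proc/sys/kernel/unprivileged_userns_clone ] &&
	   [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = 0 ]; then
		echo blocked
	elif [ -r /proc/sys/user/max_user_namespaces ]; then
		if [ "$(cat /proc/sys/user/max_user_namespaces)" = 0 ]; then
			echo blocked
		else
			echo allowed
		fi
	else
		echo unknown
	fi
}

# Apply both mitigations (needs root). The "install ... /bin/false" line makes
# modprobe refuse the module, so 'tc filter add ... route ...' can no longer
# autoload it; rmmod unloads it if it is present and unused.
apply_mitigations() {
	printf 'install cls_route /bin/false\n' > /etc/modprobe.d/cve-2023-4206.conf
	rmmod cls_route 2>/dev/null || true
	sysctl -w user.max_user_namespaces=0
}

# Usage: report the current state; call apply_mitigations only when you have
# confirmed nothing on the host needs route filters or user namespaces.
echo "cls_route: $(cls_route_state)  unprivileged userns: $(userns_state)"
```

Setting user.max_user_namespaces to 0 is not free: container runtimes, some browsers' sandboxes and tools such as rootless podman rely on user namespaces, so confirm the host can tolerate it before applying, and treat both measures as stopgaps until the fixed kernel is running.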
Conclusion
The CVE-2023-4206 use-after-free in the Linux kernel's cls_route classifier is a noteworthy security concern because it hands a local user a dangling pointer to a freed qdisc class, the usual starting point for a privilege-escalation exploit. By understanding the root cause, an unbalanced tcf_bind_filter()/tcf_unbind_filter() pair caused by copying tcf_result on filter update, and applying the recommended mitigation of upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8, you can protect your systems against this threat. Keep up with kernel security updates and restrict unprivileged access to the tc configuration interface where your workloads allow it.
Timeline
Published on: 09/06/2023 14:15:11 UTC
Last modified on: 09/11/2023 17:57:25 UTC