CVE CyberSecurity Database News

CVE-2023-4206: Addressing the Use-After-Free Vulnerability in the Linux Kernel's net/sched: cls_route Component

Poster -

A recently discovered use-after-free vulnerability (CVE-2023-4206) in the Linux kernel's net/sched: cls_route component can result in local privilege escalation. By exploiting this vulnerability, an attacker could potentially gain elevated privileges on a targeted system. In this post, we will analyze the root cause of this vulnerability and suggest ways to mitigate it, including upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.

Background

The vulnerability stems from the way route4_change() is implemented in the net/sched component. Specifically, when route4_change() is called on an existing filter, the entire tcf_result structure is copied into the new instance of the filter. This triggers a problem when updating a filter that is bound to a class, since tcf_unbind_filter() is inevitably called on the old instance in the success path. Consequently, the filter_cnt of the still-referenced class is reduced, allowing the class to be deleted and leading to a use-after-free.

Here's a simplified version of the relevant code snippet that demonstrates the issue

static int route4_change(struct net *net, struct sk_buff *in_skb, ...
{
    struct tcf_block *block;
    ...
    // tcf_result struct is copied into the new instance of filter
    old_r = rcu_dereference_protected(old_f->res, lockdep_is_held(&block->cb_lock));
    new_u_res = kzalloc(sizeof(*new_u_res), GFP_KERNEL);
    memcpy(new_u_res, old_r, sizeof(*old_r));
    ...
    // tcf_unbind_filter() is called on the old instance
    tcf_unbind_filter(tp, &old_r->res);
    ...
}

Vulnerability Exploitation Details

An attacker who has gained local access to a vulnerable system could potentially exploit this use-after-free error by creating a crafted packet in such a way that route4_change() is invoked on an existing filter. This, in turn, would cause the filter_cnt of the still-referenced class to be reduced, and the class to be deleted. The attacker could then use the resulting use-after-free situation to execute arbitrary code with elevated privileges.

Mitigation

We highly recommend upgrading your system past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8 to address this vulnerability. This specific commit contains a patch that properly manages the class instances and prevents the use-after-free error. You can find additional information in the following references:

Conclusion

The CVE-2023-4206 use-after-free vulnerability in the Linux kernel's net/sched: cls_route component is a noteworthy security concern, as it can potentially lead to local privilege escalation. By understanding the root cause of this vulnerability and applying the recommended mitigation measures, such as upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8, you can help to protect your system against this threat. Make sure to stay informed about the latest security updates and follow best practices to maintain a secure environment.

Timeline

Published on: 09/06/2023 14:15:11 UTC
Last modified on: 09/11/2023 17:57:25 UTC