[LTS 8.8] net: sched: sch_qfq: Fix UAF in qfq_dequeue()

[pvts-mat]

CVE-2023-4921
VULN-6730

Problem

https://www.cve.org/CVERecord?id=CVE-2023-4921

A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation. When the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue()

Solution

A single commit was identified as a fix for this issue: 8fc134fee27f2263988ae38920bc03da416b03d8

kABI check: passed

python3 /mnt/code/kernel-dist-git/SOURCES/check-kabi \
        -k /mnt/code/kernel-dist-git/SOURCES/Module.kabi_$(uname -m) \
        -s /mnt/build_files/kernel-src-tree-ciqlts8_8-CVE-2023-4921/Module.symvers; echo $?

0

kernel-dist-git state:

Switched to branch 'el-8.8'
Your branch is up to date with 'origin/el-8.8'.

Boot test: passed

See Specific tests for implied boot test passing.

Kselftests: passed relative

Methodology

A mix of kernel-selftests-internal and source-compiled tests were used:

• kernel-selftests-internal: bpf tests, except:
  • bpf:test_kmod.sh: takes very long time to finish and always fails anyway,
  • bpf:test_progs: unstable, can crash the machine,
  • bpf:test_progs-no_alu32: unstable, can crash the machine.
• source-compiled: all the rest.

Coverage (including tests skipped during execution)

android, bpf, breakpoints, capabilities, cgroup, core, cpu-hotplug, cpufreq, drivers/net/bonding, drivers/net/team, efivarfs, exec, filesystems, firmware, fpu, ftrace, futex, gpio, intel_pstate, ipc, kcmp, kvm, lib, livepatch, membarrier, memfd, memory-hotplug, mount, mqueue, net, net/forwarding, net/mptcp, netfilter, nsfs, proc, pstore, ptrace, rseq, rtc, sgx, sigaltstack, size, splice, static_keys, sync, sysctl, tc-testing, tdx, timens, timers, tpm2, user, vm, x86, zram

Reference ciqlts8_8 (683666ad1a6d7754125126d580f2994b4e35b3cd)

Four test runs were conducted on the reference kernel.
kselftests–mixed–ciqlts8_8–run1.log
kselftests–mixed–ciqlts8_8–run2.log
kselftests–mixed–ciqlts8_8–run3.log
kselftests–mixed–ciqlts8_8–run4.log

Patch

A single rest run was conducted on the patched kernel.
kselftests–mixed–ciqlts8_8-CVE-2023-4921.log

Comparison

Overview of the results, reduced to the differences:

ktests.xsh  table --where "Summary = 'diff'" kselftests*.log

Column    File
--------  ----------------------------------------------
Status0   kselftests--mixed--ciqlts8_8--run1.log
Status1   kselftests--mixed--ciqlts8_8--run2.log
Status2   kselftests--mixed--ciqlts8_8--run3.log
Status3   kselftests--mixed--ciqlts8_8--run4.log
Status4   kselftests--mixed--ciqlts8_8-CVE-2023-4921.log

TestCase                   Status0  Status1  Status2  Status3  Status4  Summary
bpf:test_xdp_veth.sh       skip     skip     pass     skip     skip     diff
net/mptcp:simult_flows.sh  pass     fail     pass     pass     pass     diff
net:gro.sh                 pass     pass     fail     pass     pass     diff
net:xfrm_policy.sh         fail     fail     pass     fail     fail     diff

No differences in results occured which weren't present in the reference test set already.

New unreliable tests were identified:

• bpf:test_xdp_veth.sh: For the rpm selftests package. The test may be run and pass

  # selftests: bpf: test_xdp_veth.sh
  # PING 10.1.1.33 (10.1.1.33) 56(84) bytes of data.
  # 64 bytes from 10.1.1.33: icmp_seq=1 ttl=64 time=0.559 ms
  # 
  # --- 10.1.1.33 ping statistics ---
  # 1 packets transmitted, 1 received, 0% packet loss, time 0ms
  # rtt min/avg/max/mdev = 0.559/0.559/0.559/0.000 ms
  # selftests: xdp_veth [PASS]
  ok 19 selftests: bpf: test_xdp_veth.sh
  

  or it may be skipped

  # selftests: bpf: test_xdp_veth.sh
  # Cannot create namespace file "/var/run/netns/ns3": File exists
  # selftests: xdp_veth [SKIP]
  ok 19 selftests: bpf: test_xdp_veth.sh # SKIP
  

  This seems to be related to the net/mptcp:mptcp_connect.sh test, which sometimes creates the ns3

  # selftests: net/mptcp: mptcp_connect.sh
  # INFO: set ns3-67a772bd-2iZfQl dev ns3eth2: ethtool -K  gso off gro off
  # INFO: set ns4-67a772bd-2iZfQl dev ns4eth3: ethtool -K  gso off gro off
  # Created /tmp/tmp.8ngPQFHWq5 (size 7183388	/tmp/tmp.8ngPQFHWq5) containing data sent by client
  # Created /tmp/tmp.aNLEp7GmM5 (size 2554908	/tmp/tmp.aNLEp7GmM5) containing data sent by server
  ...
  

  and sometimes doesn't

  # selftests: net/mptcp: mptcp_connect.sh
  # INFO: set ns4-67a77e0c-d8qLil dev ns4eth3: ethtool -K tso off gso off
  # Created /tmp/tmp.T3DnUSNyRd (size 4120604	/tmp/tmp.T3DnUSNyRd) containing data sent by client
  # Created /tmp/tmp.mveJmQppTp (size 435228	/tmp/tmp.mveJmQppTp) containing data sent by server
  ...
  

• net/mptcp:mptcp_connect.sh: For the source-compiled tests set. See above.

Specific tests: passed

Bug replication

The bug can be replicated with the following commands, as mention in the commit's message:

tc qdisc add dev lo root handle 1: qfq
tc class add dev lo parent 1: classid 1:1 qfq weight 1 maxpkt 512
tc qdisc add dev lo parent 1:1 handle 2: plug
tc filter add dev lo parent 1: basic classid 1:1
ping -c1 127.0.0.1

The tests were performed on the referential and patched kernel.

Prerequisites

The tc commands above require the following kernel options to be enabled: CONFIG_NET_SCHED, CONFIG_NET_SCH_INGRESS, CONFIG_NET_SCH_QFQ, CONFIG_NET_SCH_PLUG, CONFIG_NET_CLS_BASIC.

All of them are enabled by default in the configs/kernel-4.18.0-x86_64.config configuration file for the tested x86_64 platform.

CONFIG_NET_SCHED=y
CONFIG_NET_SCH_INGRESS=m
CONFIG_NET_SCH_QFQ=m
CONFIG_NET_SCH_PLUG=m
CONFIG_NET_CLS_BASIC=m

Reference ciqlts8_8 (683666ad1a6d7754125126d580f2994b4e35b3cd)

Bug replicated successfully. Kernel crashed and machine automatically rebooted.

[root@ciqlts8_8 pvts]# tc qdisc add dev lo root handle 1: qfq
tc qdisc add dev lo root handle 1: qfq
[root@ciqlts8_8 pvts]# tc class add dev lo parent 1: classid 1:1 qfq weight 1 maxpkt 512
xpkt 512
[root@ciqlts8_8 pvts]# tc qdisc add dev lo parent 1:1 handle 2: plug
tc qdisc add dev lo parent 1:1 handle 2: plug
[root@ciqlts8_8 pvts]# tc filter add dev lo parent 1: basic classid 1:1
tc filter add dev lo parent 1: basic classid 1:1
[root@ciqlts8_8 pvts]# ping -c1 127.0.0.1
ping -c1 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
[   30.846825] ------------[ cut here ]------------
[   30.849050] kernel BUG at mm/slub.c:376!
[   30.850468] invalid opcode: 0000 [#1] SMP PTI
[   30.851962] CPU: 2 PID: 1553 Comm: ping Kdump: loaded Not tainted 4.18.0-ciqlts8_8 #1
[   30.854641] Hardware name: Red Hat KVM/RHEL, BIOS 1.16.3-2.el9_5.1 04/01/2014
[   30.857114] RIP: 0010:set_freepointer.part.57+0x0/0x10
[   30.858983] Code: 83 ef 70 e9 22 6a fa ff 66 90 0f 1f 44 00 00 41 54 55 53 48 8b 06 48 85 c0 0f 85 56 86 00 00 5b 5d 41 5c e9 e2 ce ad 00 66 90 <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 41 57 41 56 41 55
[   30.863746] RSP: 0018:ffffbbd94326cdb0 EFLAGS: 00010246
[   30.865158] RAX: ffffa08780f31200 RBX: ffffa087a87d8800 RCX: ffffa08780f31300
[   30.866906] RDX: 000000000000063e RSI: 0000000000000000 RDI: ffffa08740005180
[   30.868644] RBP: ffffe8164503cc00 R08: 0000000080000000 R09: ffffdbd93fd1b880
[   30.870065] R10: 0000000000000228 R11: 0000000000000228 R12: ffffa08740005180
[   30.871528] R13: ffffa08780f31200 R14: ffffffffb8e11fd5 R15: 0000000000000001
[   30.872931] FS:  00007f3bdf377480(0000) GS:ffffa08e9f900000(0000) knlGS:0000000000000000
[   30.874482] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   30.875579] CR2: 00007ffdc419d000 CR3: 000000011ac66003 CR4: 0000000000370ee0
[   30.876865] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   30.878090] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   30.879282] Call Trace:
[   30.879718]  <IRQ>
[   30.880056]  kfree+0x238/0x250
[   30.880583]  ? __netif_receive_skb_core+0x145/0xd10
[   30.881393]  kfree_skb_reason+0x45/0x110
[   30.882049]  __netif_receive_skb_core+0x145/0xd10
[   30.882843]  ? loopback_xmit+0xd8/0x130
[   30.883586]  process_backlog+0xaa/0x170
[   30.884236]  __napi_poll+0x2d/0x130
[   30.884829]  net_rx_action+0x252/0x320
[   30.885459]  __do_softirq+0xdc/0x2cf
[   30.886069]  do_softirq_own_stack+0x2a/0x40
[   30.886754]  </IRQ>
[   30.887102]  do_softirq.part.16+0x45/0x50
[   30.887769]  __local_bh_enable_ip+0x4f/0x60
[   30.888459]  ip_finish_output2+0x1a6/0x430
[   30.889140]  ip_output+0x70/0xf0
[   30.889676]  ? __ip_finish_output+0x1d0/0x1d0
[   30.890389]  ip_send_skb+0x15/0x40
[   30.890977]  ping_v4_sendmsg+0x5bf/0x780
[   30.891710]  ? sock_has_perm+0x80/0xa0
[   30.892404]  ? release_sock+0x43/0x90
[   30.893023]  ? sock_sendmsg+0x42/0x60
[   30.893641]  sock_sendmsg+0x42/0x60
[   30.894208]  __sys_sendto+0xee/0x160
[   30.894795]  ? syscall_trace_enter+0x1ff/0x2d0
[   30.895521]  ? ksys_ioctl+0x64/0xa0
[   30.896101]  __x64_sys_sendto+0x24/0x30
[   30.896740]  do_syscall_64+0x5b/0x1b0
[   30.897340]  entry_SYSCALL_64_after_hwframe+0x61/0xc6
[   30.898145] RIP: 0033:0x7f3bde014b4b
[   30.898724] Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 f5 4b 29 00 41 89 ca 8b 00 85 c0 75 14 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 75 c3 0f 1f 40 00 41 57 4d 89 c7 41 56 41 89
[   30.901652] RSP: 002b:00007ffdc4096a68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[   30.902842] RAX: ffffffffffffffda RBX: 0000559edafb6700 RCX: 00007f3bde014b4b
[   30.903967] RDX: 0000000000000040 RSI: 0000559edafb6700 RDI: 0000000000000003
[   30.905093] RBP: 0000000000000040 R08: 0000559edafb3500 R09: 0000000000000010
[   30.906224] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdc4098190
[   30.907339] R13: 00007ffdc4096a70 R14: 00007ffdc4096b60 R15: 0000559edafb20a0
[   30.908450] Modules linked in: cls_basic sch_plug sch_qfq vfat fat intel_rapl_msr intel_rapl_common intel_uncore_frequency_common isst_if_common nfit libnvdimm kvm_intel iTCO_wdt iTCO_vendor_support kvm virtio_gpu irqbypass drm_shmem_helper drm_kms_helper rapl syscopyarea sysfillrect sysimgblt fb_sys_fops joydev pcspkr drm virtio_balloon i2c_i801 lpc_ich xfs libcrc32c sr_mod cdrom sg crct10dif_pclmul crc32_pclmul crc32c_intel virtio_net ahci ghash_clmulni_intel libahci serio_raw libata net_failover virtio_blk virtio_console failover virtiofs sunrpc dm_mirror dm_region_hash dm_log dm_mod fuse
[    0.000000] Linux version 4.18.0-ciqlts8_8 (pvts@ciqlts8_8) (gcc version 8.5.0 20210514 (Red Hat 8.5.0-18) (GCC)) #1 SMP Sun Feb 2 16:43:15 UTC 2025
[    0.000000] Command line: elfcorehdr=0x6f000000 BOOT_IMAGE=(hd0,gpt2)/vmlinuz-4.18.0-ciqlts8_8 ro console=ttyS0,115200n8 no_timer_check net.ifnames=0 irqpoll nr_cpus=1 reset_devices cgroup_disable=memory mce=off numa=off udev.children-max=2 panic=10 rootflags=nofail acpi_no_memhotplug transparent_hugepage=never nokaslr novmcoredd hest_disable disable_cpu_apicid=0 iTCO_wdt.pretimeout=0
...

Full log:
bug-replication–ciqlts8_8.log

Patch

Patch efficacy verified successfully. Repeating the steps doesn't result in a crash and the machine doesn't reboot.

Full log:
bug-replication–ciqlts8_8-CVE-2023-4921.log

A warning can be observed

qfq_dequeue: non-workconserving leaf

issued at sch_qfq.c. The work-conserving queue discipline is a qdisc which never leaves the outbound interface in idle unless the queue is empty, while non-work-conserving qdiscs may delay packets, for example to shape the traffic¹. The plug qdisc, being the leaf in the hierarchical qdiscs configuration used, is non-work-conserving, as it is able to suspend the packet flow. Multiple types of qdiscs are apparently not designed to work with non-work-conserving child qdiscs and issue similar warnings on skb == NULL condition: ets, hfsc, htb, drr. See also the message in b00355db3f88d96810a60011a30cfb2c3469409d

Patrick McHardy <[email protected]> suggested:
> How about making this flag and the warning message (in a out-of-line
> function) globally available? Other qdiscs (f.i. HFSC) can't deal with
> inner non-work-conserving qdiscs as well.

and in 6d25d1dc76bf5943a5c1f4bb74d66d5eac58eb77, which includes qfq to the group above

A helper function for printing non-work-conserving alarms is added in
commit b00355db3f88 ("pkt_sched: sch_hfsc: sch_htb: Add non-work-conserving
 warning handler."). In this commit, use qdisc_warn_nonwc() instead of
WARN_ONCE() to handle the non-work-conserving warning in qfq Qdisc.

The point is: the warning is related to the way the qdisc hierarchy has been defined in the bug replication script and not to the introduced changes.

Footnotes

¹ https://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.qdisc.terminology.html

[PlaidCat]

Starting github runners too

[gvrose8192]

LGTM - Thanks!

[bmastbergen]

🥌