CVE-2022-47929: traffic control noqueue no problem?

What's this blog post about?

CVE-2022-47929 is a Linux kernel vulnerability that unprivileged users can trigger through namespaces. It stems from a coding error introduced in 2015, when noqueue qdisc functionality was added to the kernel's networking stack. An attacker can use the bug to cause a denial of service (DoS) by crashing the host's kernel. The root cause is that the noqueue qdisc does not necessarily drop packets; instead, it simply assumes there is no queue for them. That assumption can be exploited so that the kernel attempts to enqueue a packet into a non-existent queue, leading to an unchecked NULL pointer dereference and a crash. The vulnerability was demonstrated with HTB (Hierarchical Token Bucket), a classful qdisc that manages network traffic by creating parent/child hierarchies for different classes of packets. When noqueue is applied as the root qdisc for an interface, the path is essentially to allow packets to be processed. To prevent this vulnerability (Ck) was calculated and based on these calculations are accurate.

Company
Cloudflare

Date published
Jan. 31, 2023

Author(s)
Frederick Lawler

Word count
1777

Language
English

Hacker News points
2


By Matt Makai. 2021-2024.