CVE-2023-31436 Overview
CVE-2023-31436 is an out-of-bounds write vulnerability in the Linux kernel's Quick Fair Queueing (QFQ) network scheduler. The flaw exists in the qfq_change_class function within net/sched/sch_qfq.c, where insufficient validation of the lmax parameter allows it to exceed QFQ_MIN_LMAX, leading to memory corruption. This vulnerability affects Linux kernel versions prior to 6.2.13 and can be exploited by local attackers to achieve privilege escalation or cause system instability.
Critical Impact
Local attackers with limited privileges can exploit this out-of-bounds write vulnerability to corrupt kernel memory, potentially leading to privilege escalation, arbitrary code execution in kernel context, or denial of service conditions.
Affected Products
- Linux Kernel versions prior to 6.2.13
- Linux Kernel versions in 4.x, 5.x, and 6.x branches (prior to patched versions)
- Various Linux distributions including Debian (addressed in DSA-5402)
Discovery Timeline
- April 28, 2023 - CVE-2023-31436 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-31436
Vulnerability Analysis
The vulnerability resides in the QFQ (Quick Fair Queueing) packet scheduler, a kernel component responsible for managing network traffic queuing and scheduling. The flaw occurs in qfq_change_class(), which handles the configuration of QFQ classes through the traffic control (tc) subsystem.
The root issue is an improper bounds check on the lmax (maximum packet length) parameter. When a user configures a QFQ class without explicitly specifying TCA_QFQ_LMAX, the code falls back to using psched_mtu() to determine the maximum packet length. However, the original code only validated lmax when it was explicitly provided via netlink attributes, not when derived from the MTU default path.
This oversight means that if psched_mtu() returns a value outside the valid range (less than QFQ_MIN_LMAX or greater than 1 << QFQ_MTU_SHIFT), the unchecked value propagates into the scheduler's internal data structures, leading to out-of-bounds memory access in subsequent operations like qfq_activate_agg().
Root Cause
The vulnerability stems from CWE-787 (Out-of-bounds Write). The conditional validation logic placed the bounds check inside the if (tb[TCA_QFQ_LMAX]) block, meaning the check only executed when lmax was explicitly provided. When the default MTU path was taken via the else branch, no validation occurred. This allowed potentially invalid lmax values to be used in array index calculations, resulting in slab out-of-bounds writes in the kernel heap.
Attack Vector
Exploitation requires local access to the system with the ability to configure network traffic control settings. An attacker with CAP_NET_ADMIN capability or equivalent permissions can craft malicious netlink messages to the kernel's traffic control subsystem, specifying QFQ class parameters that trigger the vulnerable code path. The out-of-bounds write can corrupt adjacent kernel heap objects, potentially enabling:
- Kernel heap corruption leading to privilege escalation
- Arbitrary kernel memory modification
- Denial of service through kernel panic or system instability
// Security patch from net/sched/sch_qfq.c
// Source: https://github.com/torvalds/linux/commit/3037933448f60f9acb705997eae62013ecb81e0d
} else
weight = 1;
- if (tb[TCA_QFQ_LMAX]) {
+ if (tb[TCA_QFQ_LMAX])
lmax = nla_get_u32(tb[TCA_QFQ_LMAX]);
- if (lmax < QFQ_MIN_LMAX || lmax > (1UL << QFQ_MTU_SHIFT)) {
- pr_notice("qfq: invalid max length %u\n", lmax);
- return -EINVAL;
- }
- } else
+ else
lmax = psched_mtu(qdisc_dev(sch));
+ if (lmax < QFQ_MIN_LMAX || lmax > (1UL << QFQ_MTU_SHIFT)) {
+ pr_notice("qfq: invalid max length %u\n", lmax);
+ return -EINVAL;
+ }
+
inv_w = ONE_FP / weight;
weight = ONE_FP / inv_w;
Source: GitHub Linux Commit 3037933
Detection Methods for CVE-2023-31436
Indicators of Compromise
- Unexpected kernel crashes or oops messages referencing qfq_activate_agg or sch_qfq module
- Suspicious traffic control configuration attempts via tc commands targeting QFQ scheduler
- Kernel log entries showing "qfq: invalid max length" warnings
- Anomalous netlink socket activity from unprivileged processes attempting network scheduler modifications
Detection Strategies
- Monitor kernel logs for slab corruption warnings or out-of-bounds access messages related to network scheduling
- Implement auditd rules to track tc command execution and netlink socket operations
- Deploy kernel integrity monitoring to detect unauthorized modifications to traffic control configurations
- Use SentinelOne's kernel-level monitoring to detect exploitation attempts targeting the QFQ scheduler
Monitoring Recommendations
- Enable kernel KASAN (Kernel Address Sanitizer) in development environments to detect out-of-bounds memory access
- Configure syslog alerting for kernel oops and panic events involving network scheduler components
- Monitor for processes attempting to load or configure the sch_qfq kernel module
- Implement network namespace monitoring to detect privilege escalation attempts via traffic control manipulation
How to Mitigate CVE-2023-31436
Immediate Actions Required
- Update the Linux kernel to version 6.2.13 or later immediately
- Apply distribution-specific security patches (Debian DSA-5402, or equivalent for your distribution)
- If immediate patching is not possible, consider unloading the sch_qfq kernel module if QFQ scheduling is not required
- Review and restrict CAP_NET_ADMIN capability assignments to minimize the attack surface
Patch Information
The vulnerability was fixed in Linux kernel version 6.2.13. The patch (commit 3037933448f60f9acb705997eae62013ecb81e0d) restructures the validation logic to ensure lmax bounds checking occurs regardless of whether the value is explicitly provided or derived from the MTU default. Major Linux distributions have released corresponding security updates:
- Debian: Security Advisory DSA-5402
- Debian LTS: Announcement June 2023
- NetApp: Security Advisory NTAP-20230609-0001
- Kernel Live Patches are available via Packet Storm Security Notices for supported distributions
Workarounds
- Unload the sch_qfq module if QFQ packet scheduling is not required: modprobe -r sch_qfq
- Blacklist the sch_qfq module to prevent automatic loading by adding it to /etc/modprobe.d/blacklist.conf
- Restrict access to network namespaces and traffic control capabilities using Linux Security Modules (LSM)
- Implement container security policies to prevent CAP_NET_ADMIN capability assignment to untrusted workloads
# Configuration example - Disable QFQ scheduler module
# Unload the sch_qfq module if currently loaded
sudo modprobe -r sch_qfq
# Prevent automatic loading by blacklisting
echo "blacklist sch_qfq" | sudo tee /etc/modprobe.d/blacklist-qfq.conf
# Verify the module is not loaded
lsmod | grep sch_qfq
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
