CVE-2023-53733
Description
In the Linux kernel, the following vulnerability has been resolved:
net: sched: cls_u32: Undo tcf_bind_filter if u32_replace_hw_knode
When u32_replace_hw_knode fails, we need to undo the tcf_bind_filter operation done at u32_set_parms.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's cls_u32 classifier, a failure in u32_replace_hw_knode leaves a stale tcf_bind_filter reference, causing a use-after-free.
Vulnerability
In the Linux kernel's net/sched/cls_u32 classifier, when the function u32_replace_hw_knode fails, the code does not undo the tcf_bind_filter operation that was performed earlier in u32_set_parms. This leaves a stale reference to a filter that may have been freed, leading to a use-after-free vulnerability [1].
Exploitation
An attacker with the ability to add or modify cls_u32 filters (typically requiring CAP_NET_ADMIN) can trigger this bug by causing u32_replace_hw_knode to fail. This can be done, for example, by exhausting hardware offload resources or by providing invalid parameters that cause the hardware offload function to return an error. The failure path then skips the unbind, leaving a dangling pointer [2].
Impact
A local attacker with sufficient privileges can exploit this to cause a use-after-free, potentially leading to a kernel crash (denial of service) or, in some cases, arbitrary code execution in the kernel context. The vulnerability affects systems that use the cls_u32 classifier with hardware offload enabled [3].
Mitigation
The fix has been applied in the Linux kernel stable trees. Users should update to a kernel version containing the commit that adds the missing tcf_unbind_filter call in the error path of u32_replace_hw_knode. No workaround is available other than disabling hardware offload for cls_u32 or restricting access to the netlink socket.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
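The error-path pattern described above, as an added example that is not the kernel's code or the fix commit: a simplified user-space C model in which every struct and function name is hypothetical and the offload step is reduced to a flag. It shows that a failed offload leaves the bind counted on the class unless the error path undoes it.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model, not kernel code; all names are hypothetical. */
struct cls_class { int bound_filters; };   /* object a filter binds to */
struct knode { struct cls_class *res; };   /* filter node being installed */

static void bind_filter(struct knode *n, struct cls_class *c)
{
    n->res = c;
    c->bound_filters++;
}

static void unbind_filter(struct knode *n)
{
    n->res->bound_filters--;
    n->res = NULL;
}

/* Before: a failed offload step returns with the binding still in place. */
static int change_before(struct knode *n, struct cls_class *c, bool hw_ok)
{
    bind_filter(n, c);
    return hw_ok ? 0 : -1;             /* stand-in for the offload step */
}

/* After: the error path undoes the bind before returning. */
static int change_after(struct knode *n, struct cls_class *c, bool hw_ok)
{
    bind_filter(n, c);
    int err = hw_ok ? 0 : -1;          /* stand-in for the offload step */
    if (err)
        unbind_filter(n);
    return err;
}

/* Bound count left on the class once the change call has returned. */
static int bound_after(int (*change)(struct knode *, struct cls_class *, bool), bool hw_ok)
{
    struct cls_class c = { 0 };
    struct knode n = { 0 };
    change(&n, &c, hw_ok);
    return c.bound_filters;
}

int main(void)
{
    printf("failed offload: %d bound before fix, %d after\n", bound_after(change_before, false), bound_after(change_after, false));
    return 0;
}
```

A check of this shape, asserting that the bound count returns to its starting value after every failed change, is the kind of invariant that catches a missing undo in review or in a regression test.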
Affected products: 1
Patches: 3
a9345793469b
025159ed118b
9cb36faedeaf
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0
No linked articles in our index yet.