CVE-2023-53021
Published: 27 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2023-53021 is a use-after-free vulnerability in the Linux kernel's taprio queue discipline (sch_taprio, net/sched/sch_taprio.c). It is triggered by installing a taprio qdisc whose netlink request carries an invalid TCA_RATE attribute: taprio_init() has already run and armed the qdisc's advance_timer hrtimer when qdisc_create() hits the TCA_RATE error and tears the qdisc down via taprio_destroy(). If the hrtimer has fired in the meantime, its callback advance_sched() has already called __netif_schedule(), which marks the qdisc as scheduled and queues it for the transmit softirq. That scheduling cannot be revoked, so net_tx_action() later runs on a CPU and takes the locks of a qdisc that has since been freed. syzbot observed this as a KMSAN uninit-value report in a spinlock taken from net_tx_action().
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N). By sending an RTM_NEWQDISC message over rtnetlink that configures a taprio qdisc with a malformed TCA_RATE attribute, the attacker triggers the race, resulting in a kernel crash or potential arbitrary code execution through the use-after-free (CWE-416). Two practical caveats: adding a qdisc requires CAP_NET_ADMIN in the owning network namespace, which an otherwise unprivileged user can obtain on kernels that permit unprivileged user namespaces, and taprio must be installed as the root qdisc of a multi-queue device. The CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high confidentiality, integrity and availability impact with scope unchanged.
The fix cannot undo the pending __netif_schedule(), so instead taprio_destroy() waits for a CPU to service the qdisc before freeing it: after hrtimer_cancel() it calls a qdisc_synchronize() helper that sleeps while the qdisc's __QDISC_STATE_SCHED bit is still set, i.e. until net_tx_action() has consumed the scheduling. Relevant commits are 1200388a0b1c3c6fda48d4d2143db8f7e4ef5348, 3a415d59c1dbec9d772dbfab2d2520d98360caae, c53acbf2facfdfabdc6e6984a1a38f5d38b606a1, c60fe70078d6e515f424cb868d07e00411b27fbc and d3b2d2820a005e43855fa71b80c4a4b194201c60, available in the kernel.org stable trees.
The vulnerability was reported by syzbot with a reproducer, first observed on a 6.0.0-rc2 kernel running in a Google Compute Engine environment. It is a syzkaller fuzzing discovery; this page records no known real-world exploitation.
Details
- CWE(s): CWE-416 Use After Free
Affected Products
- Linux kernel, net/sched/sch_taprio.c, in releases prior to the stable updates carrying the fix commits listed above
MITRE ATT&CK Enterprise Techniques
- T1068 Exploitation for Privilege Escalation
Why these techniques?
A local use-after-free in the Linux kernel's packet scheduler (net/sched) lets a low-privileged user crash the kernel or potentially execute arbitrary code in kernel context, which directly maps to exploitation of a software vulnerability for privilege escalation.