ACK: [SRU][N][PATCH v2 0/1] CVE-2025-37797
Stefan Bader
stefan.bader at canonical.com
Thu Jul 10 06:24:19 UTC 2025
On 14.06.25 02:41, Ian Whitfield wrote:
> [Impact]
>
> net_sched: hfsc: Fix a UAF vulnerability in class handling
>
> This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class
> handling. The issue occurs due to a time-of-check/time-of-use condition
> in hfsc_change_class() when working with certain child qdiscs like netem
> or codel.
>
> The vulnerability works as follows:
> 1. hfsc_change_class() checks if a class has packets (q.qlen != 0)
> 2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g.,
> codel, netem) might drop packets and empty the queue
> 3. The code continues assuming the queue is still non-empty, adding
> the class to vttree
> 4. This breaks HFSC scheduler assumptions that only non-empty classes
> are in vttree
> 5. Later, when the class is destroyed, this can lead to a Use-After-Free
>
> The fix adds a second queue length check after qdisc_peek_len() to verify
> the queue wasn't emptied.
>
> [Backport]
>
> Cherry pick applied cleanly.
>
> [Fix]
>
> Plucky: fixed via stable updates
> Oracular: EOL
> Noble: cherry pick
> Jammy: fixed via stable updates
> Focal: sent to ESM ML
> Bionic: sent to ESM ML
> Xenial: not affected
> Trusty: not affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use a Hierarchical Fair Service Curve (HFSC) network
> scheduler queue discipline (qdisc) with certain child qdiscs. An issue with this
> fix would be visible to the user as a use-after-free which could read private
> information or crash the kernel.
>
> v2: Updated targets for this patchset
>
> Cong Wang (1):
> net_sched: hfsc: Fix a UAF vulnerability in class handling
>
> net/sched/sch_hfsc.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 47863 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20250710/457fd88c/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20250710/457fd88c/attachment-0001.sig>
More information about the kernel-team
mailing list