NACK: [SRU][J/N/O/P][PATCH 0/1] CVE-2025-37890
Ian Whitfield
ian.whitfield at canonical.com
Tue Jun 3 20:57:31 UTC 2025
On Wed, May 28, 2025 at 04:14:33PM -0700, Ian Whitfield wrote:
> [Impact]
>
> net_sched: hfsc: Fix a UAF vulnerability in class
>
> As described in Gerrard's report [1], we have a UAF case when an hfsc class
> has a netem child qdisc. The crux of the issue is that hfsc is assuming
> that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted
> the class in the vttree or eltree (which is not true for the netem
> duplicate case).
>
> This patch checks the n_active class variable to make sure that the code
> won't insert the class in the vttree or eltree twice, catering for the
> reentrant case.
>
> [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/
>
> [Backport]
>
> The patch applied cleanly.
>
> [Fix]
>
> Plucky: cherry pick
> Oracular: cherry pick
> Noble: cherry pick
> Jammy: cherry pick
> Focal: sent to ESM ML
> Bionic: not affected
> Xenial: not affected
> Trusty: not affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use a Hierarchical Fair Service Curve (HFSC) network
> scheduler queue discipline (qdisc) with a child Network Emulator (netem) qdisc.
> An issue with this fix would be visible to the user as a use-after-free which
> could read private information or crash the kernel.
>
> Victor Nogueira (1):
> net_sched: hfsc: Fix a UAF vulnerability in class with netem as child
> qdisc
>
> net/sched/sch_hfsc.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> --
> 2.43.0
>
As pointed out by Kuba Pawlak on the ESM mailing list, a second commit is
required to fully address this CVE:
ac9fe7dd8e73 ("net_sched: hfsc: Address reentrant enqueue adding class to eltree twice")
I'll resubmit with a v2 that has this patch included.
More information about the kernel-team
mailing list