[SRU][J/N/O/P][PATCH v2 0/2] CVE-2025-37890

Ian Whitfield ian.whitfield at canonical.com
Wed Jun 4 17:47:16 UTC 2025


[Impact]

net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc

As described in Gerrard's report [1], we have a UAF case when an hfsc class
has a netem child qdisc. The crux of the issue is that hfsc is assuming
that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted
the class in the vttree or eltree (which is not true for the netem
duplicate case).

This patch checks the n_active class variable to make sure that the code
won't insert the class in the vttree or eltree twice, catering for the
reentrant case.

[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/

[Backport]

The fix commit marked for this CVE, 141d34391abb ("net_sched: hfsc: Fix a UAF
vulnerability in class with netem as child qdisc"), cherry-picked cleanly. Two
follow-up commits were added to further resolve UAF vulnerabilities in the same
function. Jammy had already received the initial fix via stable updates, so this
patchset adds just the two follow-ups for that kernel.

[Fix]

Plucky:   cherry picked fix and follow-ups
Oracular: cherry picked fix and follow-ups
Noble:    cherry picked fix and follow-ups
Jammy:    cherry picked follow-ups
Focal:    sent to ESM ML
Bionic:   not affected
Xenial:   not affected
Trusty:   not affected

[Test Case]

Compile and boot tested.

[Where problems could occur]

This fix affects those who use a Hierarchical Fair Service Curve (HFSC) network
scheduler queue discipline (qdisc) with a child Network Emulator (netem) qdisc.
An issue with this fix would be visible to the user as a use-after-free which
could read private information or crash the kernel.

v2: Added follow-up commit ac9fe7dd8e73 ("net_sched: hfsc: Address reentrant
 enqueue adding class to eltree twice") which conflicted with 3f981138109f
 ("sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()") which
 resolved another UAF bug in the same function. The conflicting commit was also
 pulled in so that all commits applied cleanly and this function is most up to
 date with UAF vulnerability patches.

Cong Wang (1):
  sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()

Pedro Tammela (1):
  net_sched: hfsc: Address reentrant enqueue adding class to eltree
    twice

Victor Nogueira (1):
  net_sched: hfsc: Fix a UAF vulnerability in class with netem as child
    qdisc

 net/sched/sch_hfsc.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

-- 
2.43.0
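An added exposure check, not part of this patch series or the Ubuntu kernel tree, for the configuration named under [Where problems could occur]: it scans plain `tc qdisc show` output (run without a `dev` argument, so each line carries its interface) for a netem qdisc whose parent is a class of an hfsc qdisc on the same interface. The sample output below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of `tc qdisc show` output (not a real capture).
SAMPLE_TC_OUTPUT='qdisc hfsc 1: dev eth0 root refcnt 2 default 1
qdisc netem 10: dev eth0 parent 1:1 limit 1000 delay 10ms duplicate 5%
qdisc fq_codel 0: dev eth1 root refcnt 2 limit 10240p flows 1024
qdisc htb 2: dev eth2 root refcnt 2 r2q 10 default 0x1
qdisc netem 20: dev eth2 parent 2:1 limit 1000 delay 5ms'

# Reads `tc qdisc show` lines on stdin. Prints one line per netem qdisc
# attached under an hfsc class; returns 0 if any was found, 1 otherwise.
find_hfsc_netem_children() {
    awk '
    # Field layout: qdisc <kind> <handle> dev <ifname> (root|parent <id>) ...
    $1 == "qdisc" && $4 == "dev" {
        kind = $2; handle = $3; dev = $5
        if (kind == "hfsc") hfsc[dev ":" handle] = 1
        if (kind == "netem" && $6 == "parent") {
            # A class id "1:1" belongs to the qdisc with handle "1:".
            split($7, p, ":")
            k = dev ":" handle
            ndev[k] = dev; nhandle[k] = handle; nparent[k] = p[1] ":"
        }
    }
    END {
        found = 0
        for (k in ndev) {
            if ((ndev[k] ":" nparent[k]) in hfsc) {
                print ndev[k] " netem " nhandle[k] " child of hfsc " nparent[k]
                found = 1
            }
        }
        if (found) exit 0
        exit 1
    }'
}

# Stand-alone demo on the constructed sample; on a live host replace the
# sample with: tc qdisc show | find_hfsc_netem_children
printf '%s\n' "$SAMPLE_TC_OUTPUT" | find_hfsc_netem_children \
    || echo "no netem qdisc under an hfsc class found"
```

The check only identifies hosts that use the affected hfsc/netem combination; whether the running kernel already carries the fix is a separate question answered by the package version.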
