ACK: [SRU][F/J/N/O/P][PATCH 0/1] CVE-2025-37797

Kuba Pawlak kuba.pawlak at canonical.com
Thu May 8 11:42:00 UTC 2025 

On 8.05.2025 03:28, Tim Whisonant wrote:
> SRU Justification:
>
> [Impact]
>
> net_sched: hfsc: Fix a UAF vulnerability in class handling
>
> This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class
> handling. The issue occurs due to a time-of-check/time-of-use condition
> in hfsc_change_class() when working with certain child qdiscs like netem
> or codel.
>
> The vulnerability works as follows:
> 1. hfsc_change_class() checks if a class has packets (q.qlen != 0)
> 2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g.,
>     codel, netem) might drop packets and empty the queue
> 3. The code continues assuming the queue is still non-empty, adding
>     the class to vttree
> 4. This breaks HFSC scheduler assumptions that only non-empty classes
>     are in vttree
> 5. Later, when the class is destroyed, this can lead to a Use-After-Free
>
> The fix adds a second queue length check after qdisc_peek_len() to verify
> the queue wasn't emptied.
>
> [Fix]
>
> Plucky:   applied Focal patch
> Oracular: applied Focal patch
> Noble:    applied Focal patch
> Jammy:    applied Focal patch
> Focal:    cherry picked from upstream
> Bionic:   patch sent to ESM ML
> Xenial:   patch sent to ESM ML
> Trusty:   out of scope (medium CVE)
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The change affects the Hierarchical Fair Service Curve network
> queuing discipline. Errors may appear as anomolies when using
> this queuing discipline.
>
> Cong Wang (1):
>    net_sched: hfsc: Fix a UAF vulnerability in class handling
>
>   net/sched/sch_hfsc.c | 9 +++++++--
>   1 file changed, 7 insertions(+), 2 deletions(-)
>
Acked-by: Kuba Pawlak <kuba.pawlak at canonical.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x216A9D7E3B63DCB4.asc
Type: application/pgp-keys
Size: 3139 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20250508/b59b7018/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20250508/b59b7018/attachment.sig>

More information about the kernel-team mailing list