ACK: [SRU][F/J/N/O][PATCH 0/2] CVE-2025-37752
Cengiz Can
cengiz.can at canonical.com
Thu May 15 07:27:54 UTC 2025
On 06-05-25 17:13:14, Tim Whisonant wrote:
> SRU Justification:
>
> [Impact]
>
> net_sched: sch_sfq: use a temporary work area for validating configuration
>
> Many configuration parameters have influence on others (e.g. divisor
> -> flows -> limit, depth -> limit) and so it is difficult to correctly
> do all of the validation before applying the configuration. And if a
> validation error is detected late it is difficult to roll back a
> partially applied configuration.
>
> To avoid these issues use a temporary work area to update and validate
> the configuration and only then apply the configuration to the
> internal state.
>
> net_sched: sch_sfq: move the limit validation
>
> It is not sufficient to directly validate the limit on the data that
> the user passes as it can be updated based on how the other parameters
> are changed.
>
> Move the check at the end of the configuration update process to also
> catch scenarios where the limit is indirectly updated, for example
> with the following configurations:
>
> tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1
> tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1
>
> This fixes the following syzkaller reported crash:
>
> ------------[ cut here ]------------
> UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6
> index 65535 is out of range for type 'struct sfq_head[128]'
> CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:94 [inline]
> dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120
> ubsan_epilogue lib/ubsan.c:231 [inline]
> __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429
> sfq_link net/sched/sch_sfq.c:203 [inline]
> sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231
> sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493
> sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518
> qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035
> tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339
> qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035
> dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311
> netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline]
> dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375
>
> [Fix]
>
> Plucky: fixed separately
> Oracular: cherry-picked from upstream
> Noble: applied Focal patches
> Jammy: applied Focal patches
> Focal: backported from upstream
> Bionic: patch sent to ESM ML
> Xenial: patch sent to ESM ML
> Trusty: out of scope (medium CVE)
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The changes occur in the network stochastic fairness queueing
> discipline implementation. Issues may appear as anomalies related
> to that queueing discipline.
>
> [Notes]
>
> The following patch is a prerequisite for including the fix commit
> patch:
> 8c0cea59d40cf6dd13c2950437631dd614fbade6
> ("net_sched: sch_sfq: use a temporary work area for validating configuration")
>
> Octavian Purdila (2):
> net_sched: sch_sfq: use a temporary work area for validating
> configuration
> net_sched: sch_sfq: move the limit validation
Acked-by: Cengiz Can <cengiz.can at canonical.com>
>
> net/sched/sch_sfq.c | 66 ++++++++++++++++++++++++++++++++++-----------
> 1 file changed, 51 insertions(+), 15 deletions(-)
>
> --
> 2.43.0
>
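As an added illustration of the two problems the SRU justification describes (a derived value validated too early, and a partially applied configuration that cannot be rolled back), the following C model is not code from the patch or from the kernel's sch_sfq.c. The field names follow the text; the rules that a divisor must be a power of two, that a final limit of 1 is invalid, and the sample values are assumptions chosen only to mirror the "limit 2 flows 1 depth 1" case.

```c
/* Added illustration, not the kernel's sch_sfq code: a simplified model of the
 * configuration path. The numeric rules below are assumptions, not kernel facts. */
#include <errno.h>
struct sfq_cfg {
	unsigned int divisor; /* hash table size */
	unsigned int flows;
	unsigned int depth;
	unsigned int limit;   /* derived: capped at flows * depth */
};

/* Update step shared by both variants; a zero user field means "unchanged". */
static int apply(struct sfq_cfg *c, const struct sfq_cfg *u)
{
	if (u->flows)
		c->flows = u->flows;            /* written before divisor is checked */
	if (u->divisor) {
		if (u->divisor & (u->divisor - 1))
			return -EINVAL;         /* assumed rule: must be a power of two */
		c->divisor = u->divisor;
	}
	if (u->depth) c->depth = u->depth;
	if (u->limit) c->limit = u->limit;
	/* Indirect update: the limit can never exceed the number of slots. */
	if (c->limit > c->flows * c->depth)
		c->limit = c->flows * c->depth;
	return 0;
}

/* Before: raw user limit checked first, then everything applied in place. */
static int sfq_change_before(struct sfq_cfg *live, const struct sfq_cfg *u)
{
	if (u->limit == 1)
		return -EINVAL;   /* "limit 2 flows 1 depth 1" passes: 2 != 1 */
	return apply(live, u);    /* limit still ends up 1; errors leave live half-updated */
}

/* After: work on a copy, validate the final derived limit, then commit. */
static int sfq_change_after(struct sfq_cfg *live, const struct sfq_cfg *u)
{
	struct sfq_cfg tmp = *live;
	int err = apply(&tmp, u);
	if (err)
		return err;       /* live state untouched */
	if (tmp.limit == 1)
		return -EINVAL;   /* catches the indirectly updated limit */
	*live = tmp;
	return 0;
}
```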