[SRU][F/J/N/O/P][PATCH 0/1] CVE-2025-37797

Stefan Bader stefan.bader at canonical.com
Fri May 23 09:20:13 UTC 2025 

On 08.05.25 03:28, Tim Whisonant wrote:
> SRU Justification:
> 
> [Impact]
> 
> net_sched: hfsc: Fix a UAF vulnerability in class handling
> 
> This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class
> handling. The issue occurs due to a time-of-check/time-of-use condition
> in hfsc_change_class() when working with certain child qdiscs like netem
> or codel.
> 
> The vulnerability works as follows:
> 1. hfsc_change_class() checks if a class has packets (q.qlen != 0)
> 2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g.,
>     codel, netem) might drop packets and empty the queue
> 3. The code continues assuming the queue is still non-empty, adding
>     the class to vttree
> 4. This breaks HFSC scheduler assumptions that only non-empty classes
>     are in vttree
> 5. Later, when the class is destroyed, this can lead to a Use-After-Free
> 
> The fix adds a second queue length check after qdisc_peek_len() to verify
> the queue wasn't emptied.
> 
> [Fix]
> 
> Plucky:   applied Focal patch
> Oracular: applied Focal patch
> Noble:    applied Focal patch
> Jammy:    applied Focal patch
> Focal:    cherry picked from upstream
> Bionic:   patch sent to ESM ML
> Xenial:   patch sent to ESM ML
> Trusty:   out of scope (medium CVE)
> 
> [Test Plan]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> The change affects the Hierarchical Fair Service Curve network
> queuing discipline. Errors may appear as anomolies when using
> this queuing discipline.
> 
> Cong Wang (1):
>    net_sched: hfsc: Fix a UAF vulnerability in class handling
> 
>   net/sched/sch_hfsc.c | 9 +++++++--
>   1 file changed, 7 insertions(+), 2 deletions(-)
> 

Just as a reminder, since this got NACK'ed it requires a re-submission 
to be considered.

-- 
- Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 47863 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20250523/0dd79ff4/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20250523/0dd79ff4/attachment-0001.sig>

More information about the kernel-team mailing list