[SRU][J/N/O/P][PATCH 0/1] CVE-2025-37890
Ian Whitfield
ian.whitfield at canonical.com
Wed May 28 23:14:33 UTC 2025
[Impact]
net_sched: hfsc: Fix a UAF vulnerability in class
As described in Gerrard's report [1], we have a UAF case when an hfsc class
has a netem child qdisc. The crux of the issue is that hfsc is assuming
that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted
the class in the vttree or eltree (which is not true for the netem
duplicate case).
This patch checks the n_active class variable to make sure that the code
won't insert the class in the vttree or eltree twice, catering for the
reentrant case.
[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/
[Backport]
The patch applied cleanly.
[Fix]
Plucky: cherry pick
Oracular: cherry pick
Noble: cherry pick
Jammy: cherry pick
Focal: sent to ESM ML
Bionic: not affected
Xenial: not affected
Trusty: not affected
[Test Case]
Compile and boot tested.
[Where problems could occur]
This fix affects those who use a Hierarchical Fair Service Curve (HFSC) network
scheduler queue discipline (qdisc) with a child Network Emulator (netem) qdisc.
An issue with this fix would be visible to the user as a use-after-free which
could read private information or crash the kernel.
Victor Nogueira (1):
net_sched: hfsc: Fix a UAF vulnerability in class with netem as child
qdisc
net/sched/sch_hfsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
2.43.0
More information about the kernel-team
mailing list