[FIPS 8.10] net_sched: hfsc: Address reentrant enqueue adding class to eltree twice #512
pvts-mat wants to merge 2 commits into ctrliq:fips-8-compliant/4.18.0-553.16.1 from pvts-mat:fips8c-CVE-2025-37890
… qdisc

jira VULN-68293
jira VULN-68292
cve CVE-2025-37890
commit-author Victor Nogueira <[email protected]>
commit 141d343

As described in Gerrard's report [1], we have a UAF case when an hfsc class has a netem child qdisc. The crux of the issue is that hfsc is assuming that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted the class in the vttree or eltree (which is not true for the netem duplicate case).

This patch checks the n_active class variable to make sure that the code won't insert the class in the vttree or eltree twice, catering for the reentrant case.

[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/

Fixes: 37d9cf1 ("sched: Fix detection of empty queues in child qdiscs")
Reported-by: Gerrard Tai <[email protected]>
Acked-by: Jamal Hadi Salim <[email protected]>
Signed-off-by: Victor Nogueira <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit 141d343)
Signed-off-by: Marcin Wcisło <[email protected]>
jira VULN-68293
jira VULN-68292
cve-bf CVE-2025-37890
commit-author Pedro Tammela <[email protected]>
commit ac9fe7d

Savino says:

"We are writing to report that this recent patch (141d343) [1] can be bypassed, and a UAF can still occur when HFSC is utilized with NETEM.

The patch only checks the cl->cl_nactive field to determine whether it is the first insertion or not [2], but this field is only incremented by init_vf [3]. By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the check and insert the class twice in the eltree. Under normal conditions, this would lead to an infinite loop in hfsc_dequeue for the reasons we already explained in this report [5]. However, if TBF is added as root qdisc and it is configured with a very low rate, it can be utilized to prevent packets from being dequeued. This behavior can be exploited to perform subsequent insertions in the HFSC eltree and cause a UAF."

To fix both the UAF and the infinite loop, with netem as an hfsc child, check explicitly in hfsc_enqueue whether the class is already in the eltree whenever the HFSC_RSC flag is set.

[1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547
[2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572
[3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677
[4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574
[5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u

Fixes: 37d9cf1 ("sched: Fix detection of empty queues in child qdiscs")
Reported-by: Savino Dicanosa <[email protected]>
Reported-by: William Liu <[email protected]>
Acked-by: Jamal Hadi Salim <[email protected]>
Tested-by: Victor Nogueira <[email protected]>
Signed-off-by: Pedro Tammela <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Paolo Abeni <[email protected]>
(cherry picked from commit ac9fe7d)
Signed-off-by: Marcin Wcisło <[email protected]>
bmastbergen approved these changes Aug 20, 2025
🥌
thefossguy-ciq approved these changes Aug 21, 2025
🚤
shreeya-patel98 approved these changes Aug 21, 2025
[FIPS 8.10]
CVE-2025-37890
VULN-68293
VULN-68292
Problem
https://access.redhat.com/security/cve/CVE-2025-37890
Applicability: yes
The patch relates to the `sch_hfsc` module, enabled with the `NET_SCH_HFSC` option. It's set to `m` in all configs of FIPS 8.10:

The commit 37d9cf1 marked as introducing the bug was backported to FIPS 8.10 in f3e1778. The mainline fix 141d343 wasn't backported. For the full picture please refer to the "Appendix: Bug timeline" section in #510.
Solution
The same situation as in #490, which see.
kABI check: passed
Boot test: passed
boot-test.log
Kselftests: passed relative
Coverage
Only the net-related tests were run.
`net/forwarding` (except `sch_ets.sh`, `sch_tbf_root.sh`, `mirror_gre_bridge_1d_vlan.sh`, `mirror_gre_vlan_bridge_1q.sh`, `tc_actions.sh`, `bridge_igmp.sh`, `sch_tbf_prio.sh`, `sch_tbf_ets.sh`, `ipip_hier_gre_keys.sh`), `net/mptcp` (except `mptcp_join.sh`, `simult_flows.sh`), `net` (except `udpgso_bench.sh`, `gro.sh`, `ip_defrag.sh`, `txtimestamp.sh`, `xfrm_policy.sh`, `reuseport_addr_any.sh`, `udpgro_fwd.sh`), `netfilter` (except `nft_trans_stress.sh`)
Reference
kselftests–fips8c–run1.log
kselftests–fips8c–run2.log
Patch
kselftests–fips8c-CVE-2025-37890–run1.log
kselftests–fips8c-CVE-2025-37890–run2.log
Comparison
The results for the reference and the patch are the same:
Specific tests: skipped