fkie_cve-2025-21702
Vulnerability from fkie_nvd
Published
2025-02-18 15:15
Modified
2025-03-13 13:15
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 Expected behaviour: In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a packet in scheduler's queue and decrease scheduler's qlen by one. Then, pfifo_tail_enqueue() enqueue new packet and increase scheduler's qlen by one. Finally, pfifo_tail_enqueue() return `NET_XMIT_CN` status code. Weird behaviour: In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a scheduler that has no packet, the 'drop a packet' step will do nothing. This means the scheduler's qlen still has value equal 0. Then, we continue to enqueue new packet and increase scheduler's qlen by one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by one and return `NET_XMIT_CN` status code. The problem is: Let's say we have two qdiscs: Qdisc_A and Qdisc_B. - Qdisc_A's type must have '->graft()' function to create parent/child relationship. Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`. - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`. - Qdisc_B is configured to have `sch->limit == 0`. - Qdisc_A is configured to route the enqueued's packet to Qdisc_B. Enqueue packet through Qdisc_A will lead to: - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B) - Qdisc_B->q.qlen += 1 - pfifo_tail_enqueue() return `NET_XMIT_CN` - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A. The whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1. Replace 'hfsc' with other type (for example: 'drr') still lead to the same problem. This violate the design where parent's qlen should equal to the sum of its childrens'qlen. Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/020ecb76812a0526f4130ab5aeb6dc7c773e7ab9
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/647cef20e649c576dff271e018d5d15d998b629d
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/78285b53266d6d51fa4ff504a23df03852eba84e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/79a955ea4a2e5ddf4a36328959de0de496419888
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7a9723ec27aff5674f1fd4934608937f1d650980
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a56a6e8589a9b98d8171611fbcc1e45a15fd2455
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b6a079c3b6f95378f26e2aeda520cb3176f7067b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e40cb34b7f247fe2e366fd192700d1b4f38196ca
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npfifo_tail_enqueue: Drop new packet when sch-\u003elimit == 0\n\nExpected behaviour:\nIn case we reach scheduler\u0027s limit, pfifo_tail_enqueue() will drop a\npacket in scheduler\u0027s queue and decrease scheduler\u0027s qlen by one.\nThen, pfifo_tail_enqueue() enqueue new packet and increase\nscheduler\u0027s qlen by one. Finally, pfifo_tail_enqueue() return\n`NET_XMIT_CN` status code.\n\nWeird behaviour:\nIn case we set `sch-\u003elimit == 0` and trigger pfifo_tail_enqueue() on a\nscheduler that has no packet, the \u0027drop a packet\u0027 step will do nothing.\nThis means the scheduler\u0027s qlen still has value equal 0.\nThen, we continue to enqueue new packet and increase scheduler\u0027s qlen by\none. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by\none and return `NET_XMIT_CN` status code.\n\nThe problem is:\nLet\u0027s say we have two qdiscs: Qdisc_A and Qdisc_B.\n - Qdisc_A\u0027s type must have \u0027-\u003egraft()\u0027 function to create parent/child relationship.\n   Let\u0027s say Qdisc_A\u0027s type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`.\n - Qdisc_B\u0027s type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`.\n - Qdisc_B is configured to have `sch-\u003elimit == 0`.\n - Qdisc_A is configured to route the enqueued\u0027s packet to Qdisc_B.\n\nEnqueue packet through Qdisc_A will lead to:\n - hfsc_enqueue(Qdisc_A) -\u003e pfifo_tail_enqueue(Qdisc_B)\n - Qdisc_B-\u003eq.qlen += 1\n - pfifo_tail_enqueue() return `NET_XMIT_CN`\n - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` =\u003e hfsc_enqueue() don\u0027t increase qlen of Qdisc_A.\n\nThe whole process lead to a situation where Qdisc_A-\u003eq.qlen == 0 and Qdisc_B-\u003eq.qlen == 1.\nReplace \u0027hfsc\u0027 with other type (for example: \u0027drr\u0027) still lead to the same problem.\nThis violate the design where parent\u0027s qlen should equal to the sum of its childrens\u0027qlen.\n\nBug impact: This issue can be used for user-\u003ekernel privilege escalation when it is reachable."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: pfifo_tail_enqueue: Descartar nuevo paquete cuando sch-\u0026gt;limit == 0 Comportamiento esperado: En caso de que alcancemos el l\u00edmite del planificador, pfifo_tail_enqueue() descartar\u00e1 un paquete en la cola del planificador y disminuir\u00e1 el qlen del planificador en uno. Luego, pfifo_tail_enqueue() pone en cola un nuevo paquete y aumenta el qlen del planificador en uno. Finalmente, pfifo_tail_enqueue() devuelve el c\u00f3digo de estado `NET_XMIT_CN`. Comportamiento extra\u00f1o: En caso de que establezcamos `sch-\u0026gt;limit == 0` y activemos pfifo_tail_enqueue() en un planificador que no tiene ning\u00fan paquete, el paso \u0027descartar un paquete\u0027 no har\u00e1 nada. Esto significa que el qlen del planificador todav\u00eda tiene un valor igual a 0. Luego, continuamos poniendo en cola un nuevo paquete y aumentamos el qlen del planificador en uno. En resumen, podemos aprovechar pfifo_tail_enqueue() para aumentar qlen en uno y devolver el c\u00f3digo de estado `NET_XMIT_CN`. El problema es: digamos que tenemos dos qdiscs: Qdisc_A y Qdisc_B. - El tipo de Qdisc_A debe tener la funci\u00f3n \u0027-\u0026gt;graft()\u0027 para crear una relaci\u00f3n padre/hijo. Digamos que el tipo de Qdisc_A es `hfsc`. Poner en cola un paquete en esta qdisc activar\u00e1 `hfsc_enqueue`. - El tipo de Qdisc_B es pfifo_head_drop. Poner en cola un paquete en esta qdisc activar\u00e1 `pfifo_tail_enqueue`. - Qdisc_B est\u00e1 configurado para tener `sch-\u0026gt;limit == 0`. - Qdisc_A est\u00e1 configurado para enrutar el paquete en cola a Qdisc_B. Poner en cola un paquete a trav\u00e9s de Qdisc_A conducir\u00e1 a: - hfsc_enqueue(Qdisc_A) -\u0026gt; pfifo_tail_enqueue(Qdisc_B) - Qdisc_B-\u0026gt;q.qlen += 1 - pfifo_tail_enqueue() devuelve `NET_XMIT_CN` - hfsc_enqueue() comprueba `NET_XMIT_SUCCESS` y ve `NET_XMIT_CN` =\u0026gt; hfsc_enqueue() no aumenta el qlen de Qdisc_A. Todo el proceso conduce a una situaci\u00f3n en la que Qdisc_A-\u0026gt;q.qlen == 0 y Qdisc_B-\u0026gt;q.qlen == 1. Reemplazar \u0027hfsc\u0027 por otro tipo (por ejemplo: \u0027drr\u0027) sigue conduciendo al mismo problema. Esto viola el dise\u00f1o donde el qlen del padre debe ser igual a la suma del qlen de sus hijos. Impacto del error: este problema se puede utilizar para la escalada de privilegios de usuario a kernel cuando sea posible."
    }
  ],
  "id": "CVE-2025-21702",
  "lastModified": "2025-03-13T13:15:48.563",
  "metrics": {},
  "published": "2025-02-18T15:15:18.530",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/020ecb76812a0526f4130ab5aeb6dc7c773e7ab9"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/647cef20e649c576dff271e018d5d15d998b629d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/78285b53266d6d51fa4ff504a23df03852eba84e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/79a955ea4a2e5ddf4a36328959de0de496419888"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/7a9723ec27aff5674f1fd4934608937f1d650980"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a56a6e8589a9b98d8171611fbcc1e45a15fd2455"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b6a079c3b6f95378f26e2aeda520cb3176f7067b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e40cb34b7f247fe2e366fd192700d1b4f38196ca"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.