fkie_cve-2025-38000
Vulnerability from fkie_nvd
Published
2025-06-06 13:15
Modified
2025-06-06 14:06
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()
When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the
child qdisc's peek() operation before incrementing sch->q.qlen and
sch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may
trigger an immediate dequeue and potential packet drop. In such cases,
qdisc_tree_reduce_backlog() is called, but the HFSC qdisc's qlen and backlog
have not yet been updated, leading to inconsistent queue accounting. This
can leave an empty HFSC class in the active list, causing further
consequences like use-after-free.
This patch fixes the bug by moving the increment of sch->q.qlen and
sch->qstats.backlog before the call to the child qdisc's peek() operation.
This ensures that queue length and backlog are always accurate when packet
drops or dequeues are triggered during the peek.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()\n\nWhen enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the\nchild qdisc\u0027s peek() operation before incrementing sch-\u003eq.qlen and\nsch-\u003eqstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may\ntrigger an immediate dequeue and potential packet drop. In such cases,\nqdisc_tree_reduce_backlog() is called, but the HFSC qdisc\u0027s qlen and backlog\nhave not yet been updated, leading to inconsistent queue accounting. This\ncan leave an empty HFSC class in the active list, causing further\nconsequences like use-after-free.\n\nThis patch fixes the bug by moving the increment of sch-\u003eq.qlen and\nsch-\u003eqstats.backlog before the call to the child qdisc\u0027s peek() operation.\nThis ensures that queue length and backlog are always accurate when packet\ndrops or dequeues are triggered during the peek."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sch_hfsc: Se corrige el error de contabilidad de qlen al usar peek en hfsc_enqueue(). Al encolar el primer paquete en una clase HFSC, hfsc_enqueue() llama a la operaci\u00f3n peek() de la qdisc secundaria antes de incrementar sch-\u0026gt;q.qlen y sch-\u0026gt;qstats.backlog. Si la qdisc secundaria usa qdisc_peek_dequeued(), esto puede desencadenar una desencola inmediata y una posible p\u00e9rdida de paquetes. En tales casos, se llama a qdisc_tree_reduce_backlog(), pero el qlen y el backlog de la qdisc HFSC a\u00fan no se han actualizado, lo que provoca una contabilidad de cola inconsistente. Esto puede dejar una clase HFSC vac\u00eda en la lista activa, lo que causa consecuencias adicionales como el use-after-free. Este parche corrige el error desplazando el incremento de sch-\u0026gt;q.qlen y sch-\u0026gt;qstats.backlog antes de la llamada a la operaci\u00f3n peek() de la qdisc secundaria. Esto garantiza que la longitud de la cola y el backlog sean siempre precisos cuando se activan los descartes o las desencolas de paquetes durante la inspecci\u00f3n."
}
],
"id": "CVE-2025-38000",
"lastModified": "2025-06-06T14:06:58.193",
"metrics": {},
"published": "2025-06-06T13:15:39.870",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/1034e3310752e8675e313f7271b348914008719a"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/3f3a22eebbc32b4fa8ce9c1d5f9db214b45b9335"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/3f981138109f63232a5fb7165938d4c945cc1b9d"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/49b21795b8e5654a7df3d910a12e1060da4c04cf"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/89c301e929a0db14ebd94b4d97764ce1d6981653"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/93c276942e75de0e5bc91576300d292e968f5a02"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/f1dde3eb17dc1b8bd07aed00004b1e05fc87a3d4"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/f9f593e34d2fb67644372c8f7b033bdc622ad228"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Awaiting Analysis"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…