fkie_cve-2025-38350
Vulnerability from fkie_nvd
Published
2025-07-19 07:15
Modified
2025-07-22 13:06
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: net/sched: Always pass notifications when child class becomes empty Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free. The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free: tc qdisc add dev lo root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo parent 1: classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1 tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0 tc qdisc add dev lo parent 2:1 handle 3: netem tc qdisc add dev lo parent 3:1 handle 4: blackhole echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 tc class delete dev lo classid 1:1 echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/103406b38c600fec1fe375a77b27d87e314aea09
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3b290923ad2b23596208c1e29520badef4356a43
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7874c9c132e906a52a187d045995b115973c93fb
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a44acdd9e84a211989ff4b9b92bf3545d8456ad5
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a553afd91f55ff39b1e8a1c4989a29394c9e0472
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e269f29e9395527bc00c213c6b15da04ebb35070
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e9921b57dca05ac5f4fa1fa8e993d4f0ee52e2b7
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f680a4643c6f71e758d8fe0431a958e9a6a4f59d
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Always pass notifications when child class becomes empty\n\nCertain classful qdiscs may invoke their classes\u0027 dequeue handler on an\nenqueue operation. This may unexpectedly empty the child qdisc and thus\nmake an in-flight class passive via qlen_notify(). Most qdiscs do not\nexpect such behaviour at this point in time and may re-activate the\nclass eventually anyways which will lead to a use-after-free.\n\nThe referenced fix commit attempted to fix this behavior for the HFSC\ncase by moving the backlog accounting around, though this turned out to\nbe incomplete since the parent\u0027s parent may run into the issue too.\nThe following reproducer demonstrates this use-after-free:\n\n    tc qdisc add dev lo root handle 1: drr\n    tc filter add dev lo parent 1: basic classid 1:1\n    tc class add dev lo parent 1: classid 1:1 drr\n    tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1\n    tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0\n    tc qdisc add dev lo parent 2:1 handle 3: netem\n    tc qdisc add dev lo parent 3:1 handle 4: blackhole\n\n    echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888\n    tc class delete dev lo classid 1:1\n    echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888\n\nSince backlog accounting issues leading to a use-after-frees on stale\nclass pointers is a recurring pattern at this point, this patch takes\na different approach. Instead of trying to fix the accounting, the patch\nensures that qdisc_tree_reduce_backlog always calls qlen_notify when\nthe child qdisc is empty. This solves the problem because deletion of\nqdiscs always involves a call to qdisc_reset() and / or\nqdisc_purge_queue() which ultimately resets its qlen to 0 thus causing\nthe following qdisc_tree_reduce_backlog() to report to the parent. Note\nthat this may call qlen_notify on passive classes multiple times. This\nis not a problem after the recent patch series that made all the\nclassful qdiscs qlen_notify() handlers idempotent."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/sched: Siempre pasar notificaciones cuando la clase hija se vac\u00eda. Ciertas qdisc con clase pueden invocar el controlador de desencolado de sus clases en una operaci\u00f3n de encolado. Esto puede vaciar inesperadamente la qdisc hija y, por lo tanto, hacer que una clase en vuelo sea pasiva mediante qlen_notify(). La mayor\u00eda de las qdisc no esperan este comportamiento en este momento y pueden reactivar la clase eventualmente de todos modos, lo que conducir\u00e1 a un use-after-free. El commit de correcci\u00f3n referenciada intent\u00f3 corregir este comportamiento para el caso HFSC al mover la contabilidad del backlog, aunque esto result\u00f3 ser incompleto ya que el padre de la clase padre tambi\u00e9n podr\u00eda encontrarse con el problema. El siguiente reproductor demuestra este use-after-free: socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 tc class delete dev lo classid 1:1 echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 Dado que los problemas de contabilidad de atrasos que provocan un use-after-frees en punteros de clase obsoletos son un patr\u00f3n recurrente en este punto, este parche adopta un enfoque diferente. En lugar de intentar corregir la contabilidad, el parche garantiza que qdisc_tree_reduce_backlog siempre llame a qlen_notify cuando la qdisc secundaria est\u00e9 vac\u00eda. Esto soluciona el problema porque la eliminaci\u00f3n de qdiscs siempre implica una llamada a qdisc_reset() o qdisc_purge_queue(), que finalmente restablece su qlen a 0, lo que provoca que el siguiente qdisc_tree_reduce_backlog() informe a la clase principal. Tenga en cuenta que esto puede llamar a qlen_notify en clases pasivas varias veces. Esto no es un problema despu\u00e9s de la serie de parches recientes que hicieron que todos los controladores qlen_notify() de las qdiscs con clase sean idempotentes."
    }
  ],
  "id": "CVE-2025-38350",
  "lastModified": "2025-07-22T13:06:07.260",
  "metrics": {},
  "published": "2025-07-19T07:15:22.043",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/103406b38c600fec1fe375a77b27d87e314aea09"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/3b290923ad2b23596208c1e29520badef4356a43"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/7874c9c132e906a52a187d045995b115973c93fb"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a44acdd9e84a211989ff4b9b92bf3545d8456ad5"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a553afd91f55ff39b1e8a1c4989a29394c9e0472"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e269f29e9395527bc00c213c6b15da04ebb35070"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e9921b57dca05ac5f4fa1fa8e993d4f0ee52e2b7"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/f680a4643c6f71e758d8fe0431a958e9a6a4f59d"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.