fkie_cve-2025-38457
Vulnerability from fkie_nvd
Published
2025-07-25 16:15
Modified
2025-07-29 14:14
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: net/sched: Abort __tc_modify_qdisc if parent class does not exist Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc_tree_reduce_backlog during init or change (such as fq, hhf, choke, etc), an issue arises. For example, executing the following commands: sudo tc qdisc add dev lo root handle a: htb default 2 sudo tc qdisc add dev lo parent a: handle beef fq Qdiscs such as fq, hhf, choke, etc unconditionally invoke qdisc_tree_reduce_backlog() in their control path init() or change() which then causes a failure to find the child class; however, that does not stop the unconditional invocation of the assumed child qdisc's qlen_notify with a null class. All these qdiscs make the assumption that class is non-null. The solution is ensure that qdisc_leaf() which looks up the parent class, and is invoked prior to qdisc_create(), should return failure on not finding the class. In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the parentid doesn't correspond to a class, so that we can detect it earlier on and abort before qdisc_create is called. [1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/23c165dde88eac405eebb59051ea1fe139a45803
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/25452638f133ac19d75af3f928327d8016952c8e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8ecd651ef24ab50123692a4e3e25db93cb11602a
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/90436e72c9622c2f70389070088325a3232d339f
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/923a276c74e25073ae391e930792ac86a9f77f1e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e28a383d6485c3bb51dc5953552f76c4dea33eea
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ffdde7bf5a439aaa1955ebd581f5c64ab1533963
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Abort __tc_modify_qdisc if parent class does not exist\n\nLion\u0027s patch [1] revealed an ancient bug in the qdisc API.\nWhenever a user creates/modifies a qdisc specifying as a parent another\nqdisc, the qdisc API will, during grafting, detect that the user is\nnot trying to attach to a class and reject. However grafting is\nperformed after qdisc_create (and thus the qdiscs\u0027 init callback) is\nexecuted. In qdiscs that eventually call qdisc_tree_reduce_backlog\nduring init or change (such as fq, hhf, choke, etc), an issue\narises. For example, executing the following commands:\n\nsudo tc qdisc add dev lo root handle a: htb default 2\nsudo tc qdisc add dev lo parent a: handle beef fq\n\nQdiscs such as fq, hhf, choke, etc unconditionally invoke\nqdisc_tree_reduce_backlog() in their control path init() or change() which\nthen causes a failure to find the child class; however, that does not stop\nthe unconditional invocation of the assumed child qdisc\u0027s qlen_notify with\na null class. All these qdiscs make the assumption that class is non-null.\n\nThe solution is ensure that qdisc_leaf() which looks up the parent\nclass, and is invoked prior to qdisc_create(), should return failure on\nnot finding the class.\nIn this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the\nparentid doesn\u0027t correspond to a class, so that we can detect it\nearlier on and abort before qdisc_create is called.\n\n[1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/sched: Abort __tc_modify_qdisc si la clase padre no existe. El parche de Lion [1] revel\u00f3 un error antiguo en la API de qdisc. Siempre que un usuario crea o modifica una qdisc que especifica otra qdisc como padre, la API de qdisc detecta, durante el injerto, que el usuario no intenta asociarse a una clase y lo rechaza. Sin embargo, el injerto se realiza despu\u00e9s de ejecutar qdisc_create (y, por lo tanto, la devoluci\u00f3n de llamada de inicio de la qdisc). En las qdisc que eventualmente llaman a qdisc_tree_reduce_backlog durante la inicializaci\u00f3n o el cambio (como fq, hhf, choke, etc.), surge un problema. Por ejemplo, al ejecutar los siguientes comandos: sudo tc qdisc add dev lo root handle a: htb default 2 sudo tc qdisc add dev lo parent a: handle beef fq Las Qdisc como fq, hhf, choke, etc., invocan incondicionalmente qdisc_tree_reduce_backlog() en su ruta de control init() o change(), lo que provoca un error al no encontrar la clase hija; sin embargo, esto no detiene la invocaci\u00f3n incondicional de qlen_notify de la qdisc hija asumida con una clase nula. Todas estas qdisc asumen que la clase no es nula. La soluci\u00f3n es garantizar que qdisc_leaf(), que busca la clase padre y se invoca antes que qdisc_create(), devuelva un error al no encontrar la clase. En este parche, aprovechamos qdisc_leaf para devolver ERR_PTR siempre que el parentid no corresponda a una clase, de modo que podamos detectarlo antes y abortar antes de que se llame a qdisc_create. [1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/"
    }
  ],
  "id": "CVE-2025-38457",
  "lastModified": "2025-07-29T14:14:55.157",
  "metrics": {},
  "published": "2025-07-25T16:15:31.403",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/23c165dde88eac405eebb59051ea1fe139a45803"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/25452638f133ac19d75af3f928327d8016952c8e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/8ecd651ef24ab50123692a4e3e25db93cb11602a"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/90436e72c9622c2f70389070088325a3232d339f"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/923a276c74e25073ae391e930792ac86a9f77f1e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e28a383d6485c3bb51dc5953552f76c4dea33eea"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ffdde7bf5a439aaa1955ebd581f5c64ab1533963"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.