Commit dccd772
committed
net_sched: hfsc: Fix a UAF vulnerability in class handling
jira VULN-67700
cve CVE-2025-37797
commit-author Cong Wang <[email protected]>
commit 3df275e
This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class
handling. The issue occurs due to a time-of-check/time-of-use condition
in hfsc_change_class() when working with certain child qdiscs like netem
or codel.
The vulnerability works as follows:
1. hfsc_change_class() checks if a class has packets (q.qlen != 0)
2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g.,
codel, netem) might drop packets and empty the queue
3. The code continues assuming the queue is still non-empty, adding
the class to vttree
4. This breaks HFSC scheduler assumptions that only non-empty classes
are in vttree
5. Later, when the class is destroyed, this can lead to a Use-After-Free
The fix adds a second queue length check after qdisc_peek_len() to verify
the queue wasn't emptied.
Fixes: 21f4d5c ("net_sched/hfsc: fix curve activation in hfsc_change_class()")
Reported-by: Gerrard Tai <[email protected]>
Reviewed-by: Konstantin Khlebnikov <[email protected]>
Signed-off-by: Cong Wang <[email protected]>
Reviewed-by: Jamal Hadi Salim <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit 3df275e)
Signed-off-by: Brett Mastbergen <[email protected]>1 parent 7f5249a commit dccd772
1 file changed
+7
-2
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
964 | 964 | | |
965 | 965 | | |
966 | 966 | | |
| 967 | + | |
967 | 968 | | |
968 | 969 | | |
969 | 970 | | |
| |||
994 | 995 | | |
995 | 996 | | |
996 | 997 | | |
| 998 | + | |
| 999 | + | |
| 1000 | + | |
| 1001 | + | |
| 1002 | + | |
| 1003 | + | |
997 | 1004 | | |
998 | | - | |
999 | | - | |
1000 | 1005 | | |
1001 | 1006 | | |
1002 | 1007 | | |
| |||
0 commit comments