Message-ID: <2025050137-CVE-2025-37752-653f@gregkh>
Date: Thu,  1 May 2025 14:56:58 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-37752: net_sched: sch_sfq: move the limit validation

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

net_sched: sch_sfq: move the limit validation

It is not sufficient to directly validate the limit on the data that
the user passes as it can be updated based on how the other parameters
are changed.

Move the check at the end of the configuration update process to also
catch scenarios where the limit is indirectly updated, for example
with the following configurations:

tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1
tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1

This fixes the following syzkaller reported crash:

------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6
index 65535 is out of range for type 'struct sfq_head[128]'
CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429
 sfq_link net/sched/sch_sfq.c:203 [inline]
 sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231
 sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493
 sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518
 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035
 tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339
 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035
 dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311
 netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline]
 dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375

The Linux kernel CVE team has assigned CVE-2025-37752 to this issue.
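The following is an added illustration, not code from the kernel or from this advisory: a small userspace model of why checking the raw limit value sent by the user is not enough when later parameters can shrink it. The caps, defaults, struct names (sfq_request, sfq_state), the helper names (sfq_model_change, derived_limit) and the derivation order are simplified assumptions modelled on the parameter handling described in the commit message, not copied from net/sched/sch_sfq.c. The model reproduces the first of the two tc commands quoted above (limit 2 flows 1 depth 1); the divisor interaction of the second command is not modelled.

```c
/* Added example (not the kernel's code): a userspace model of the
 * "validate the derived value, not the raw input" point made in the
 * commit message. Constants, names and derivation order are assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical caps and defaults for the model. */
#define MODEL_MAX_FLOWS     0x10000u
#define MODEL_MAX_DEPTH     127u
#define MODEL_DEFAULT_FLOWS 128u
#define MODEL_DEFAULT_DEPTH 127u
#define MODEL_DEFAULT_LIMIT (MODEL_DEFAULT_FLOWS * MODEL_DEFAULT_DEPTH)

struct sfq_request {	/* values from the user; 0 means "keep default" */
	uint32_t limit, flows, depth, divisor;
};

struct sfq_state {	/* values the qdisc would actually run with */
	uint32_t limit, maxflows, maxdepth, divisor;
};

static uint32_t min_u32(uint32_t a, uint32_t b) { return a < b ? a : b; }

/* Returns 0 and fills *out on success, -1 (think -EINVAL) on rejection.
 * check_at_end selects where the "limit == 1" validation happens. */
static int sfq_model_change(const struct sfq_request *req, bool check_at_end,
			    struct sfq_state *out)
{
	struct sfq_state st = {
		.limit = MODEL_DEFAULT_LIMIT, .maxflows = MODEL_DEFAULT_FLOWS,
		.maxdepth = MODEL_DEFAULT_DEPTH, .divisor = 1024,
	};

	/* Before the fix: only the raw value sent by the user is checked. */
	if (!check_at_end && req->limit == 1)
		return -1;

	if (req->flows)
		st.maxflows = min_u32(req->flows, MODEL_MAX_FLOWS);
	if (req->divisor) {
		st.divisor = req->divisor;
		st.maxflows = min_u32(st.maxflows, st.divisor);
	}
	if (req->depth)
		st.maxdepth = min_u32(req->depth, MODEL_MAX_DEPTH);
	if (req->limit) {
		/* The limit is clamped to what the flow table can hold, so
		 * "limit 2 flows 1 depth 1" silently becomes limit 1. */
		st.limit = min_u32(req->limit, st.maxdepth * st.maxflows);
		st.maxflows = min_u32(st.maxflows, st.limit);
	}

	/* After the fix: check the value the qdisc will really use. */
	if (check_at_end && st.limit == 1)
		return -1;

	*out = st;
	return 0;
}

/* Convenience wrapper: -1 if the configuration is rejected, otherwise the
 * derived limit the qdisc would run with. */
static int derived_limit(uint32_t limit, uint32_t flows, uint32_t depth,
			 uint32_t divisor, bool check_at_end)
{
	struct sfq_request req = { limit, flows, depth, divisor };
	struct sfq_state st;

	if (sfq_model_change(&req, check_at_end, &st) < 0)
		return -1;
	return (int)st.limit;
}

int main(void)
{
	/* The first configuration quoted in the commit message:
	 * tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1 */
	printf("limit 2 flows 1 depth 1, check raw value : %d\n",
	       derived_limit(2, 1, 1, 0, false));	/* accepted with limit 1 */
	printf("limit 2 flows 1 depth 1, check at end   : %d\n",
	       derived_limit(2, 1, 1, 0, true));	/* rejected, -1 */
	printf("limit 100 flows 10 depth 5, check at end: %d\n",
	       derived_limit(100, 10, 5, 0, true));	/* accepted with limit 50 */
	return 0;
}
```

With the early check, the request passes because the user asked for limit 2, yet the qdisc ends up running with limit 1; moving the check after the derivation rejects the same request, while an ordinary configuration is still accepted. The same pattern applies to any configuration path where one field is clamped by others: validate the final state, not the fields one at a time.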


Affected and fixed versions
===========================

	Issue introduced in 6.1.129 with commit 35d0137305ae2f97260a9047f445bd4434bd6cc7 and fixed in 6.1.135 with commit 1348214fa042a71406964097e743c87a42c85a49
	Issue introduced in 6.6.76 with commit 833e9a1c27b82024db7ff5038a51651f48f05e5e and fixed in 6.6.88 with commit d2718324f9e329b10ddc091fba5a0ba2b9d4d96a
	Issue introduced in 6.12.13 with commit 7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4 and fixed in 6.12.24 with commit f86293adce0c201cfabb283ef9d6f21292089bb8
	Issue introduced in 6.13.2 with commit 7fefc294204f10a3405f175f4ac2be16d63f135e and fixed in 6.13.12 with commit 5e5e1fcc1b8ed57f902c424c5d9b328a3a19073d
	Issue introduced in 6.14 with commit 10685681bafce6febb39770f3387621bf5d67d0b and fixed in 6.14.3 with commit b36a68192037d1614317a09b0d78c7814e2eecf9
	Issue introduced in 6.14 with commit 10685681bafce6febb39770f3387621bf5d67d0b and fixed in 6.15-rc2 with commit b3bf8f63e6179076b57c9de660c9f80b5abefe70

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37752
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/sched/sch_sfq.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/1348214fa042a71406964097e743c87a42c85a49
	https://git.kernel.org/stable/c/d2718324f9e329b10ddc091fba5a0ba2b9d4d96a
	https://git.kernel.org/stable/c/f86293adce0c201cfabb283ef9d6f21292089bb8
	https://git.kernel.org/stable/c/5e5e1fcc1b8ed57f902c424c5d9b328a3a19073d
	https://git.kernel.org/stable/c/b36a68192037d1614317a09b0d78c7814e2eecf9
	https://git.kernel.org/stable/c/b3bf8f63e6179076b57c9de660c9f80b5abefe70
