| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025052001-CVE-2025-37953-d825@gregkh>
Date: Tue, 20 May 2025 18:02:07 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-37953: sch_htb: make htb_deactivate() idempotent
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
sch_htb: make htb_deactivate() idempotent
Alan reported a NULL pointer dereference in htb_next_rb_node()
after we made htb_qlen_notify() idempotent.
It turns out in the following case it introduced some regression:
htb_dequeue_tree():
|-> fq_codel_dequeue()
|-> qdisc_tree_reduce_backlog()
|-> htb_qlen_notify()
|-> htb_deactivate()
|-> htb_next_rb_node()
|-> htb_deactivate()
For htb_next_rb_node(), after calling the 1st htb_deactivate(), the
clprio[prio]->ptr could be already set to NULL, which means
htb_next_rb_node() is vulnerable here.
For htb_deactivate(), although we checked qlen before calling it, in
case of qlen==0 after qdisc_tree_reduce_backlog(), we may call it again
which triggers the warning inside.
To fix the issues here, we need to:
1) Make htb_deactivate() idempotent, that is, simply return if we
already call it before.
2) Make htb_next_rb_node() safe against ptr==NULL.
Many thanks to Alan for testing and for the reproducer.
The Linux kernel CVE team has assigned CVE-2025-37953 to this issue.
Affected and fixed versions
===========================
Issue introduced in 6.1.138 with commit 73cf6af13153d62f9b76eff422eea79dbc70f15e and fixed in 6.1.139 with commit c928dd4f6bf0c25c72b11824a1e9ac9bd37296a0
Issue introduced in 6.6.90 with commit bbbf5e0f87078b715e7a665d662a2c0e77f044ae and fixed in 6.6.91 with commit 31ff70ad39485698cf779f2078132d80b57f6c07
Issue introduced in 6.12.28 with commit 0a188c0e197383683fd093ab1ea6ce9a5869a6ea and fixed in 6.12.29 with commit 98cd7ed92753090a714f0802d4434314526fe61d
Issue introduced in 6.14.6 with commit a61f1b5921761fbaf166231418bc1db301e5bf59 and fixed in 6.14.7 with commit c4792b9e38d2f61b07eac72f10909fa76130314b
Issue introduced in 6.15-rc2 with commit 5ba8b837b522d7051ef81bacf3d95383ff8edce5 and fixed in 6.15-rc6 with commit 3769478610135e82b262640252d90f6efb05be71
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-37953
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/sched/sch_htb.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/c928dd4f6bf0c25c72b11824a1e9ac9bd37296a0
https://git.kernel.org/stable/c/31ff70ad39485698cf779f2078132d80b57f6c07
https://git.kernel.org/stable/c/98cd7ed92753090a714f0802d4434314526fe61d
https://git.kernel.org/stable/c/c4792b9e38d2f61b07eac72f10909fa76130314b
https://git.kernel.org/stable/c/3769478610135e82b262640252d90f6efb05be71
Powered by blists - more mailing lists