| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025070323-CVE-2025-38107-9344@gregkh> Date: Thu, 3 Jul 2025 10:35:24 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38107: net_sched: ets: fix a race in ets_qdisc_change() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: fix a race in ets_qdisc_change() Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock. The Linux kernel CVE team has assigned CVE-2025-38107 to this issue. Affected and fixed versions =========================== Issue introduced in 5.10.142 with commit 699d82e9a6db29d509a71f1f2f4316231e6232e6 and fixed in 5.10.239 with commit eb7b74e9754e1ba2088f914ad1f57a778b11894b Issue introduced in 5.15.66 with commit ce881ddbdc028fb1988b66e40e45ca0529c23b46 and fixed in 5.15.186 with commit 0b479d0aa488cb478eb2e1d8868be946ac8afb4f Issue introduced in 6.0 with commit b05972f01e7d30419987a1f221b5593668fd6448 and fixed in 6.1.142 with commit 347867cb424edae5fec1622712c8dd0a2c42918f Issue introduced in 6.0 with commit b05972f01e7d30419987a1f221b5593668fd6448 and fixed in 6.6.94 with commit 0383b25488a545be168744336847549d4a2d3d6c Issue introduced in 6.0 with commit b05972f01e7d30419987a1f221b5593668fd6448 and fixed in 6.12.34 with commit 073f64c03516bcfaf790f8edc772e0cfb8a84ec3 Issue introduced in 6.0 with commit b05972f01e7d30419987a1f221b5593668fd6448 and fixed in 6.15.3 with commit fed94bd51d62d2e0e006aa61480e94e5cd0582b0 Issue introduced in 6.0 with commit b05972f01e7d30419987a1f221b5593668fd6448 and fixed in 6.16-rc2 with commit d92adacdd8c2960be856e0b82acc5b7c5395fddb Issue introduced in 5.4.213 with commit fffa19b5e58c34004a0d6f642d9c24b11d213994 Issue introduced in 5.19.8 with commit fb155f6597cd7bc3aeed668c3bb15fc3b7cb257d Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38107 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/sched/sch_ets.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/eb7b74e9754e1ba2088f914ad1f57a778b11894b https://git.kernel.org/stable/c/0b479d0aa488cb478eb2e1d8868be946ac8afb4f https://git.kernel.org/stable/c/347867cb424edae5fec1622712c8dd0a2c42918f https://git.kernel.org/stable/c/0383b25488a545be168744336847549d4a2d3d6c https://git.kernel.org/stable/c/073f64c03516bcfaf790f8edc772e0cfb8a84ec3 https://git.kernel.org/stable/c/fed94bd51d62d2e0e006aa61480e94e5cd0582b0 https://git.kernel.org/stable/c/d92adacdd8c2960be856e0b82acc5b7c5395fddb
Powered by blists - more mailing lists