lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2025072506-CVE-2025-38457-d302@gregkh>
Date: Fri, 25 Jul 2025 17:28:19 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38457: net/sched: Abort __tc_modify_qdisc if parent class does not exist

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

net/sched: Abort __tc_modify_qdisc if parent class does not exist

Lion's patch [1] revealed an ancient bug in the qdisc API.
Whenever a user creates/modifies a qdisc specifying as a parent another
qdisc, the qdisc API will, during grafting, detect that the user is
not trying to attach to a class and reject. However grafting is
performed after qdisc_create (and thus the qdiscs' init callback) is
executed. In qdiscs that eventually call qdisc_tree_reduce_backlog
during init or change (such as fq, hhf, choke, etc), an issue
arises. For example, executing the following commands:

sudo tc qdisc add dev lo root handle a: htb default 2
sudo tc qdisc add dev lo parent a: handle beef fq

Qdiscs such as fq, hhf, choke, etc unconditionally invoke
qdisc_tree_reduce_backlog() in their control path init() or change() which
then causes a failure to find the child class; however, that does not stop
the unconditional invocation of the assumed child qdisc's qlen_notify with
a null class. All these qdiscs make the assumption that class is non-null.

The solution is ensure that qdisc_leaf() which looks up the parent
class, and is invoked prior to qdisc_create(), should return failure on
not finding the class.
In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the
parentid doesn't correspond to a class, so that we can detect it
earlier on and abort before qdisc_create is called.

[1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/

The Linux kernel CVE team has assigned CVE-2025-38457 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 2.6.20 with commit 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 and fixed in 5.4.296 with commit 923a276c74e25073ae391e930792ac86a9f77f1e
	Issue introduced in 2.6.20 with commit 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 and fixed in 5.10.240 with commit 90436e72c9622c2f70389070088325a3232d339f
	Issue introduced in 2.6.20 with commit 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 and fixed in 5.15.189 with commit 25452638f133ac19d75af3f928327d8016952c8e
	Issue introduced in 2.6.20 with commit 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 and fixed in 6.1.146 with commit 23c165dde88eac405eebb59051ea1fe139a45803
	Issue introduced in 2.6.20 with commit 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 and fixed in 6.6.99 with commit 4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af
	Issue introduced in 2.6.20 with commit 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 and fixed in 6.12.39 with commit 8ecd651ef24ab50123692a4e3e25db93cb11602a
	Issue introduced in 2.6.20 with commit 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 and fixed in 6.15.7 with commit e28a383d6485c3bb51dc5953552f76c4dea33eea
	Issue introduced in 2.6.20 with commit 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 and fixed in 6.16-rc6 with commit ffdde7bf5a439aaa1955ebd581f5c64ab1533963

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-38457
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/sched/sch_api.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/923a276c74e25073ae391e930792ac86a9f77f1e
	https://git.kernel.org/stable/c/90436e72c9622c2f70389070088325a3232d339f
	https://git.kernel.org/stable/c/25452638f133ac19d75af3f928327d8016952c8e
	https://git.kernel.org/stable/c/23c165dde88eac405eebb59051ea1fe139a45803
	https://git.kernel.org/stable/c/4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af
	https://git.kernel.org/stable/c/8ecd651ef24ab50123692a4e3e25db93cb11602a
	https://git.kernel.org/stable/c/e28a383d6485c3bb51dc5953552f76c4dea33eea
	https://git.kernel.org/stable/c/ffdde7bf5a439aaa1955ebd581f5c64ab1533963

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ