| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025081956-CVE-2025-38553-4ecb@gregkh> Date: Tue, 19 Aug 2025 08:06:57 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38553: net/sched: Restrict conditions for adding duplicating netems to qdisc tree From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: net/sched: Restrict conditions for adding duplicating netems to qdisc tree netem_enqueue's duplication prevention logic breaks when a netem resides in a qdisc tree with other netems - this can lead to a soft lockup and OOM loop in netem_dequeue, as seen in [1]. Ensure that a duplicating netem cannot exist in a tree with other netems. Previous approaches suggested in discussions in chronological order: 1) Track duplication status or ttl in the sk_buff struct. Considered too specific a use case to extend such a struct, though this would be a resilient fix and address other previous and potential future DOS bugs like the one described in loopy fun [2]. 2) Restrict netem_enqueue recursion depth like in act_mirred with a per cpu variable. However, netem_dequeue can call enqueue on its child, and the depth restriction could be bypassed if the child is a netem. 3) Use the same approach as in 2, but add metadata in netem_skb_cb to handle the netem_dequeue case and track a packet's involvement in duplication. This is an overly complex approach, and Jamal notes that the skb cb can be overwritten to circumvent this safeguard. 4) Prevent the addition of a netem to a qdisc tree if its ancestral path contains a netem. However, filters and actions can cause a packet to change paths when re-enqueued to the root from netem duplication, leading us to the current solution: prevent a duplicating netem from inhabiting the same tree as other netems. [1] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/ [2] https://lwn.net/Articles/719297/ The Linux kernel CVE team has assigned CVE-2025-38553 to this issue. Affected and fixed versions =========================== Issue introduced in 2.6.12 with commit 0afb51e72855971dba83b3c6b70c547c2d1161fd and fixed in 6.1.148 with commit 325f5ec67cc0a77f2d0d453445b9857f1cd06c76 Issue introduced in 2.6.12 with commit 0afb51e72855971dba83b3c6b70c547c2d1161fd and fixed in 6.6.102 with commit 103c4e27ec9f5fe53022e46e976abf52c7221baf Issue introduced in 2.6.12 with commit 0afb51e72855971dba83b3c6b70c547c2d1161fd and fixed in 6.12.42 with commit 795cb393e38977aa991e70a9363da0ee734b2114 Issue introduced in 2.6.12 with commit 0afb51e72855971dba83b3c6b70c547c2d1161fd and fixed in 6.15.10 with commit 250f8796006c0f2bc638ce545f601d49ae8d528b Issue introduced in 2.6.12 with commit 0afb51e72855971dba83b3c6b70c547c2d1161fd and fixed in 6.16.1 with commit 09317dfb681ac5a96fc69bea0c54441cf91b8270 Issue introduced in 2.6.12 with commit 0afb51e72855971dba83b3c6b70c547c2d1161fd and fixed in 6.17-rc1 with commit ec8e0e3d7adef940cdf9475e2352c0680189d14e Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38553 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/sched/sch_netem.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/325f5ec67cc0a77f2d0d453445b9857f1cd06c76 https://git.kernel.org/stable/c/103c4e27ec9f5fe53022e46e976abf52c7221baf https://git.kernel.org/stable/c/795cb393e38977aa991e70a9363da0ee734b2114 https://git.kernel.org/stable/c/250f8796006c0f2bc638ce545f601d49ae8d528b https://git.kernel.org/stable/c/09317dfb681ac5a96fc69bea0c54441cf91b8270 https://git.kernel.org/stable/c/ec8e0e3d7adef940cdf9475e2352c0680189d14e
Powered by blists - more mailing lists