Message-ID: <2025090447-CVE-2025-38684-db4c@gregkh>
Date: Thu, 4 Sep 2025 17:32:49 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38684: net/sched: ets: use old 'nbands' while purging unused classes
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
net/sched: ets: use old 'nbands' while purging unused classes
Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify()
after recent changes from Lion [2]. The problem is: in ets_qdisc_change()
we purge unused DWRR queues; the value of 'q->nbands' is the new one, and
the cleanup should be done with the old one. The problem is here since my
first attempts to fix ets_qdisc_change(), but it surfaced again after the
recent qdisc len accounting fixes. Fix it purging idle DWRR queues before
assigning a new value of 'q->nbands', so that all purge operations find a
consistent configuration:
- old 'q->nbands' because it's needed by ets_class_find()
- old 'q->nstrict' because it's needed by ets_class_is_strict()
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary)
Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021
RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80
Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab
RSP: 0018:ffffba186009f400 EFLAGS: 00010202
RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004
RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004
R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000
R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000
FS: 00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
ets_class_qlen_notify+0x65/0x90 [sch_ets]
qdisc_tree_reduce_backlog+0x74/0x110
ets_qdisc_change+0x630/0xa40 [sch_ets]
__tc_modify_qdisc.constprop.0+0x216/0x7f0
tc_modify_qdisc+0x7c/0x120
rtnetlink_rcv_msg+0x145/0x3f0
netlink_rcv_skb+0x53/0x100
netlink_unicast+0x245/0x390
netlink_sendmsg+0x21b/0x470
____sys_sendmsg+0x39d/0x3d0
___sys_sendmsg+0x9a/0xe0
__sys_sendmsg+0x7a/0xd0
do_syscall_64+0x7d/0x160
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f2155114084
Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89
RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084
RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003
RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f
R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0
R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0
</TASK>
[1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/
[2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/
The Linux kernel CVE team has assigned CVE-2025-38684 to this issue.
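Editor's note, added here and not part of the original announcement or of the kernel source: the ordering hazard described above is easy to lose in the real sch_ets.c, so the following user-space C model reproduces it in isolation. It is a deliberate simplification: the struct layout, the helper names (ets_class_find, ets_class_from_arg, ets_class_qlen_notify, purge_band) and the return codes are stand-ins loosely modelled on the names in the call trace, not the kernel's API, and where the kernel would dereference a wild pointer the model returns -1 so the fault can be counted instead of crashing. The trace shows the path is reached from tc_modify_qdisc via rtnetlink, i.e. a qdisc change, which needs CAP_NET_ADMIN in the network namespace; inside a user namespace an unprivileged user can obtain that capability, so treat this as a local denial of service.

```c
/* Added example: user-space model of the nbands ordering bug in
 * ets_qdisc_change(). NOT the kernel's sch_ets.c; names and layout are
 * simplified stand-ins for illustration only. */
#include <stdio.h>
#include <string.h>

#define MAX_BANDS 16

struct ets_class {
	unsigned int qlen;   /* packets queued in this band's child qdisc */
	int on_active;       /* 1 if linked on the DWRR active list */
};

struct ets_sched {
	unsigned int nbands;  /* bands currently configured */
	unsigned int nstrict; /* first nstrict bands are strict priority */
	struct ets_class classes[MAX_BANDS];
};

/* Class handles are 1-based minors; a minor past nbands is not a class,
 * so the lookup fails and returns 0. This is why old nbands is needed. */
static unsigned long ets_class_find(const struct ets_sched *q, unsigned int minor)
{
	return (minor == 0 || minor > q->nbands) ? 0 : minor;
}

/* The kernel indexes &q->classes[arg - 1] unchecked; arg == 0 yields a
 * wild pointer and the list_del() in the notify path oopses. We return
 * NULL so the caller can count the fault. */
static struct ets_class *ets_class_from_arg(struct ets_sched *q, unsigned long arg)
{
	return (arg == 0 || arg > MAX_BANDS) ? NULL : &q->classes[arg - 1];
}

/* Needs the *old* nstrict to classify bands being purged. */
static int ets_class_is_strict(const struct ets_sched *q, const struct ets_class *cl)
{
	return (unsigned int)(cl - q->classes) < q->nstrict;
}

/* Model of cl_ops->qlen_notify: unlink an emptied DWRR class. */
static int ets_class_qlen_notify(struct ets_sched *q, unsigned long arg)
{
	struct ets_class *cl = ets_class_from_arg(q, arg);

	if (!cl)
		return -1;               /* kernel: crash, as in the trace */
	if (!ets_class_is_strict(q, cl))
		cl->on_active = 0;
	return 0;
}

/* Model of qdisc_purge_queue() -> qdisc_tree_reduce_backlog(): drop the
 * band's packets, then notify the owning class by looking it up again. */
static int purge_band(struct ets_sched *q, unsigned int band)
{
	unsigned int dropped = q->classes[band].qlen;

	q->classes[band].qlen = 0;
	if (!dropped)
		return 0;                /* no qlen change, no notification */
	return ets_class_qlen_notify(q, ets_class_find(q, band + 1));
}

/* Buggy ordering: new nbands/nstrict committed before the purge, so the
 * lookups inside the purge see the new config. Returns failed notifies. */
static int ets_change_buggy(struct ets_sched *q, unsigned int nbands, unsigned int nstrict)
{
	unsigned int oldbands = q->nbands, i;
	int faults = 0;

	q->nbands = nbands;
	q->nstrict = nstrict;
	for (i = nbands; i < oldbands; i++)
		faults += purge_band(q, i) < 0;
	return faults;
}

/* Fixed ordering: purge under the old configuration, then commit. */
static int ets_change_fixed(struct ets_sched *q, unsigned int nbands, unsigned int nstrict)
{
	unsigned int oldbands = q->nbands, i;
	int faults = 0;

	for (i = nbands; i < oldbands; i++)
		faults += purge_band(q, i) < 0;
	q->nbands = nbands;
	q->nstrict = nstrict;
	return faults;
}

static int active_count(const struct ets_sched *q)
{
	int n = 0;
	unsigned int i;

	for (i = 0; i < MAX_BANDS; i++)
		n += q->classes[i].on_active;
	return n;
}

/* Constructed starting state: 8 bands, 2 strict, every band holding packets. */
static void setup(struct ets_sched *q)
{
	unsigned int i;

	memset(q, 0, sizeof(*q));
	q->nbands = 8;
	q->nstrict = 2;
	for (i = 0; i < q->nbands; i++) {
		q->classes[i].qlen = 3;
		q->classes[i].on_active = i >= q->nstrict;
	}
}

/* Shrink 8 -> 4 bands through one path; returns faults, reports how many
 * bands are still linked on the active list via *active. */
static int shrink_8_to_4(int use_fixed, int *active)
{
	struct ets_sched q;
	int faults;

	setup(&q);
	faults = use_fixed ? ets_change_fixed(&q, 4, 2) : ets_change_buggy(&q, 4, 2);
	*active = active_count(&q);
	return faults;
}

int main(void)
{
	int active;

	printf("buggy: %d faulting notifies, %d bands left active\n",
	       shrink_8_to_4(0, &active), active);
	printf("fixed: %d faulting notifies, %d bands left active\n",
	       shrink_8_to_4(1, &active), active);
	return 0;
}
```

With the buggy ordering every purged band fails its lookup (4 faults) and all four stay linked on the active list, which is the stale list entry the oops above dereferences; with the purge moved ahead of the assignment, no lookup fails and only the two surviving DWRR bands remain active.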
Affected and fixed versions
===========================
Issue introduced in 5.6 with commit dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 and fixed in 5.10.241 with commit bdfddcde86e8b9245d9c0c2efe2b6fe8dcf6bf41
Issue introduced in 5.6 with commit dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 and fixed in 5.15.190 with commit be9692dafdfb36d9c43afd9d4e1d9d9ba8e7b51b
Issue introduced in 5.6 with commit dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 and fixed in 6.1.149 with commit 97ec167cd2e8a81a2d87331a2ed92daf007542c8
Issue introduced in 5.6 with commit dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 and fixed in 6.6.103 with commit 84a24fb446ee07b22b64aae6f0e3f4a38266310a
Issue introduced in 5.6 with commit dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 and fixed in 6.12.43 with commit 5b3b346bc4c2aa2c428735438a11989d251f32f1
Issue introduced in 5.6 with commit dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 and fixed in 6.15.11 with commit d69f4a258cd91b3bcef7089eb0401005aae2aed5
Issue introduced in 5.6 with commit dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 and fixed in 6.16.2 with commit 970c1c731c4ede46d05f5b0355724d1e400cfbca
Issue introduced in 5.6 with commit dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 and fixed in 6.17-rc2 with commit 87c6efc5ce9c126ae4a781bc04504b83780e3650
Issue introduced in 5.4.296 with commit 3b290923ad2b23596208c1e29520badef4356a43
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-38684
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/sched/sch_ets.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/bdfddcde86e8b9245d9c0c2efe2b6fe8dcf6bf41
https://git.kernel.org/stable/c/be9692dafdfb36d9c43afd9d4e1d9d9ba8e7b51b
https://git.kernel.org/stable/c/97ec167cd2e8a81a2d87331a2ed92daf007542c8
https://git.kernel.org/stable/c/84a24fb446ee07b22b64aae6f0e3f4a38266310a
https://git.kernel.org/stable/c/5b3b346bc4c2aa2c428735438a11989d251f32f1
https://git.kernel.org/stable/c/d69f4a258cd91b3bcef7089eb0401005aae2aed5
https://git.kernel.org/stable/c/970c1c731c4ede46d05f5b0355724d1e400cfbca
https://git.kernel.org/stable/c/87c6efc5ce9c126ae4a781bc04504b83780e3650