| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025091144-CVE-2025-39766-7465@gregkh>
Date: Thu, 11 Sep 2025 18:56:45 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-39766: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit
The following setup can trigger a WARNING in htb_activate due to
the condition: !cl->leaf.q->q.qlen
tc qdisc del dev lo root
tc qdisc add dev lo root handle 1: htb default 1
tc class add dev lo parent 1: classid 1:1 \
htb rate 64bit
tc qdisc add dev lo parent 1:1 handle f: \
cake memlimit 1b
ping -I lo -f -c1 -s64 -W0.001 127.0.0.1
This is because the low memlimit leads to a low buffer_limit, which
causes packet dropping. However, cake_enqueue still returns
NET_XMIT_SUCCESS, causing htb_enqueue to call htb_activate with an
empty child qdisc. We should return NET_XMIT_CN when packets are
dropped from the same tin and flow.
I do not believe return value of NET_XMIT_CN is necessary for packet
drops in the case of ack filtering, as that is meant to optimize
performance, not to signal congestion.
The Linux kernel CVE team has assigned CVE-2025-39766 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.19 with commit 046f6fd5daefac7f5abdafb436b30f63bc7c602b and fixed in 5.4.297 with commit 7689ab22de36f8db19095f6bdf11f28cfde92f5c
Issue introduced in 4.19 with commit 046f6fd5daefac7f5abdafb436b30f63bc7c602b and fixed in 5.10.241 with commit de04ddd2980b48caa8d7e24a7db2742917a8b280
Issue introduced in 4.19 with commit 046f6fd5daefac7f5abdafb436b30f63bc7c602b and fixed in 5.15.190 with commit 0dacfc5372e314d1219f03e64dde3ab495a5a25e
Issue introduced in 4.19 with commit 046f6fd5daefac7f5abdafb436b30f63bc7c602b and fixed in 6.1.149 with commit 710866fc0a64eafcb8bacd91bcb1329eb7e5035f
Issue introduced in 4.19 with commit 046f6fd5daefac7f5abdafb436b30f63bc7c602b and fixed in 6.6.103 with commit aa12ee1c1bd260943fd6ab556d8635811c332eeb
Issue introduced in 4.19 with commit 046f6fd5daefac7f5abdafb436b30f63bc7c602b and fixed in 6.12.44 with commit ff57186b2cc39766672c4c0332323933e5faaa88
Issue introduced in 4.19 with commit 046f6fd5daefac7f5abdafb436b30f63bc7c602b and fixed in 6.16.4 with commit 62d591dde4defb1333d202410609c4ddeae060b3
Issue introduced in 4.19 with commit 046f6fd5daefac7f5abdafb436b30f63bc7c602b and fixed in 6.17-rc3 with commit 15de71d06a400f7fdc15bf377a2552b0ec437cf5
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-39766
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/sched/sch_cake.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/7689ab22de36f8db19095f6bdf11f28cfde92f5c
https://git.kernel.org/stable/c/de04ddd2980b48caa8d7e24a7db2742917a8b280
https://git.kernel.org/stable/c/0dacfc5372e314d1219f03e64dde3ab495a5a25e
https://git.kernel.org/stable/c/710866fc0a64eafcb8bacd91bcb1329eb7e5035f
https://git.kernel.org/stable/c/aa12ee1c1bd260943fd6ab556d8635811c332eeb
https://git.kernel.org/stable/c/ff57186b2cc39766672c4c0332323933e5faaa88
https://git.kernel.org/stable/c/62d591dde4defb1333d202410609c4ddeae060b3
https://git.kernel.org/stable/c/15de71d06a400f7fdc15bf377a2552b0ec437cf5
Powered by blists - more mailing lists