| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025121802-CVE-2025-68325-13a9@gregkh> Date: Thu, 18 Dec 2025 16:02:55 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-68325: net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop In cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen and backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes that the parent qdisc will enqueue the current packet. However, this assumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent qdisc stops enqueuing current packet, leaving the tree qlen/backlog accounting inconsistent. This mismatch can lead to a NULL dereference (e.g., when the parent Qdisc is qfq_qdisc). This patch computes the qlen/backlog delta in a more robust way by observing the difference before and after the series of cake_drop() calls, and then compensates the qdisc tree accounting if cake_enqueue() returns NET_XMIT_CN. To ensure correct compensation when ACK thinning is enabled, a new variable is introduced to keep qlen unchanged. The Linux kernel CVE team has assigned CVE-2025-68325 to this issue. Affected and fixed versions =========================== Issue introduced in 6.12.44 with commit ff57186b2cc39766672c4c0332323933e5faaa88 and fixed in 6.12.63 with commit 0b6216f9b3d1c33c76f74511026e5de5385ee520 Issue introduced in 6.17 with commit 15de71d06a400f7fdc15bf377a2552b0ec437cf5 and fixed in 6.17.13 with commit 529c284cc2815c8350860e9a31722050fe7117cb Issue introduced in 6.17 with commit 15de71d06a400f7fdc15bf377a2552b0ec437cf5 and fixed in 6.18.2 with commit 3ed6c458530a547ed0c9ea0b02b19bab620be88b Issue introduced in 6.17 with commit 15de71d06a400f7fdc15bf377a2552b0ec437cf5 and fixed in 6.19-rc1 with commit 9fefc78f7f02d71810776fdeb119a05a946a27cc Issue introduced in 5.4.297 with commit 7689ab22de36f8db19095f6bdf11f28cfde92f5c Issue introduced in 5.10.241 with commit de04ddd2980b48caa8d7e24a7db2742917a8b280 Issue introduced in 5.15.190 with commit 0dacfc5372e314d1219f03e64dde3ab495a5a25e Issue introduced in 6.1.149 with commit 710866fc0a64eafcb8bacd91bcb1329eb7e5035f Issue introduced in 6.6.103 with commit aa12ee1c1bd260943fd6ab556d8635811c332eeb Issue introduced in 6.16.4 with commit 62d591dde4defb1333d202410609c4ddeae060b3 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-68325 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/sched/sch_cake.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/0b6216f9b3d1c33c76f74511026e5de5385ee520 https://git.kernel.org/stable/c/529c284cc2815c8350860e9a31722050fe7117cb https://git.kernel.org/stable/c/3ed6c458530a547ed0c9ea0b02b19bab620be88b https://git.kernel.org/stable/c/9fefc78f7f02d71810776fdeb119a05a946a27cc
Powered by blists - more mailing lists