cve/published/2025/CVE-2025-38637.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-38637: net_sched: skbprio: Remove overly strict queue assertions

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net_sched: skbprio: Remove overly strict queue assertions

 In the current implementation, skbprio enqueue/dequeue contains an assertion
 that fails under certain conditions when SKBPRIO is used as a child qdisc under
 TBF with specific parameters. The failure occurs because TBF sometimes peeks at
 packets in the child qdisc without actually dequeuing them when tokens are
 unavailable.

 This peek operation creates a discrepancy between the parent and child qdisc
 queue length counters. When TBF later receives a high-priority packet,
 SKBPRIO's queue length may show a different value than what's reflected in its
 internal priority queue tracking, triggering the assertion.

 The fix removes this overly strict assertions in SKBPRIO, they are not
 necessary at all.

 The Linux kernel CVE team has assigned CVE-2025-38637 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.19 with commit aea5f654e6b78a0c976f7a25950155932c77a53f and fixed in 5.4.292 with commit 7abc8318ce0712182bf0783dcfdd9a6a8331160e
 	Issue introduced in 4.19 with commit aea5f654e6b78a0c976f7a25950155932c77a53f and fixed in 5.10.236 with commit 1284733bab736e598341f1d3f3b94e2a322864a8
 	Issue introduced in 4.19 with commit aea5f654e6b78a0c976f7a25950155932c77a53f and fixed in 5.15.180 with commit 32ee79682315e6d3c99947b3f38b078a09a66919
 	Issue introduced in 4.19 with commit aea5f654e6b78a0c976f7a25950155932c77a53f and fixed in 6.1.134 with commit 1dcc144c322a8d526b791135604c0663f1af9d85
 	Issue introduced in 4.19 with commit aea5f654e6b78a0c976f7a25950155932c77a53f and fixed in 6.6.87 with commit 864ca690ff135078d374bd565b9872f161c614bc
 	Issue introduced in 4.19 with commit aea5f654e6b78a0c976f7a25950155932c77a53f and fixed in 6.12.23 with commit 2f35b7673a3aa3d09b3eb05811669622ebaa98ca
 	Issue introduced in 4.19 with commit aea5f654e6b78a0c976f7a25950155932c77a53f and fixed in 6.13.11 with commit 2286770b07cb5268c03d11274b8efd43dff0d380
 	Issue introduced in 4.19 with commit aea5f654e6b78a0c976f7a25950155932c77a53f and fixed in 6.14.2 with commit 034b293bf17c124fec0f0e663f81203b00aa7a50
 	Issue introduced in 4.19 with commit aea5f654e6b78a0c976f7a25950155932c77a53f and fixed in 6.15 with commit ce8fe975fd99b49c29c42e50f2441ba53112b2e8

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-38637
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/sched/sch_skbprio.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7abc8318ce0712182bf0783dcfdd9a6a8331160e
 	https://git.kernel.org/stable/c/1284733bab736e598341f1d3f3b94e2a322864a8
 	https://git.kernel.org/stable/c/32ee79682315e6d3c99947b3f38b078a09a66919
 	https://git.kernel.org/stable/c/1dcc144c322a8d526b791135604c0663f1af9d85
 	https://git.kernel.org/stable/c/864ca690ff135078d374bd565b9872f161c614bc
 	https://git.kernel.org/stable/c/2f35b7673a3aa3d09b3eb05811669622ebaa98ca
 	https://git.kernel.org/stable/c/2286770b07cb5268c03d11274b8efd43dff0d380
 	https://git.kernel.org/stable/c/034b293bf17c124fec0f0e663f81203b00aa7a50
 	https://git.kernel.org/stable/c/ce8fe975fd99b49c29c42e50f2441ba53112b2e8
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-38637: net_sched: skbprio: Remove overly strict queue assertions

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net_sched: skbprio: Remove overly strict queue assertions

	In the current implementation, skbprio enqueue/dequeue contains an assertion
	that fails under certain conditions when SKBPRIO is used as a child qdisc under
	TBF with specific parameters. The failure occurs because TBF sometimes peeks at
	packets in the child qdisc without actually dequeuing them when tokens are
	unavailable.

	This peek operation creates a discrepancy between the parent and child qdisc
	queue length counters. When TBF later receives a high-priority packet,
	SKBPRIO's queue length may show a different value than what's reflected in its
	internal priority queue tracking, triggering the assertion.

	The fix removes this overly strict assertions in SKBPRIO, they are not
	necessary at all.

	The Linux kernel CVE team has assigned CVE-2025-38637 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.19 with commit aea5f654e6b78a0c976f7a25950155932c77a53f and fixed in 5.4.292 with commit 7abc8318ce0712182bf0783dcfdd9a6a8331160e
	Issue introduced in 4.19 with commit aea5f654e6b78a0c976f7a25950155932c77a53f and fixed in 5.10.236 with commit 1284733bab736e598341f1d3f3b94e2a322864a8
	Issue introduced in 4.19 with commit aea5f654e6b78a0c976f7a25950155932c77a53f and fixed in 5.15.180 with commit 32ee79682315e6d3c99947b3f38b078a09a66919
	Issue introduced in 4.19 with commit aea5f654e6b78a0c976f7a25950155932c77a53f and fixed in 6.1.134 with commit 1dcc144c322a8d526b791135604c0663f1af9d85
	Issue introduced in 4.19 with commit aea5f654e6b78a0c976f7a25950155932c77a53f and fixed in 6.6.87 with commit 864ca690ff135078d374bd565b9872f161c614bc
	Issue introduced in 4.19 with commit aea5f654e6b78a0c976f7a25950155932c77a53f and fixed in 6.12.23 with commit 2f35b7673a3aa3d09b3eb05811669622ebaa98ca
	Issue introduced in 4.19 with commit aea5f654e6b78a0c976f7a25950155932c77a53f and fixed in 6.13.11 with commit 2286770b07cb5268c03d11274b8efd43dff0d380
	Issue introduced in 4.19 with commit aea5f654e6b78a0c976f7a25950155932c77a53f and fixed in 6.14.2 with commit 034b293bf17c124fec0f0e663f81203b00aa7a50
	Issue introduced in 4.19 with commit aea5f654e6b78a0c976f7a25950155932c77a53f and fixed in 6.15 with commit ce8fe975fd99b49c29c42e50f2441ba53112b2e8

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-38637
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/sched/sch_skbprio.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7abc8318ce0712182bf0783dcfdd9a6a8331160e
	https://git.kernel.org/stable/c/1284733bab736e598341f1d3f3b94e2a322864a8
	https://git.kernel.org/stable/c/32ee79682315e6d3c99947b3f38b078a09a66919
	https://git.kernel.org/stable/c/1dcc144c322a8d526b791135604c0663f1af9d85
	https://git.kernel.org/stable/c/864ca690ff135078d374bd565b9872f161c614bc
	https://git.kernel.org/stable/c/2f35b7673a3aa3d09b3eb05811669622ebaa98ca
	https://git.kernel.org/stable/c/2286770b07cb5268c03d11274b8efd43dff0d380
	https://git.kernel.org/stable/c/034b293bf17c124fec0f0e663f81203b00aa7a50
	https://git.kernel.org/stable/c/ce8fe975fd99b49c29c42e50f2441ba53112b2e8