cve/published/2025/CVE-2025-37752.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-37752: net_sched: sch_sfq: move the limit validation

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net_sched: sch_sfq: move the limit validation

 It is not sufficient to directly validate the limit on the data that
 the user passes as it can be updated based on how the other parameters
 are changed.

 Move the check at the end of the configuration update process to also
 catch scenarios where the limit is indirectly updated, for example
 with the following configurations:

 tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1
 tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1

 This fixes the following syzkaller reported crash:

 ------------[ cut here ]------------
 UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6
 index 65535 is out of range for type 'struct sfq_head[128]'
 CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:94 [inline]
  dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120
  ubsan_epilogue lib/ubsan.c:231 [inline]
  __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429
  sfq_link net/sched/sch_sfq.c:203 [inline]
  sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231
  sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493
  sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518
  qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035
  tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339
  qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035
  dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311
  netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline]
  dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375

 The Linux kernel CVE team has assigned CVE-2025-37752 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.1.129 with commit 35d0137305ae2f97260a9047f445bd4434bd6cc7 and fixed in 6.1.135 with commit 1348214fa042a71406964097e743c87a42c85a49
 	Issue introduced in 6.6.76 with commit 833e9a1c27b82024db7ff5038a51651f48f05e5e and fixed in 6.6.88 with commit d2718324f9e329b10ddc091fba5a0ba2b9d4d96a
 	Issue introduced in 6.12.13 with commit 7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4 and fixed in 6.12.24 with commit f86293adce0c201cfabb283ef9d6f21292089bb8
 	Issue introduced in 6.13.2 with commit 7fefc294204f10a3405f175f4ac2be16d63f135e and fixed in 6.13.12 with commit 5e5e1fcc1b8ed57f902c424c5d9b328a3a19073d
 	Issue introduced in 6.14 with commit 10685681bafce6febb39770f3387621bf5d67d0b and fixed in 6.14.3 with commit b36a68192037d1614317a09b0d78c7814e2eecf9
 	Issue introduced in 6.14 with commit 10685681bafce6febb39770f3387621bf5d67d0b and fixed in 6.15 with commit b3bf8f63e6179076b57c9de660c9f80b5abefe70

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-37752
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/sched/sch_sfq.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/1348214fa042a71406964097e743c87a42c85a49
 	https://git.kernel.org/stable/c/d2718324f9e329b10ddc091fba5a0ba2b9d4d96a
 	https://git.kernel.org/stable/c/f86293adce0c201cfabb283ef9d6f21292089bb8
 	https://git.kernel.org/stable/c/5e5e1fcc1b8ed57f902c424c5d9b328a3a19073d
 	https://git.kernel.org/stable/c/b36a68192037d1614317a09b0d78c7814e2eecf9
 	https://git.kernel.org/stable/c/b3bf8f63e6179076b57c9de660c9f80b5abefe70
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-37752: net_sched: sch_sfq: move the limit validation

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net_sched: sch_sfq: move the limit validation

	It is not sufficient to directly validate the limit on the data that
	the user passes as it can be updated based on how the other parameters
	are changed.

	Move the check at the end of the configuration update process to also
	catch scenarios where the limit is indirectly updated, for example
	with the following configurations:

	tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1
	tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1

	This fixes the following syzkaller reported crash:

	------------[ cut here ]------------
	UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6
	index 65535 is out of range for type 'struct sfq_head[128]'
	CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:94 [inline]
	dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120
	ubsan_epilogue lib/ubsan.c:231 [inline]
	__ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429
	sfq_link net/sched/sch_sfq.c:203 [inline]
	sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231
	sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493
	sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518
	qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035
	tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339
	qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035
	dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311
	netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline]
	dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375

	The Linux kernel CVE team has assigned CVE-2025-37752 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.1.129 with commit 35d0137305ae2f97260a9047f445bd4434bd6cc7 and fixed in 6.1.135 with commit 1348214fa042a71406964097e743c87a42c85a49
	Issue introduced in 6.6.76 with commit 833e9a1c27b82024db7ff5038a51651f48f05e5e and fixed in 6.6.88 with commit d2718324f9e329b10ddc091fba5a0ba2b9d4d96a
	Issue introduced in 6.12.13 with commit 7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4 and fixed in 6.12.24 with commit f86293adce0c201cfabb283ef9d6f21292089bb8
	Issue introduced in 6.13.2 with commit 7fefc294204f10a3405f175f4ac2be16d63f135e and fixed in 6.13.12 with commit 5e5e1fcc1b8ed57f902c424c5d9b328a3a19073d
	Issue introduced in 6.14 with commit 10685681bafce6febb39770f3387621bf5d67d0b and fixed in 6.14.3 with commit b36a68192037d1614317a09b0d78c7814e2eecf9
	Issue introduced in 6.14 with commit 10685681bafce6febb39770f3387621bf5d67d0b and fixed in 6.15 with commit b3bf8f63e6179076b57c9de660c9f80b5abefe70

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37752
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/sched/sch_sfq.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/1348214fa042a71406964097e743c87a42c85a49
	https://git.kernel.org/stable/c/d2718324f9e329b10ddc091fba5a0ba2b9d4d96a
	https://git.kernel.org/stable/c/f86293adce0c201cfabb283ef9d6f21292089bb8
	https://git.kernel.org/stable/c/5e5e1fcc1b8ed57f902c424c5d9b328a3a19073d
	https://git.kernel.org/stable/c/b36a68192037d1614317a09b0d78c7814e2eecf9
	https://git.kernel.org/stable/c/b3bf8f63e6179076b57c9de660c9f80b5abefe70