cve/published/2025/CVE-2025-38000.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-38000: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()

 When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the
 child qdisc's peek() operation before incrementing sch->q.qlen and
 sch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may
 trigger an immediate dequeue and potential packet drop. In such cases,
 qdisc_tree_reduce_backlog() is called, but the HFSC qdisc's qlen and backlog
 have not yet been updated, leading to inconsistent queue accounting. This
 can leave an empty HFSC class in the active list, causing further
 consequences like use-after-free.

 This patch fixes the bug by moving the increment of sch->q.qlen and
 sch->qstats.backlog before the call to the child qdisc's peek() operation.
 This ensures that queue length and backlog are always accurate when packet
 drops or dequeues are triggered during the peek.

 The Linux kernel CVE team has assigned CVE-2025-38000 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.8 with commit 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 and fixed in 5.4.294 with commit 1034e3310752e8675e313f7271b348914008719a
 	Issue introduced in 4.8 with commit 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 and fixed in 5.10.238 with commit f9f593e34d2fb67644372c8f7b033bdc622ad228
 	Issue introduced in 4.8 with commit 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 and fixed in 5.15.185 with commit 89c301e929a0db14ebd94b4d97764ce1d6981653
 	Issue introduced in 4.8 with commit 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 and fixed in 6.1.141 with commit f1dde3eb17dc1b8bd07aed00004b1e05fc87a3d4
 	Issue introduced in 4.8 with commit 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 and fixed in 6.6.93 with commit 93c276942e75de0e5bc91576300d292e968f5a02
 	Issue introduced in 4.8 with commit 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 and fixed in 6.12.31 with commit 49b21795b8e5654a7df3d910a12e1060da4c04cf
 	Issue introduced in 4.8 with commit 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 and fixed in 6.14.9 with commit 3f3a22eebbc32b4fa8ce9c1d5f9db214b45b9335
 	Issue introduced in 4.8 with commit 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 and fixed in 6.15 with commit 3f981138109f63232a5fb7165938d4c945cc1b9d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-38000
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/sched/sch_hfsc.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/1034e3310752e8675e313f7271b348914008719a
 	https://git.kernel.org/stable/c/f9f593e34d2fb67644372c8f7b033bdc622ad228
 	https://git.kernel.org/stable/c/89c301e929a0db14ebd94b4d97764ce1d6981653
 	https://git.kernel.org/stable/c/f1dde3eb17dc1b8bd07aed00004b1e05fc87a3d4
 	https://git.kernel.org/stable/c/93c276942e75de0e5bc91576300d292e968f5a02
 	https://git.kernel.org/stable/c/49b21795b8e5654a7df3d910a12e1060da4c04cf
 	https://git.kernel.org/stable/c/3f3a22eebbc32b4fa8ce9c1d5f9db214b45b9335
 	https://git.kernel.org/stable/c/3f981138109f63232a5fb7165938d4c945cc1b9d
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-38000: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()

	When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the
	child qdisc's peek() operation before incrementing sch->q.qlen and
	sch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may
	trigger an immediate dequeue and potential packet drop. In such cases,
	qdisc_tree_reduce_backlog() is called, but the HFSC qdisc's qlen and backlog
	have not yet been updated, leading to inconsistent queue accounting. This
	can leave an empty HFSC class in the active list, causing further
	consequences like use-after-free.

	This patch fixes the bug by moving the increment of sch->q.qlen and
	sch->qstats.backlog before the call to the child qdisc's peek() operation.
	This ensures that queue length and backlog are always accurate when packet
	drops or dequeues are triggered during the peek.

	The Linux kernel CVE team has assigned CVE-2025-38000 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.8 with commit 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 and fixed in 5.4.294 with commit 1034e3310752e8675e313f7271b348914008719a
	Issue introduced in 4.8 with commit 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 and fixed in 5.10.238 with commit f9f593e34d2fb67644372c8f7b033bdc622ad228
	Issue introduced in 4.8 with commit 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 and fixed in 5.15.185 with commit 89c301e929a0db14ebd94b4d97764ce1d6981653
	Issue introduced in 4.8 with commit 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 and fixed in 6.1.141 with commit f1dde3eb17dc1b8bd07aed00004b1e05fc87a3d4
	Issue introduced in 4.8 with commit 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 and fixed in 6.6.93 with commit 93c276942e75de0e5bc91576300d292e968f5a02
	Issue introduced in 4.8 with commit 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 and fixed in 6.12.31 with commit 49b21795b8e5654a7df3d910a12e1060da4c04cf
	Issue introduced in 4.8 with commit 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 and fixed in 6.14.9 with commit 3f3a22eebbc32b4fa8ce9c1d5f9db214b45b9335
	Issue introduced in 4.8 with commit 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 and fixed in 6.15 with commit 3f981138109f63232a5fb7165938d4c945cc1b9d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-38000
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/sched/sch_hfsc.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/1034e3310752e8675e313f7271b348914008719a
	https://git.kernel.org/stable/c/f9f593e34d2fb67644372c8f7b033bdc622ad228
	https://git.kernel.org/stable/c/89c301e929a0db14ebd94b4d97764ce1d6981653
	https://git.kernel.org/stable/c/f1dde3eb17dc1b8bd07aed00004b1e05fc87a3d4
	https://git.kernel.org/stable/c/93c276942e75de0e5bc91576300d292e968f5a02
	https://git.kernel.org/stable/c/49b21795b8e5654a7df3d910a12e1060da4c04cf
	https://git.kernel.org/stable/c/3f3a22eebbc32b4fa8ce9c1d5f9db214b45b9335
	https://git.kernel.org/stable/c/3f981138109f63232a5fb7165938d4c945cc1b9d