ACK: [SRU][J/N/O/P][PATCH 0/1] CVE-2025-37890

Stefan Bader stefan.bader at canonical.com
Tue Jun 3 14:13:21 UTC 2025 

On 29.05.25 01:14, Ian Whitfield wrote:
> [Impact]
> 
> net_sched: hfsc: Fix a UAF vulnerability in class
> 
> As described in Gerrard's report [1], we have a UAF case when an hfsc class
> has a netem child qdisc. The crux of the issue is that hfsc is assuming
> that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted
> the class in the vttree or eltree (which is not true for the netem
> duplicate case).
> 
> This patch checks the n_active class variable to make sure that the code
> won't insert the class in the vttree or eltree twice, catering for the
> reentrant case.
> 
> [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/
> 
> [Backport]
> 
> The patch applied cleanly.
> 
> [Fix]
> 
> Plucky:   cherry pick
> Oracular: cherry pick
> Noble:    cherry pick
> Jammy:    cherry pick
> Focal:    sent to ESM ML
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> This fix affects those who use a Hierarchical Fair Service Curve (HFSC) network
> scheduler queue discipline (qdisc) with a child Network Emulator (netem) qdisc.
> An issue with this fix would be visible to the user as a use-after-free which
> could read private information or crash the kernel.
> 
> Victor Nogueira (1):
>    net_sched: hfsc: Fix a UAF vulnerability in class with netem as child
>      qdisc
> 
>   net/sched/sch_hfsc.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 

Acked-by: Stefan Bader <stefan.bader at canonical.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 47863 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20250603/2bac07be/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20250603/2bac07be/attachment-0001.sig>

More information about the kernel-team mailing list