ACK: [SRU][J/N/O/P][PATCH v2 0/2] CVE-2025-37890

Emil Renner Berthing emil.renner.berthing at canonical.com
Fri Jun 13 10:10:09 UTC 2025


Acked-by: Emil Renner Berthing <emil.renner.berthing at canonical.com>

Ian Whitfield wrote:
> [Impact]
>
> net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc
>
> As described in Gerrard's report [1], we have a UAF case when an hfsc class
> has a netem child qdisc. The crux of the issue is that hfsc is assuming
> that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted
> the class in the vttree or eltree (which is not true for the netem
> duplicate case).
>
> This patch checks the n_active class variable to make sure that the code
> won't insert the class in the vttree or eltree twice, catering for the
> reentrant case.
>
> [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/
>
> [Backport]
>
> The fix commit marked for this CVE, 141d34391abb ("net_sched: hfsc: Fix a UAF
> vulnerability in class with netem as child qdisc") cherry-picked cleanly. Two
> follow-up commits were added to further resolve UAF vulnerabilities in the same
> function. Jammy had already received the initial fix via stable updates, so this
> patchset adds just the two follow-ups for that kernel.
>
> [Fix]
>
> Plucky:   cherry picked fix and follow-ups
> Oracular: cherry picked fix and follow-ups
> Noble:    cherry picked fix and follow-ups
> Jammy:    cherry picked follow-ups
> Focal:    sent to ESM ML
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use a Hierarchical Fair Service Curve (HFSC) network
> scheduler queue discipline (qdisc) with a child Network Emulator (netem) qdisc.
> An issue with this fix would be visible to the user as a use-after-free which
> could read private information or crash the kernel.
>
> v2: Added follow-up commit ac9fe7dd8e73 ("net_sched: hfsc: Address reentrant
>  enqueue adding class to eltree twice") which conflicted with 3f981138109f
>  ("sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()") which
>  resolved another UAF bug in the same function. The conflicting commit was also
>  pulled in so that all commits applied cleanly and this function is most up to
>  date with UAF vulnerability patches.
>
> Cong Wang (1):
>   sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()
>
> Pedro Tammela (1):
>   net_sched: hfsc: Address reentrant enqueue adding class to eltree
>     twice
>
> Victor Nogueira (1):
>   net_sched: hfsc: Fix a UAF vulnerability in class with netem as child
>     qdisc
>
>  net/sched/sch_hfsc.c | 15 +++++++++++----
>  1 file changed, 11 insertions(+), 4 deletions(-)
>
> --
> 2.43.0
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
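The SRU test case above is "compile and boot tested", which does not exercise the hfsc/netem path the fix changes. The script below is an added example, not part of the ACK or of the SRU posting, that builds the one topology the cover letter names: an hfsc root with a single class whose child qdisc is netem using `duplicate`. netem's duplicate option re-enqueues the cloned skb at the root qdisc, so the copy re-enters hfsc_enqueue for the same class while the original enqueue is still in progress, which is the reentrant case the patches guard against. Namespace, device and address names, the 1mbit service curve and the 10ms delay are arbitrary choices for this example, and the dmesg grep is only a smoke check (a use-after-free is generally only reported reliably on a KASAN kernel). It assumes iproute2 and root; the tc tree is emitted by a function so it can be inspected without privileges.

```shell
#!/bin/sh
# Added example (not from the SRU posting or the kernel tree): bring up an
# hfsc class with a netem child that uses `duplicate 100%`, push traffic
# through it in throwaway network namespaces, and check the kernel log.
# Assumptions: run as root, iproute2 (ip, tc, ping) available, kernel has
# sch_hfsc and sch_netem. All names and numbers below are arbitrary.
set -e

NS_A=hfsc-repro-a      # sender side, carries the hfsc/netem tree
NS_B=hfsc-repro-b      # receiver side
DEV=veth0
PEER=veth1

# tc command lines for the qdisc tree on device $1, emitted as text so they
# can be reviewed or asserted on without privileges.
tc_tree_commands() {
    cat <<EOF
tc qdisc add dev $1 root handle 1: hfsc default 1
tc class add dev $1 parent 1: classid 1:1 hfsc sc rate 1mbit ul rate 1mbit
tc qdisc add dev $1 parent 1:1 handle 10: netem delay 10ms duplicate 100%
EOF
}

# Create the veth pair across two namespaces so traffic really egresses
# through $DEV (a local address in the same namespace would use lo and
# never hit the qdisc), install the tree, send a burst, then tear down.
run_repro() {
    ip netns add "$NS_A"
    ip netns add "$NS_B"
    ip link add "$DEV" type veth peer name "$PEER"
    ip link set "$DEV" netns "$NS_A"
    ip link set "$PEER" netns "$NS_B"
    ip -n "$NS_A" addr add 10.99.0.1/24 dev "$DEV"
    ip -n "$NS_B" addr add 10.99.0.2/24 dev "$PEER"
    ip -n "$NS_A" link set "$DEV" up
    ip -n "$NS_B" link set "$PEER" up

    tc_tree_commands "$DEV" | while read -r line; do
        # shellcheck disable=SC2086  # word-splitting the tc line is intended
        ip netns exec "$NS_A" $line
    done

    # Every packet is duplicated by netem, so each ping re-enters hfsc_enqueue.
    ip netns exec "$NS_A" ping -q -f -c 500 -I "$DEV" 10.99.0.2 >/dev/null || true
    ip netns exec "$NS_A" tc -s qdisc show dev "$DEV"

    ip netns del "$NS_A"
    ip netns del "$NS_B"

    # Smoke check only: without KASAN a UAF may leave no trace here.
    if dmesg | tail -n 200 | grep -qE 'BUG:|KASAN|Oops|general protection'; then
        echo "kernel log contains a warning; inspect dmesg" >&2
        return 1
    fi
    echo "no kernel warning observed"
}

# Only execute the privileged part when explicitly requested:
#   HFSC_REPRO_RUN=1 sudo sh hfsc-netem-repro.sh
if [ "${HFSC_REPRO_RUN:-0}" = 1 ]; then
    run_repro
fi
```

Run it on the kernel before and after the SRU: a patched kernel should complete with "no kernel warning observed" and `tc -s qdisc show` should report roughly twice as many packets on the netem qdisc as pings sent. Tearing the namespaces down is itself part of the check, since destroying the qdisc tree is where a dangling class pointer left by a bad enqueue tends to be dereferenced.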
