Wind River Support Network

Description

In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]net_sched: hfsc: Address reentrant enqueue adding class to eltree twice[EOL][EOL]Savino says:[EOL]    "We are writing to report that this recent patch[EOL]    (141d34391abbb315d68556b7c67ad97885407547) [1][EOL]    can be bypassed, and a UAF can still occur when HFSC is utilized with[EOL]    NETEM.[EOL][EOL]    The patch only checks the cl->cl_nactive field to determine whether[EOL]    it is the first insertion or not [2], but this field is only[EOL]    incremented by init_vf [3].[EOL][EOL]    By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the[EOL]    check and insert the class twice in the eltree.[EOL]    Under normal conditions, this would lead to an infinite loop in[EOL]    hfsc_dequeue for the reasons we already explained in this report [5].[EOL][EOL]    However, if TBF is added as root qdisc and it is configured with a[EOL]    very low rate,[EOL]    it can be utilized to prevent packets from being dequeued.[EOL]    This behavior can be exploited to perform subsequent insertions in the[EOL]    HFSC eltree and cause a UAF."[EOL][EOL]To fix both the UAF and the infinite loop, with netem as an hfsc child,[EOL]check explicitly in hfsc_enqueue whether the class is already in the eltree[EOL]whenever the HFSC_RSC flag is set.[EOL][EOL][1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547[EOL][2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572[EOL][3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677[EOL][4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574[EOL][5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u

CREATE(Triage):(User=lchen-cn) [CVE-2025-38001 (https://nvd.nist.gov/vuln/detail/CVE-2025-38001)