IM
IronMonkey Threat Research

CVE-2025-38350 HIGH

Published: 2025-07-19 | Last Modified: 2026-05-12 | Status: Modified

Description

In the Linux kernel, the following vulnerability has been resolved: net/sched: Always pass notifications when child class becomes empty Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free. The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free: tc qdisc add dev lo root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo parent 1: classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1 tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0 tc qdisc add dev lo parent 2:1 handle 3: netem tc qdisc add dev lo parent 3:1 handle 4: blackhole echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 tc class delete dev lo classid 1:1 echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.

Additional Descriptions (1)

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/sched: Siempre pasar notificaciones cuando la clase hija se vacía. Ciertas qdisc con clase pueden invocar el controlador de desencolado de sus clases en una operación de encolado. Esto puede vaciar inesperadamente la qdisc hija y, por lo tanto, hacer que una clase en vuelo sea pasiva mediante qlen_notify(). La mayoría de las qdisc no esperan este comportamiento en este momento y pueden reactivar la clase eventualmente de todos modos, lo que conducirá a un use-after-free. El commit de corrección referenciada intentó corregir este comportamiento para el caso HFSC al mover la contabilidad del backlog, aunque esto resultó ser incompleto ya que el padre de la clase padre también podría encontrarse con el problema. El siguiente reproductor demuestra este use-after-free: socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 tc class delete dev lo classid 1:1 echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 Dado que los problemas de contabilidad de atrasos que provocan un use-after-frees en punteros de clase obsoletos son un patrón recurrente en este punto, este parche adopta un enfoque diferente. En lugar de intentar corregir la contabilidad, el parche garantiza que qdisc_tree_reduce_backlog siempre llame a qlen_notify cuando la qdisc secundaria esté vacía. Esto soluciona el problema porque la eliminación de qdiscs siempre implica una llamada a qdisc_reset() o qdisc_purge_queue(), que finalmente restablece su qlen a 0, lo que provoca que el siguiente qdisc_tree_reduce_backlog() informe a la clase principal. Tenga en cuenta que esto puede llamar a qlen_notify en clases pasivas varias veces. Esto no es un problema después de la serie de parches recientes que hicieron que todos los controladores qlen_notify() de las qdiscs con clase sean idempotentes.

CVSS Metrics

Base Score: 7.8 (HIGH)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorLOCAL
Attack ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactHIGH
Integrity ImpactHIGH
Availability ImpactHIGH

Source: [email protected]

Type: Primary

Exploitability Score: 1.8

Impact Score: 5.9

Weaknesses

Source Type Description
[email protected] Primary
en CWE-416

Affected Products

Vendor Product Version Update Type
linux linux_kernel * <built-in method update of dict object at 0x702b403280c0> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b4032a080> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd151140> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702c04787e40> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b4032b140> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bcbbf7680> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bde4f3fc0> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b40329540> Operating System
linux linux_kernel 6.15 <built-in method update of dict object at 0x702bcbbf4600> Operating System
linux linux_kernel 6.16 <built-in method update of dict object at 0x702b4032b900> Operating System
linux linux_kernel 6.16 <built-in method update of dict object at 0x702bcbbf47c0> Operating System
linux linux_kernel 6.16 <built-in method update of dict object at 0x702b4032b640> Operating System
linux linux_kernel 6.16 <built-in method update of dict object at 0x702bdd150380> Operating System
debian debian_linux 11.0 <built-in method update of dict object at 0x702bcbbf7dc0> Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.15:-:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

References

Notification
Message here