From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2025-38457: net/sched: Abort __tc_modify_qdisc if parent class does not exist
Date: Fri, 25 Jul 2025 17:28:19 +0200
Message-ID: <2025072506-CVE-2025-38457-d302@gregkh>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

net/sched: Abort __tc_modify_qdisc if parent class does not exist

Lion's patch [1] revealed an ancient bug in the qdisc API.
Whenever a user creates/modifies a qdisc specifying as a parent another
qdisc, the qdisc API will, during grafting, detect that the user is
not trying to attach to a class and reject. However grafting is
performed after qdisc_create (and thus the qdiscs' init callback) is
executed. In qdiscs that eventually call qdisc_tree_reduce_backlog
during init or change (such as fq, hhf, choke, etc), an issue
arises. For example, executing the following commands:

    sudo tc qdisc add dev lo root handle a: htb default 2
    sudo tc qdisc add dev lo parent a: handle beef fq

Qdiscs such as fq, hhf, choke, etc unconditionally invoke
qdisc_tree_reduce_backlog() in their control path init() or change() which
then causes a failure to find the child class; however, that does not stop
the unconditional invocation of the assumed child qdisc's qlen_notify with
a null class.
All these qdiscs make the assumption that class is non-null.

The solution is to ensure that qdisc_leaf() which looks up the parent
class, and is invoked prior to qdisc_create(), should return failure on
not finding the class.
In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the
parentid doesn't correspond to a class, so that we can detect it
earlier on and abort before qdisc_create is called.

[1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/

The Linux kernel CVE team has assigned CVE-2025-38457 to this issue.


Affected and fixed versions
===========================

    Issue introduced in 2.6.20 with commit 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 and fixed in 5.4.296 with commit 923a276c74e25073ae391e930792ac86a9f77f1e
    Issue introduced in 2.6.20 with commit 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 and fixed in 5.10.240 with commit 90436e72c9622c2f70389070088325a3232d339f
    Issue introduced in 2.6.20 with commit 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 and fixed in 5.15.189 with commit 25452638f133ac19d75af3f928327d8016952c8e
    Issue introduced in 2.6.20 with commit 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 and fixed in 6.1.146 with commit 23c165dde88eac405eebb59051ea1fe139a45803
    Issue introduced in 2.6.20 with commit 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 and fixed in 6.6.99 with commit 4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af
    Issue introduced in 2.6.20 with commit 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 and fixed in 6.12.39 with commit 8ecd651ef24ab50123692a4e3e25db93cb11602a
    Issue introduced in 2.6.20 with commit 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 and fixed in 6.15.7 with commit e28a383d6485c3bb51dc5953552f76c4dea33eea
    Issue introduced in 2.6.20 with commit 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 and fixed in 6.16-rc6 with commit ffdde7bf5a439aaa1955ebd581f5c64ab1533963

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
    https://cve.org/CVERecord/?id=CVE-2025-38457
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
    net/sched/sch_api.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
    https://git.kernel.org/stable/c/923a276c74e25073ae391e930792ac86a9f77f1e
    https://git.kernel.org/stable/c/90436e72c9622c2f70389070088325a3232d339f
    https://git.kernel.org/stable/c/25452638f133ac19d75af3f928327d8016952c8e
    https://git.kernel.org/stable/c/23c165dde88eac405eebb59051ea1fe139a45803
    https://git.kernel.org/stable/c/4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af
    https://git.kernel.org/stable/c/8ecd651ef24ab50123692a4e3e25db93cb11602a
    https://git.kernel.org/stable/c/e28a383d6485c3bb51dc5953552f76c4dea33eea
    https://git.kernel.org/stable/c/ffdde7bf5a439aaa1955ebd581f5c64ab1533963
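
The ordering problem from the Description, reduced to a userspace C model (an added example, not the kernel's code and not part of the original advisory). All names are hypothetical, and the error code returned by the late graft rejection is an assumption of the model.

```c
/* Simplified userspace model of the ordering bug; NOT kernel code.
 * Every name below is hypothetical and chosen for this illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Same idea as the kernel's ERR_PTR helpers: carry -errno in a pointer. */
static void *ERR_PTR(intptr_t e) { return (void *)e; }
static int PTR_ERR(const void *p) { return (int)(intptr_t)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-4095; }
struct parent { uint32_t classes[4]; int nclasses; int leaf; };
static int init_calls, null_class_notes;  /* init() runs; notifies with class 0 */

static unsigned long find_class(const struct parent *p, uint32_t id)
{
    for (int i = 0; i < p->nclasses; i++)
        if (p->classes[i] == id) return (unsigned long)i + 1;
    return 0;  /* id is not a class of this parent */
}
/* Child init(): like fq/hhf/choke it reduces backlog unconditionally. */
static void child_init(const struct parent *p, uint32_t parentid)
{
    init_calls++;
    if (!find_class(p, parentid)) null_class_notes++;  /* real code uses it */
}
/* Parent-class lookup that runs before create; 'fixed' picks the behaviour. */
static int *leaf_lookup(struct parent *p, uint32_t id, int fixed)
{
    if (find_class(p, id)) return &p->leaf;
    return fixed ? ERR_PTR(-ENOENT) : NULL;
}
static int model_modify(struct parent *p, uint32_t parentid, int fixed)
{
    int *leaf = leaf_lookup(p, parentid, fixed);
    if (IS_ERR(leaf))
        return PTR_ERR(leaf);                      /* fixed: abort before create */
    child_init(p, parentid);                       /* create runs init() first */
    return find_class(p, parentid) ? 0 : -ENOENT;  /* graft rejects, too late */
}

int main(void)
{
    struct parent p = { {0x000a0001}, 1, 0 };  /* constructed: class a:1 only */
    for (int fixed = 0; fixed <= 1; fixed++) { /* parent "a:" names a qdisc */
        init_calls = null_class_notes = 0;
        int ret = model_modify(&p, 0x000a0000, fixed);
        printf("fixed=%d ret=%d init=%d null=%d\n", fixed, ret, init_calls, null_class_notes);
    }
    return 0;
}
```

In this model both paths hand the same error back to the caller; only the fixed path does so without running init() against a parent id that is not a class.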
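
A check of a kernel release string against the "Affected and fixed versions" list above, as an added example that is not part of the original advisory; the function and enum names are hypothetical. It assumes an upstream release string: distribution kernels backport fixes without changing the base version, so the vendor's advisory decides for those.

```c
/* Added example: classify an upstream kernel release string against the
 * fix list in this advisory. Function and enum names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum verdict { UNKNOWN, NOT_AFFECTED, FIXED, VULNERABLE, NO_FIX_FOR_BRANCH };

/* Fixed stable releases, copied from "Affected and fixed versions". */
static const int fixed_in[][3] = {
    {5, 4, 296}, {5, 10, 240}, {5, 15, 189}, {6, 1, 146},
    {6, 6, 99},  {6, 12, 39},  {6, 15, 7},
};

static enum verdict classify(const char *release)
{
    int maj = 0, min = 0, pat = 0;
    /* Accepts "6.6.98", "5.4.296-custom", "6.16.0-rc5", "6.16-rc6". */
    if (sscanf(release, "%d.%d.%d", &maj, &min, &pat) < 2)
        return UNKNOWN;
    /* Introduced in 2.6.20: anything older predates the bug. */
    if (maj < 2 || (maj == 2 && (min < 6 || (min == 6 && pat < 20))))
        return NOT_AFFECTED;
    /* Mainline fix landed in 6.16-rc6; earlier 6.16 rcs still have the bug. */
    const char *rc = strstr(release, "-rc");
    if (maj == 6 && min == 16 && pat == 0 && rc && atoi(rc + 3) < 6)
        return VULNERABLE;
    if (maj > 6 || (maj == 6 && min >= 16))
        return FIXED;
    for (size_t i = 0; i < sizeof fixed_in / sizeof fixed_in[0]; i++)
        if (fixed_in[i][0] == maj && fixed_in[i][1] == min)
            return pat >= fixed_in[i][2] ? FIXED : VULNERABLE;
    /* Affected branch with no fixed release listed in the advisory. */
    return NO_FIX_FOR_BRANCH;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "unknown", "not affected", "fixed",
                                   "vulnerable", "no fix listed for branch" };
    /* Constructed sample input when no argument is given. */
    const char *release = argc > 1 ? argv[1] : "6.6.98";
    printf("%s: %s\n", release, names[classify(release)]);
    return 0;
}
```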