CVE-2025-38350

{"id": "CVE-2025-38350", "cveTags": [], "metrics": {}, "published": "2025-07-19T07:15:22.043", "references": [{"url": "https://git.kernel.org/stable/c/103406b38c600fec1fe375a77b27d87e314aea09", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3b290923ad2b23596208c1e29520badef4356a43", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7874c9c132e906a52a187d045995b115973c93fb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a44acdd9e84a211989ff4b9b92bf3545d8456ad5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a553afd91f55ff39b1e8a1c4989a29394c9e0472", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e269f29e9395527bc00c213c6b15da04ebb35070", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e9921b57dca05ac5f4fa1fa8e993d4f0ee52e2b7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f680a4643c6f71e758d8fe0431a958e9a6a4f59d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Always pass notifications when child class becomes empty\n\nCertain classful qdiscs may invoke their classes' dequeue handler on an\nenqueue operation. This may unexpectedly empty the child qdisc and thus\nmake an in-flight class passive via qlen_notify(). Most qdiscs do not\nexpect such behaviour at this point in time and may re-activate the\nclass eventually anyways which will lead to a use-after-free.\n\nThe referenced fix commit attempted to fix this behavior for the HFSC\ncase by moving the backlog accounting around, though this turned out to\nbe incomplete since the parent's parent may run into the issue too.\nThe following reproducer demonstrates this use-after-free:\n\n tc qdisc add dev lo root handle 1: drr\n tc filter add dev lo parent 1: basic classid 1:1\n tc class add dev lo parent 1: classid 1:1 drr\n tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1\n tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0\n tc qdisc add dev lo parent 2:1 handle 3: netem\n tc qdisc add dev lo parent 3:1 handle 4: blackhole\n\n echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888\n tc class delete dev lo classid 1:1\n echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888\n\nSince backlog accounting issues leading to a use-after-frees on stale\nclass pointers is a recurring pattern at this point, this patch takes\na different approach. Instead of trying to fix the accounting, the patch\nensures that qdisc_tree_reduce_backlog always calls qlen_notify when\nthe child qdisc is empty. This solves the problem because deletion of\nqdiscs always involves a call to qdisc_reset() and / or\nqdisc_purge_queue() which ultimately resets its qlen to 0 thus causing\nthe following qdisc_tree_reduce_backlog() to report to the parent. Note\nthat this may call qlen_notify on passive classes multiple times. This\nis not a problem after the recent patch series that made all the\nclassful qdiscs qlen_notify() handlers idempotent."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/sched: Siempre pasar notificaciones cuando la clase hija se vac\u00eda. Ciertas qdisc con clase pueden invocar el controlador de desencolado de sus clases en una operaci\u00f3n de encolado. Esto puede vaciar inesperadamente la qdisc hija y, por lo tanto, hacer que una clase en vuelo sea pasiva mediante qlen_notify(). La mayor\u00eda de las qdisc no esperan este comportamiento en este momento y pueden reactivar la clase eventualmente de todos modos, lo que conducir\u00e1 a un use-after-free. El commit de correcci\u00f3n referenciada intent\u00f3 corregir este comportamiento para el caso HFSC al mover la contabilidad del backlog, aunque esto result\u00f3 ser incompleto ya que el padre de la clase padre tambi\u00e9n podr\u00eda encontrarse con el problema. El siguiente reproductor demuestra este use-after-free: socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 tc class delete dev lo classid 1:1 echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 Dado que los problemas de contabilidad de atrasos que provocan un use-after-frees en punteros de clase obsoletos son un patr\u00f3n recurrente en este punto, este parche adopta un enfoque diferente. En lugar de intentar corregir la contabilidad, el parche garantiza que qdisc_tree_reduce_backlog siempre llame a qlen_notify cuando la qdisc secundaria est\u00e9 vac\u00eda. Esto soluciona el problema porque la eliminaci\u00f3n de qdiscs siempre implica una llamada a qdisc_reset() o qdisc_purge_queue(), que finalmente restablece su qlen a 0, lo que provoca que el siguiente qdisc_tree_reduce_backlog() informe a la clase principal. Tenga en cuenta que esto puede llamar a qlen_notify en clases pasivas varias veces. Esto no es un problema despu\u00e9s de la serie de parches recientes que hicieron que todos los controladores qlen_notify() de las qdiscs con clase sean idempotentes."}], "lastModified": "2025-07-22T13:06:07.260", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}