CVE-2025-38457
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Abort __tc_modify_qdisc if parent class does not exist
Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc_tree_reduce_backlog during init or change (such as fq, hhf, choke, etc), an issue arises. For example, executing the following commands:
sudo tc qdisc add dev lo root handle a: htb default 2 sudo tc qdisc add dev lo parent a: handle beef fq
Qdiscs such as fq, hhf, choke, etc unconditionally invoke qdisc_tree_reduce_backlog() in their control path init() or change() which then causes a failure to find the child class; however, that does not stop the unconditional invocation of the assumed child qdisc's qlen_notify with a null class. All these qdiscs make the assumption that class is non-null.
The solution is ensure that qdisc_leaf() which looks up the parent class, and is invoked prior to qdisc_create(), should return failure on not finding the class. In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the parentid doesn't correspond to a class, so that we can detect it earlier on and abort before qdisc_create is called.
[1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 < 923a276c74e25073ae391e930792ac86a9f77f1e | affected |
| Linux | Linux | 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 < 90436e72c9622c2f70389070088325a3232d339f | affected |
| Linux | Linux | 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 < 25452638f133ac19d75af3f928327d8016952c8e | affected |
| Linux | Linux | 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 < 23c165dde88eac405eebb59051ea1fe139a45803 | affected |
| Linux | Linux | 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 < 4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af | affected |
| Linux | Linux | 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 < 8ecd651ef24ab50123692a4e3e25db93cb11602a | affected |
| Linux | Linux | 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 < e28a383d6485c3bb51dc5953552f76c4dea33eea | affected |
| Linux | Linux | 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 < ffdde7bf5a439aaa1955ebd581f5c64ab1533963 | affected |
| Linux | Linux | 2.6.20 | affected |
| Linux | Linux | 0 < 2.6.20 | unaffected |
| Linux | Linux | 5.4.296 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.240 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.189 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.146 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.99 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.39 <= 6.12.* | unaffected |
| Linux | Linux | 6.15.7 <= 6.15.* | unaffected |
| Linux | Linux | 6.16 <= * | unaffected |
Weaknesses
ADP Enrichment
CVE Program Container
Additional References
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
Additional References
References
- https://git.kernel.org/stable/c/923a276c74e25073ae391e930792ac86a9f77f1e
- https://git.kernel.org/stable/c/90436e72c9622c2f70389070088325a3232d339f
- https://git.kernel.org/stable/c/25452638f133ac19d75af3f928327d8016952c8e
- https://git.kernel.org/stable/c/23c165dde88eac405eebb59051ea1fe139a45803
- https://git.kernel.org/stable/c/4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af
- https://git.kernel.org/stable/c/8ecd651ef24ab50123692a4e3e25db93cb11602a
- https://git.kernel.org/stable/c/e28a383d6485c3bb51dc5953552f76c4dea33eea
- https://git.kernel.org/stable/c/ffdde7bf5a439aaa1955ebd581f5c64ab1533963
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.