CVE-2025-38468
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree
htb_lookup_leaf has a BUG_ON that can trigger with the following:
tc qdisc del dev lo root tc qdisc add dev lo root handle 1: htb default 1 tc class add dev lo parent 1: classid 1:1 htb rate 64bit tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2:1 handle 3: blackhole ping -I lo -c1 -W0.001 127.0.0.1
The root cause is the following:
- htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on the selected leaf qdisc
- netem_dequeue calls enqueue on the child qdisc
- blackhole_enqueue drops the packet and returns a value that is not just NET_XMIT_SUCCESS
- Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and since qlen is now 0, it calls htb_qlen_notify -> htb_deactivate -> htb_deactiviate_prios -> htb_remove_class_from_row -> htb_safe_rb_erase
- As this is the only class in the selected hprio rbtree, __rb_change_child in __rb_erase_augmented sets the rb_root pointer to NULL
- Because blackhole_dequeue returns NULL, netem_dequeue returns NULL, which causes htb_dequeue_tree to call htb_lookup_leaf with the same hprio rbtree, and fail the BUG_ON
The function graph for this scenario is shown here: 0) | htb_enqueue() { 0) + 13.635 us | netem_enqueue(); 0) 4.719 us | htb_activate_prios(); 0) # 2249.199 us | } 0) | htb_dequeue() { 0) 2.355 us | htb_lookup_leaf(); 0) | netem_dequeue() { 0) + 11.061 us | blackhole_enqueue(); 0) | qdisc_tree_reduce_backlog() { 0) | qdisc_lookup_rcu() { 0) 1.873 us | qdisc_match_from_root(); 0) 6.292 us | } 0) 1.894 us | htb_search(); 0) | htb_qlen_notify() { 0) 2.655 us | htb_deactivate_prios(); 0) 6.933 us | } 0) + 25.227 us | } 0) 1.983 us | blackhole_dequeue(); 0) + 86.553 us | } 0) # 2932.761 us | qdisc_warn_nonwc(); 0) | htb_lookup_leaf() { 0) | BUG_ON();
The full original bug report can be seen here [1].
We can fix this just by returning NULL instead of the BUG_ON, as htb_dequeue_tree returns NULL when htb_lookup_leaf returns NULL.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 < fed3570e548a6c9f95c5f4c9e1a7afc1679fd90d | affected |
| Linux | Linux | 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 < 5c0506cd1b1a3b145bda2612bbf7fe78d186c355 | affected |
| Linux | Linux | 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 < 850226aef8d28a00cf966ef26d2f8f2bff344535 | affected |
| Linux | Linux | 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 < 890a5d423ef0a7bd13447ceaffad21189f557301 | affected |
| Linux | Linux | 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 < 7ff2d83ecf2619060f30ecf9fad4f2a700fca344 | affected |
| Linux | Linux | 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 < e5c480dc62a3025b8428d4818e722da30ad6804f | affected |
| Linux | Linux | 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 < 3691f84269a23f7edd263e9b6edbc27b7ae332f4 | affected |
| Linux | Linux | 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 < 0e1d5d9b5c5966e2e42e298670808590db5ed628 | affected |
| Linux | Linux | 2.6.29 | affected |
| Linux | Linux | 0 < 2.6.29 | unaffected |
| Linux | Linux | 5.4.297 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.241 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.190 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.147 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.100 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.40 <= 6.12.* | unaffected |
| Linux | Linux | 6.15.8 <= 6.15.* | unaffected |
| Linux | Linux | 6.16 <= * | unaffected |
Weaknesses
ADP Enrichment
CVE Program Container
Additional References
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
Additional References
References
- https://git.kernel.org/stable/c/fed3570e548a6c9f95c5f4c9e1a7afc1679fd90d
- https://git.kernel.org/stable/c/5c0506cd1b1a3b145bda2612bbf7fe78d186c355
- https://git.kernel.org/stable/c/850226aef8d28a00cf966ef26d2f8f2bff344535
- https://git.kernel.org/stable/c/890a5d423ef0a7bd13447ceaffad21189f557301
- https://git.kernel.org/stable/c/7ff2d83ecf2619060f30ecf9fad4f2a700fca344
- https://git.kernel.org/stable/c/e5c480dc62a3025b8428d4818e722da30ad6804f
- https://git.kernel.org/stable/c/3691f84269a23f7edd263e9b6edbc27b7ae332f4
- https://git.kernel.org/stable/c/0e1d5d9b5c5966e2e42e298670808590db5ed628
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.