CVE-2025-21702
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-21702
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21702.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-21702
- Related
- Published
- 2025-02-18T15:15:18Z
- Modified
- 2025-04-12T15:40:38.969127Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
pfifotailenqueue: Drop new packet when sch->limit == 0
Expected behaviour: In case we reach scheduler's limit, pfifotailenqueue() will drop a packet in scheduler's queue and decrease scheduler's qlen by one. Then, pfifotailenqueue() enqueue new packet and increase scheduler's qlen by one. Finally, pfifotailenqueue() return
NET_XMIT_CNstatus code.Weird behaviour: In case we set
sch->limit == 0and trigger pfifotailenqueue() on a scheduler that has no packet, the 'drop a packet' step will do nothing. This means the scheduler's qlen still has value equal 0. Then, we continue to enqueue new packet and increase scheduler's qlen by one. In summary, we can leverage pfifotailenqueue() to increase qlen by one and returnNET_XMIT_CNstatus code.The problem is: Let's say we have two qdiscs: QdiscA and QdiscB. - QdiscA's type must have '->graft()' function to create parent/child relationship. Let's say QdiscA's type is
hfsc. Enqueue packet to this qdisc will triggerhfsc_enqueue. - QdiscB's type is pfifoheaddrop. Enqueue packet to this qdisc will triggerpfifo_tail_enqueue. - QdiscB is configured to havesch->limit == 0. - QdiscA is configured to route the enqueued's packet to QdiscB.Enqueue packet through QdiscA will lead to: - hfscenqueue(QdiscA) -> pfifotailenqueue(QdiscB) - QdiscB->q.qlen += 1 - pfifotailenqueue() return
NET_XMIT_CN- hfscenqueue() check forNET_XMIT_SUCCESSand seeNET_XMIT_CN=> hfscenqueue() don't increase qlen of QdiscA.The whole process lead to a situation where QdiscA->q.qlen == 0 and QdiscB->q.qlen == 1. Replace 'hfsc' with other type (for example: 'drr') still lead to the same problem. This violate the design where parent's qlen should equal to the sum of its childrens'qlen.
Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable.
- References
-
- https://git.kernel.org/stable/c/020ecb76812a0526f4130ab5aeb6dc7c773e7ab9
- https://git.kernel.org/stable/c/647cef20e649c576dff271e018d5d15d998b629d
- https://git.kernel.org/stable/c/78285b53266d6d51fa4ff504a23df03852eba84e
- https://git.kernel.org/stable/c/79a955ea4a2e5ddf4a36328959de0de496419888
- https://git.kernel.org/stable/c/7a9723ec27aff5674f1fd4934608937f1d650980
- https://git.kernel.org/stable/c/a56a6e8589a9b98d8171611fbcc1e45a15fd2455
- https://git.kernel.org/stable/c/b6a079c3b6f95378f26e2aeda520cb3176f7067b
- https://git.kernel.org/stable/c/e40cb34b7f247fe2e366fd192700d1b4f38196ca
- https://security-tracker.debian.org/tracker/CVE-2025-21702
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
5.*
6.*
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.133-1
Affected versions
6.*
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.12.15-1