CVE-2025-38468
Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
28/07/2025
Última modificación:
28/07/2025
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree<br />
<br />
htb_lookup_leaf has a BUG_ON that can trigger with the following:<br />
<br />
tc qdisc del dev lo root<br />
tc qdisc add dev lo root handle 1: htb default 1<br />
tc class add dev lo parent 1: classid 1:1 htb rate 64bit<br />
tc qdisc add dev lo parent 1:1 handle 2: netem<br />
tc qdisc add dev lo parent 2:1 handle 3: blackhole<br />
ping -I lo -c1 -W0.001 127.0.0.1<br />
<br />
The root cause is the following:<br />
<br />
1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on<br />
the selected leaf qdisc<br />
2. netem_dequeue calls enqueue on the child qdisc<br />
3. blackhole_enqueue drops the packet and returns a value that is not<br />
just NET_XMIT_SUCCESS<br />
4. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and<br />
since qlen is now 0, it calls htb_qlen_notify -> htb_deactivate -><br />
htb_deactiviate_prios -> htb_remove_class_from_row -> htb_safe_rb_erase<br />
5. As this is the only class in the selected hprio rbtree,<br />
__rb_change_child in __rb_erase_augmented sets the rb_root pointer to<br />
NULL<br />
6. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL,<br />
which causes htb_dequeue_tree to call htb_lookup_leaf with the same<br />
hprio rbtree, and fail the BUG_ON<br />
<br />
The function graph for this scenario is shown here:<br />
0) | htb_enqueue() {<br />
0) + 13.635 us | netem_enqueue();<br />
0) 4.719 us | htb_activate_prios();<br />
0) # 2249.199 us | }<br />
0) | htb_dequeue() {<br />
0) 2.355 us | htb_lookup_leaf();<br />
0) | netem_dequeue() {<br />
0) + 11.061 us | blackhole_enqueue();<br />
0) | qdisc_tree_reduce_backlog() {<br />
0) | qdisc_lookup_rcu() {<br />
0) 1.873 us | qdisc_match_from_root();<br />
0) 6.292 us | }<br />
0) 1.894 us | htb_search();<br />
0) | htb_qlen_notify() {<br />
0) 2.655 us | htb_deactivate_prios();<br />
0) 6.933 us | }<br />
0) + 25.227 us | }<br />
0) 1.983 us | blackhole_dequeue();<br />
0) + 86.553 us | }<br />
0) # 2932.761 us | qdisc_warn_nonwc();<br />
0) | htb_lookup_leaf() {<br />
0) | BUG_ON();<br />
------------------------------------------<br />
<br />
The full original bug report can be seen here [1].<br />
<br />
We can fix this just by returning NULL instead of the BUG_ON,<br />
as htb_dequeue_tree returns NULL when htb_lookup_leaf returns<br />
NULL.<br />
<br />
[1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/
Impacto
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/0e1d5d9b5c5966e2e42e298670808590db5ed628
- https://git.kernel.org/stable/c/3691f84269a23f7edd263e9b6edbc27b7ae332f4
- https://git.kernel.org/stable/c/7ff2d83ecf2619060f30ecf9fad4f2a700fca344
- https://git.kernel.org/stable/c/890a5d423ef0a7bd13447ceaffad21189f557301
- https://git.kernel.org/stable/c/e5c480dc62a3025b8428d4818e722da30ad6804f