{"id":64590,"date":"2025-06-06T18:32:19","date_gmt":"2025-06-06T15:02:19","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2025-38001-linux-kernel-netem-hfsc-double-insertion-uninitialized-use-after-free\/"},"modified":"2025-06-06T18:32:19","modified_gmt":"2025-06-06T15:02:19","slug":"cve-2025-38001-linux-kernel-netem-hfsc-double-insertion-uninitialized-use-after-free","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2025-38001-linux-kernel-netem-hfsc-double-insertion-uninitialized-use-after-free\/","title":{"rendered":"CVE-2025-38001 &#8211; Linux Kernel Netem HFSC Double Insertion Uninitialized Use After Free"},"content":{"rendered":"<p><strong>CVE ID : <\/strong>CVE-2025-38001<br \/>\n<br \/>\n<strong>Published : <\/strong> June 6, 2025, 2:15 p.m. | 29\u00a0minutes ago<br \/>\n<br \/>\n<strong>Description : <\/strong>In the Linux kernel, the following vulnerability has been resolved:<\/p>\n<p>net_sched: hfsc: Address reentrant enqueue adding class to eltree twice<\/p>\n<p>Savino says:<br \/>\n    &#8220;We are writing to report that this recent patch<br \/>\n    (141d34391abbb315d68556b7c67ad97885407547) [1]\n    can be bypassed, and a UAF can still occur when HFSC is utilized with<br \/>\n    NETEM.<\/p>\n<p>    The patch only checks the cl-&gt;cl_nactive field to determine whether<br \/>\n    it is the first insertion or not [2], but this field is only<br \/>\n    incremented by init_vf [3].<\/p>\n<p>    By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the<br \/>\n    check and insert the class twice in the eltree.<br \/>\n    Under normal conditions, this would lead to an infinite loop in<br \/>\n    hfsc_dequeue for the reasons we already explained in this report [5].<\/p>\n<p>    However, if TBF is added as root qdisc and it is configured with a<br \/>\n    very low rate,<br \/>\n    it can be utilized to prevent packets from being dequeued.<br \/>\n    This behavior can be exploited to perform subsequent insertions in the<br \/>\n    HFSC eltree and cause a UAF.&#8221;<\/p>\n<p>To fix both the UAF and the infinite loop, with netem as an hfsc child,<br \/>\ncheck explicitly in hfsc_enqueue whether the class is already in the eltree<br \/>\nwhenever the HFSC_RSC flag is set.<\/p>\n[1] https:\/\/web.git.kernel.org\/pub\/scm\/linux\/kernel\/git\/torvalds\/linux.git\/commit\/?id=141d34391abbb315d68556b7c67ad97885407547<br \/>\n[2] https:\/\/elixir.bootlin.com\/linux\/v6.15-rc5\/source\/net\/sched\/sch_hfsc.c#L1572<br \/>\n[3] https:\/\/elixir.bootlin.com\/linux\/v6.15-rc5\/source\/net\/sched\/sch_hfsc.c#L677<br \/>\n[4] https:\/\/elixir.bootlin.com\/linux\/v6.15-rc5\/source\/net\/sched\/sch_hfsc.c#L1574<br \/>\n[5] https:\/\/lore.kernel.org\/netdev\/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io\/T\/#u<br \/>\n<br \/>\n<strong>Severity:<\/strong> 0.0 | NA<br \/>\n<br \/>\nVisit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID : CVE-2025-38001 Published : June 6, 2025, 2:15 p.m. | 29\u00a0minutes ago Description : In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice Savino says: &#8220;We are writing to report that this recent patch (141d34391abbb315d68556b7c67ad97885407547) [1] can be bypassed, and a UAF &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-64590","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/64590","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=64590"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/64590\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=64590"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=64590"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=64590"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}