IT security expert company: cybersecurity audits and consulting
French cybersecurity company since 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2025-21702

Description

In the Linux kernel, the following vulnerability has been resolved:

pfifo_tail_enqueue: Drop new packet when sch->limit == 0

Expected behaviour:
In case we reach the scheduler's limit, pfifo_tail_enqueue() will drop a packet in the scheduler's queue and decrease the scheduler's qlen by one. Then, pfifo_tail_enqueue() enqueues the new packet and increases the scheduler's qlen by one. Finally, pfifo_tail_enqueue() returns the `NET_XMIT_CN` status code.

Weird behaviour:
In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a scheduler that has no packet, the 'drop a packet' step will do nothing. This means the scheduler's qlen still has a value equal to 0. Then, we continue to enqueue the new packet and increase the scheduler's qlen by one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by one and return the `NET_XMIT_CN` status code.

The problem is:
Let's say we have two qdiscs: Qdisc_A and Qdisc_B.
- Qdisc_A's type must have a '->graft()' function to create a parent/child relationship. Let's say Qdisc_A's type is `hfsc`. Enqueuing a packet to this qdisc will trigger `hfsc_enqueue`.
- Qdisc_B's type is pfifo_head_drop. Enqueuing a packet to this qdisc will trigger `pfifo_tail_enqueue`.
- Qdisc_B is configured to have `sch->limit == 0`.
- Qdisc_A is configured to route the enqueued packet to Qdisc_B.

Enqueuing a packet through Qdisc_A will lead to:
- hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B)
- Qdisc_B->q.qlen += 1
- pfifo_tail_enqueue() returns `NET_XMIT_CN`
- hfsc_enqueue() checks for `NET_XMIT_SUCCESS` and sees `NET_XMIT_CN` => hfsc_enqueue() doesn't increase the qlen of Qdisc_A.

The whole process leads to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1. Replacing 'hfsc' with another type (for example 'drr') still leads to the same problem. This violates the design where a parent's qlen should equal the sum of its children's qlen.

Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable.
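The enqueue path described above, modelled in user-space C as an added example (not kernel code and not from this page): the `fixed` flag stands in for the patch's early drop when `sch->limit == 0`, and the parent only counts the packet on `NET_XMIT_SUCCESS`, so the parent/child qlen invariant can be checked before and after. The struct and the single-child tree are simplifying assumptions; the status code values are the kernel's.

```c
#include <stdbool.h>
#include <stdio.h>
/* Status codes with the kernel's values; the rest is a simplified model. */
enum { NET_XMIT_SUCCESS = 0, NET_XMIT_DROP = 1, NET_XMIT_CN = 2 };

/* A qdisc reduced to the fields the bug involves (assumption: one child). */
struct qdisc { unsigned int qlen; unsigned int limit; struct qdisc *child; };

/* Child enqueue as the CVE text describes it: when full, drop the head,
 * enqueue the new packet and report NET_XMIT_CN. With limit == 0 on an
 * empty queue the drop step removes nothing, but the enqueue still happens. */
static int pfifo_tail_enqueue(struct qdisc *sch, bool fixed)
{
    if (fixed && sch->limit == 0)   /* the patch: drop the new packet outright */
        return NET_XMIT_DROP;
    if (sch->qlen < sch->limit) {
        sch->qlen++;
        return NET_XMIT_SUCCESS;
    }
    if (sch->qlen > 0)       /* "drop a packet": a no-op on an empty queue */
        sch->qlen--;
    sch->qlen++;             /* enqueue the new packet regardless */
    return NET_XMIT_CN;
}

/* Parent enqueue in the hfsc/drr style: qlen is bumped only on SUCCESS. */
static int parent_enqueue(struct qdisc *parent, bool fixed)
{
    int ret = pfifo_tail_enqueue(parent->child, fixed);
    if (ret == NET_XMIT_SUCCESS)
        parent->qlen++;
    return ret;
}

/* The invariant the text says is violated: parent qlen == child qlen. */
static bool enqueue_keeps_invariant(bool fixed)
{
    struct qdisc child = { .qlen = 0, .limit = 0, .child = NULL };
    struct qdisc parent = { .qlen = 0, .limit = 1000, .child = &child };
    parent_enqueue(&parent, fixed);
    return parent.qlen == child.qlen;
}

int main(void)
{
    printf("unfixed: %s\n", enqueue_keeps_invariant(false) ? "consistent" : "qlen mismatch");
    printf("fixed:   %s\n", enqueue_keeps_invariant(true) ? "consistent" : "qlen mismatch");
    return 0;
}
```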

POC

Reference

No PoCs from references.

Github

- https://github.com/ARPSyndicate/cve-scores

- https://github.com/runwhen-contrib/helm-charts

- https://github.com/w4zu/Debian_security