A newly discovered vulnerability (CVE-2025-21647) in the Linux kernel's sch_cake scheduler has recently been patched. In this post, we will delve into the details of the vulnerability, its potential impact, and the fix that has been implemented to address it, focusing on the critical changes made to safeguard against out-of-bounds memory accesses.
Background
The sch_cake scheduler is designed for use with the Linux kernel's traffic control subsystem, providing highly-configurable bandwidth shaping, prioritization, and fairness. The vulnerability that we will be discussing arose from a logic error in its implementation, which had the potential to lead to harmful out-of-bounds memory access.
Original Vulnerability
The original vulnerability in the scheduler came to light through a syzbot report, a continuous fuzzing infrastructure that tests the Linux kernel for bugs. The vulnerability had potentially dangerous implications, with a risk of the per-host bulk flow counters underflowing and causing an out-of-bounds memory access.
The Fix
The fix introduced for this vulnerability involves refactoring the access to the per-host bulk flow counters and using helper functions to implement bounds-checking before increments and decrements take place. These bounds checks aid in preventing underflows and out of bounds memory accesses, thus improving the overall reliability and security of the code.
Here's a key snippet of the patch that showcases an example of this refactoring
static void bulk_flow_inc(struct cake_sched_data *q, u32 host_id, u32 bulk)
{
if (bulk < BULK_FLOW_COUNT) {
q->u32_hostbulkflows[host_id][HOST_BULK_TOTAL] +=
q->u32_hostbulkflows[host_id][HOST_BULK_ADD];
q->u32_hostbulkflows[host_id][HOST_BULK_INC] +=
q->u32_hostbulkflows[host_id][HOST_BULK_ADD];
q->u32_hostbulkflows[host_id][HOST_BULK_ADD] = ;
}
}
This code snippet highlights the introduction of a helper function named bulk_flow_inc, which enforces bounds checks on bulk before allowing any increments or decrements.
Additional Changes
Aside from addressing the vulnerability at hand, this patch also brings about other improvements in code readability. By centralizing the checks for flow mode in these helper functions, the developers have eliminated the need to have these checks scattered throughout the codebase, making it easier to maintain and understand.
Moreover, the flow quantum calculation is now unified into a helper function, as seen in the following snippet:
static unsigned int cake_flow_quantum(unsigned int rate, unsigned int mtu)
{
return max_t(unsigned int, 1, min_t(unsigned int,
(rate * 10 + 5999) / 600, (mtu * 10 + 3399) / 340));
}
As a result of this change, the dithering applied to the host load scaling is consistently applied during both the DRR (Deficit Round Robin) rotation and when a sparse flow's quantum is first initiated. This does not introduce significant differences in the workings of the scheduler, but it does simplify the code.
Original References
1. Mailing list post with the patch
2. syzbot report
3. Linux kernel's traffic control subsystem
Conclusion
In this blog post, we covered the vulnerability CVE-2025-21647 found in the Linux kernel's sch_cake scheduler and discussed the patch that addresses this issue. The developers have done an excellent job of not only fixing the original problem but also introducing improvements in code readability and maintainability. As a result, the Linux kernel scheduler can now be considered stronger and more secure than before.
Timeline
Published on: 01/19/2025 11:15:10 UTC
Last modified on: 03/13/2025 13:15:47 UTC