A vulnerability in the Linux kernel has been resolved that affects the net_sched subsystem in the cls_flow module. The issue was related to the lack of proper validation of the TCA_FLOW_RSHIFT attribute. This resulted in the possibility of undefined behavior when right shifting a 32-bit integer for large shift values. In this article, we will discuss the details of the vulnerability, the fix applied, and its implications for affected systems.

Background

The Linux kernel's net_sched (network scheduler) subsystem is responsible for managing network traffic and controlling how packets are sent and received. One of the modules in this subsystem is the cls_flow (classifier flow) module, which helps categorize and organize network traffic. The TCA_FLOW_RSHIFT attribute accepted by this module was not validated, a gap that was found by syzbot.

Vulnerability Details (CVE-2025-21653)

The vulnerability discovered in the Linux kernel allowed for undefined behavior when right shifting a 32-bit integer for large shift values in the cls_flow module. The issue was due to the TCA_FLOW_RSHIFT attribute not being properly validated, as identified by the syzbot tool.

The original report from syzbot can be found here: syzbot report link

The following code snippet shows the problematic portion in net/sched/cls_flow.c:

/* ... */
u32 rshift = 32;                                   /* 32 is already an undefined shift count for a u32 */
if (tb[TCA_FLOW_RSHIFT - 1]) {
    rshift = nla_get_u32(tb[TCA_FLOW_RSHIFT - 1]); /* user-supplied netlink attribute */
    if (rshift > 31)
        rshift = 32;                               /* out-of-range values are mapped to 32, not rejected */
}
skb->hash = reciprocal_scale(hash32(reciprocal, skb), rshift);
/* ... */

As shown, the rshift value is derived from the TCA_FLOW_RSHIFT attribute without proper validation: any value above the maximum allowed 31 (and the default) ends up as 32, and shifting a 32-bit integer by a count of 32 or more is undefined behavior in C.

The UBSAN (Undefined Behavior Sanitizer) report for this issue is available here: UBSAN report link

Exploit and Impact

An attacker could exploit this vulnerability by sending specially crafted network traffic with an improper TCA_FLOW_RSHIFT attribute value to trigger undefined behavior and potentially cause a crash or information leak, leading to a denial of service or unauthorized access.

Fix

The fix for this vulnerability involves validating the TCA_FLOW_RSHIFT attribute properly. The following code snippet shows the fix applied in net/sched/cls_flow.c:

/* ... */
u32 rshift = 0;                                    /* valid default: no shift */
if (tb[TCA_FLOW_RSHIFT - 1]) {
    rshift = nla_get_u32(tb[TCA_FLOW_RSHIFT - 1]);
    if (rshift > 31)                               /* BITS_PER_U32 - 1 is the largest valid shift count */
        return -EINVAL;                            /* reject out-of-range values instead of mapping them to 32 */
}
/* upstream enforces the same bound in the attribute policy: NLA_POLICY_MAX(NLA_U32, 31) */
skb->hash = reciprocal_scale(hash32(reciprocal, skb), rshift);
/* ... */

The complete patch can be seen here: Linux kernel patch
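The following is an added example, not code from the kernel or from this article: a user-space C model of parsing a flat netlink attribute stream that applies the bound on the shift count the fix introduces (values above 31 are rejected, as are malformed attributes) before any shift is performed. The attribute numbers and the DEMO_*/demo_* names are constructed for this demo and are not the kernel's UAPI constants.

```c
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed attribute ids for the demo; the real ones live in the kernel UAPI headers. */
#define DEMO_TCA_FLOW_KEYS   1
#define DEMO_TCA_FLOW_RSHIFT 4
#define DEMO_RSHIFT_MAX      31u             /* BITS_PER_U32 - 1 */
#define NLA_HDRLEN           4
#define NLA_ALIGN(len)       (((len) + 3u) & ~3u)

struct nlattr { uint16_t nla_len; uint16_t nla_type; };   /* kernel attribute header layout */

/* Walk a flat attribute stream. Returns the RSHIFT value (0..31) or a negative errno:
 * -ERANGE for an out-of-range shift count, -EINVAL for a malformed attribute,
 * -ENOENT when the attribute is absent. */
int demo_get_rshift(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    while (off + NLA_HDRLEN <= len) {
        struct nlattr a;
        memcpy(&a, buf + off, sizeof a);
        if (a.nla_len < NLA_HDRLEN || off + a.nla_len > len)
            return -EINVAL;                  /* header claims more bytes than the buffer holds */
        if ((a.nla_type & 0x3fff) == DEMO_TCA_FLOW_RSHIFT) {
            uint32_t v;
            if (a.nla_len != NLA_HDRLEN + sizeof v)
                return -EINVAL;              /* a u32 attribute must carry exactly 4 bytes */
            memcpy(&v, buf + off + NLA_HDRLEN, sizeof v);
            if (v > DEMO_RSHIFT_MAX)
                return -ERANGE;              /* the bound the vulnerable code did not enforce */
            return (int)v;
        }
        off += NLA_ALIGN(a.nla_len);
    }
    return -ENOENT;
}

/* The shift is only performed on a count that passed validation; otherwise no shift. */
uint32_t demo_apply_rshift(uint32_t hash, uint32_t rshift)
{
    return rshift <= DEMO_RSHIFT_MAX ? hash >> rshift : hash;
}

static size_t demo_put_u32(uint8_t *p, uint16_t type, uint32_t v)
{
    struct nlattr a = { NLA_HDRLEN + sizeof v, type };
    memcpy(p, &a, sizeof a);
    memcpy(p + NLA_HDRLEN, &v, sizeof v);
    return NLA_HDRLEN + sizeof v;
}

/* Build a constructed [KEYS][RSHIFT] message, optionally truncated by `drop` bytes, and parse it. */
int demo_parse_message(uint32_t rshift, size_t drop)
{
    uint8_t msg[32];
    size_t n = demo_put_u32(msg, DEMO_TCA_FLOW_KEYS, 0x1u);
    n += demo_put_u32(msg + n, DEMO_TCA_FLOW_RSHIFT, rshift);
    return demo_get_rshift(msg, n - drop);
}
```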

Conclusion

CVE-2025-21653 caused undefined behavior in the Linux kernel's net_sched subsystem, particularly the cls_flow module. This vulnerability could lead to a denial of service or unauthorized access if exploited by an attacker. Thanks to syzbot's discovery, this issue has been resolved, and affected systems should update their Linux kernel to a patched version to protect against potential exploits.

Timeline

Published on: 01/19/2025 11:15:10 UTC
Last modified on: 02/02/2025 11:15:15 UTC