{"uuid": "531dc5e7-3d9a-4913-8658-b5328224f943", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-21702", "type": "seen", "source": "https://t.me/cvedetector/18326", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2025-21702 - Linux Kernel pfifo_head_drop Scheduler Qdisc Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2025-21702 \nPublished : Feb. 18, 2025, 3:15 p.m. | 29\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \npfifo_tail_enqueue: Drop new packet when sch->limit == 0  \n  \nExpected behaviour:  \nIn case we reach scheduler's limit, pfifo_tail_enqueue() will drop a  \npacket in scheduler's queue and decrease scheduler's qlen by one.  \nThen, pfifo_tail_enqueue() enqueue new packet and increase  \nscheduler's qlen by one. Finally, pfifo_tail_enqueue() return  \n`NET_XMIT_CN` status code.  \n  \nWeird behaviour:  \nIn case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a  \nscheduler that has no packet, the 'drop a packet' step will do nothing.  \nThis means the scheduler's qlen still has value equal 0.  \nThen, we continue to enqueue new packet and increase scheduler's qlen by  \none. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by  \none and return `NET_XMIT_CN` status code.  \n  \nThe problem is:  \nLet's say we have two qdiscs: Qdisc_A and Qdisc_B.  \n - Qdisc_A's type must have '->graft()' function to create parent/child relationship.  \n   Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`.  \n - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`.  \n - Qdisc_B is configured to have `sch->limit == 0`.  \n - Qdisc_A is configured to route the enqueued's packet to Qdisc_B.  \n  \nEnqueue packet through Qdisc_A will lead to:  \n - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B)  \n - Qdisc_B->q.qlen += 1  \n - pfifo_tail_enqueue() return `NET_XMIT_CN`  \n - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A.  \n  \nThe whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1.  \nReplace 'hfsc' with other type (for example: 'drr') still lead to the same problem.  \nThis violate the design where parent's qlen should equal to the sum of its childrens'qlen.  \n  \nBug impact: This issue can be used for user->kernel privilege escalation when it is reachable. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"18 Feb 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-02-18T16:48:54.000000Z"}