Bug 2376414 (CVE-2025-38193) - CVE-2025-38193 kernel: net_sched: sch_sfq: reject invalid perturb period
Summary: CVE-2025-38193 kernel: net_sched: sch_sfq: reject invalid perturb period
Keywords:
Status: NEW
Alias: CVE-2025-38193
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-07-04 14:04 UTC by OSIDB Bzimport
Modified: 2025-07-11 19:34 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-07-04 14:04:50 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net_sched: sch_sfq: reject invalid perturb period

Gerrard Tai reported that SFQ perturb_period has no range check yet,
and this can be used to trigger a race condition fixed in a separate patch.

We want to make sure ctl->perturb_period * HZ will not overflow
and is positive.


tc qd add dev lo root sfq perturb -10   # negative value : error
Error: sch_sfq: invalid perturb period.

tc qd add dev lo root sfq perturb 1000000000 # too big : error
Error: sch_sfq: invalid perturb period.

tc qd add dev lo root sfq perturb 2000000 # acceptable value
tc -s -d qd sh dev lo
qdisc sfq 8005: root refcnt 2 limit 127p quantum 64Kb depth 127 flows 128 divisor 1024 perturb 2000000sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
Comment 1 Mauro Matteo Cascella 2025-07-04 19:26:48 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025070415-CVE-2025-38193-0fb1@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.