Bug 2376074 (CVE-2025-38115) - CVE-2025-38115 kernel: net_sched: sch_sfq: fix a potential crash on gso_skb handling
Summary: CVE-2025-38115 kernel: net_sched: sch_sfq: fix a potential crash on gso_skb h...
Keywords:
Status: NEW
Alias: CVE-2025-38115
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-07-03 09:03 UTC by OSIDB Bzimport
Modified: 2025-07-03 16:53 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-07-03 09:03:46 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net_sched: sch_sfq: fix a potential crash on gso_skb handling

SFQ has an assumption of always being able to queue at least one packet.

However, after the blamed commit, sch->q.len can be inflated by packets
in sch->gso_skb, and an enqueue() on an empty SFQ qdisc can be followed
by an immediate drop.

Fix sfq_drop() to properly clear q->tail in this situation.


ip netns add lb
ip link add dev to-lb type veth peer name in-lb netns lb
ethtool -K to-lb tso off                 # force qdisc to requeue gso_skb
ip netns exec lb ethtool -K in-lb gro on # enable NAPI
ip link set dev to-lb up
ip -netns lb link set dev in-lb up
ip addr add dev to-lb 192.168.20.1/24
ip -netns lb addr add dev in-lb 192.168.20.2/24
tc qdisc replace dev to-lb root sfq limit 100

ip netns exec lb netserver

netperf -H 192.168.20.2 -l 100 &
netperf -H 192.168.20.2 -l 100 &
netperf -H 192.168.20.2 -l 100 &
netperf -H 192.168.20.2 -l 100 &
Comment 1 Avinash Hanwate 2025-07-03 16:45:10 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025070325-CVE-2025-38115-cce2@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.