Critical Vulnerability Information

Vulnerability Description:
- The HFSC (Hierarchical Fair Service Curve) scheduler has a reentrancy issue when handling repeated addition of classes to the eltree.
- When used in combination with NETEM, a specific bypass can circumvent checks, leading to a Use-After-Free (UAF) vulnerability.

Specific Issue:
- The patch only checks the field to determine if it's the first insertion, but this field is incremented only by .
- Using the flag (which invokes ) allows bypassing the check and inserting the class twice into eltree.
- Under normal conditions, this causes an infinite loop in .
- If TBF is added as the root qdisc and configured with a very low rate, it can be exploited to prevent packet dequeuing, enabling subsequent insertions and triggering the UAF.

Fix:
- Explicitly check in whether the class is already in eltree, especially when the flag is set.

Related Links:
- [1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547
- [2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572
- [3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677
- [4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574
- [5] https://lore.kernel.org/netdev/8DuRWWfqjoRDLdmBMlIfbrsZg9Gx50DHJclilxsEBNe2D6NMoiqR_eIRIG0LOjMc3r16nUUZtArXx4oZBIIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/

Reporters and Testers:
- Reporters: Savino Dicanosa, William Liu, Jamal Hadi Salim
- Tester: Victor Nogueira
- Signer: Pedro Tammela
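
The guard weakness described under Specific Issue and Fix, as a simplified model added here for illustration; it is not taken from the kernel source or the patch. A singly linked list stands in for eltree, and `toy_class`, `TOY_COUNTED`, `TOY_UNCOUNTED` and all function names are hypothetical. It shows why a counter that only one path increments cannot prove "first insertion", and why checking real membership does.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy model (assumption, not kernel code): a linked list stands in for eltree. */
struct toy_class {
    struct toy_class *next;
    bool linked;               /* real membership in the list */
    unsigned int active_count; /* bumped only by the counted path */
};

enum { TOY_COUNTED = 1, TOY_UNCOUNTED = 2 }; /* hypothetical flags */

static void list_insert(struct toy_class **head, struct toy_class *cl)
{
    cl->next = *head;   /* re-inserting the current head makes cl->next == cl */
    *head = cl;
    cl->linked = true;
}

/* Activation guarded by the counter only, or also by real membership. */
static void activate(struct toy_class **head, struct toy_class *cl,
                     int flags, bool check_membership)
{
    if (cl->active_count != 0)
        return;                       /* counter says "not the first insertion" */
    if (flags & TOY_COUNTED)
        cl->active_count++;           /* only this path moves the counter */
    if (check_membership && cl->linked)
        return;                       /* fixed guard: already in the list */
    list_insert(head, cl);
}

/* Bounded walk: true if the list does not terminate within limit steps. */
static bool list_has_cycle(const struct toy_class *head, unsigned int limit)
{
    while (head && limit--)
        head = head->next;
    return head != NULL;
}

/* Activate the same class twice and report whether the list was corrupted. */
static bool double_activation_corrupts(int flags, bool check_membership)
{
    struct toy_class cl = {0}, *head = NULL;
    activate(&head, &cl, flags, check_membership);
    activate(&head, &cl, flags, check_membership);
    return list_has_cycle(head, 16);
}
```

In the counter-only case with the uncounted flag, the second activation links the node to itself, so any unbounded traversal of the list never terminates.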