Critical Vulnerability Information

Vulnerability Description:
- The HFSC (Hierarchical Fair Service Curve) scheduler has a reentrancy issue when handling repeated additions of classes.
- When used in combination with NETEM, specific configurations can bypass checks, leading to a Use-After-Free (UAF) vulnerability.

Root Cause:
- The fix only checks the field to determine if it's the first insertion, but this field is incremented only by .
- Using the flag (which invokes ) allows bypassing the check and inserting the class twice into the .

Impact:
- Under normal conditions, this causes an infinite loop in .
- If TBF is added as the root qdisc and configured with a very low rate, it can be exploited to prevent packet dequeuing, allowing subsequent insertion into the and triggering UAF.

Mitigation:
- Explicitly check in whether the class is already in the , especially when the flag is set.

Related Links:
- [1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547
- [2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572
- [3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677
- [4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574
- [5] https://lore.kernel.org/netdev/8DuRWWfqjoRDLdmBMLIfbrsZg9Gx50DHJclilxsEBNe2D6NMoiqR_eIRIG0LOjMc3r16nUUZtArXx4oZBIIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/
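
The root cause and mitigation described above, as a simplified userspace C model added here (it is not kernel code and not taken from the referenced patch). All type, field and function names are hypothetical; the model assumes two activation paths that both insert the class, only one of which updates the counter that the "first insertion" check reads.

```c
/* Userspace model only. All names are hypothetical, not kernel identifiers. */
#include <stdbool.h>
#include <stdio.h>
#define MAX_SLOTS 4
struct cls  { int nactive; bool alt_path; };   /* alt_path models the flag */
struct tree { struct cls *slot[MAX_SLOTS]; int count; };

static bool tree_contains(const struct tree *t, const struct cls *c) {
    for (int i = 0; i < t->count; i++)
        if (t->slot[i] == c)
            return true;
    return false;
}

/* Both activation paths insert the class; only the default one bumps nactive. */
static void activate(struct tree *t, struct cls *c) {
    if (t->count < MAX_SLOTS)
        t->slot[t->count++] = c;
    if (!c->alt_path)
        c->nactive++;
}

/* Weak check: "first insertion" is inferred from the counter alone. */
static void enqueue_counter_check(struct tree *t, struct cls *c) {
    if (c->nactive == 0)
        activate(t, c);
}

/* Hardened check: also ask the tree whether the class is already a member. */
static void enqueue_membership_check(struct tree *t, struct cls *c) {
    if (c->nactive == 0 && !tree_contains(t, c))
        activate(t, c);
}

/* Entries held for one class after two enqueues with no dequeue in between. */
static int entries_after_two_enqueues(bool hardened, bool alt_path) {
    struct tree t = { .count = 0 };
    struct cls c = { .nactive = 0, .alt_path = alt_path };
    for (int i = 0; i < 2; i++) {
        if (hardened) enqueue_membership_check(&t, &c);
        else          enqueue_counter_check(&t, &c);
    }
    return t.count;
}

int main(void) {
    printf("counter check: %d entries, membership check: %d entries\n", entries_after_two_enqueues(false, true), entries_after_two_enqueues(true, true));
    return 0;
}
```

With the flag set, the counter-only check leaves the same class in the structure twice, while the membership check keeps it to a single entry regardless of which activation path ran.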