Add kernelCTF CVE-2025-38177_mitigation

[hexfoureight]

No description provided.

[koczkatamas]

Hey!

If I compile the stable version of the patch commit (https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9030a91235ae4845ec71902c3e0cecfc9ed1f2df) with KASAN and run the exploit, it still crashes the kernel.

Can you help us understand why is that? Is this the right patch commit?

(This blocks the payout of the first half of the reward.)

Logs:

[    2.392382] drr_dequeue: qfq qdisc F002: is non-work-conserving?
[    2.394554] HFSC: drr qdisc F001: is non-work-conserving?
[    2.396466] HFSC: hfsc qdisc F000: is non-work-conserving?
[    2.398416] HFSC: hfsc qdisc 101: is non-work-conserving?
[    2.400396] HFSC: hfsc qdisc 100: is non-work-conserving?
[    2.402382] HFSC: hfsc qdisc 2: is non-work-conserving?
[    2.404488] HFSC: qfq qdisc F006: is non-work-conserving?
[    2.406433] list_del corruption, ffff88810037c558->next is NULL
[    2.408551] ------------[ cut here ]------------
[    2.410253] kernel BUG at lib/list_debug.c:52!
[    2.411880] invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
[    2.413930] CPU: 0 PID: 118 Comm: exp Not tainted 6.6.89+ #199
[    2.415968] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[    2.419225] RIP: 0010:__list_del_entry_valid_or_report+0x8b/0x100
[    2.421366] Code: 75 ff 48 8b 55 08 49 39 d5 75 71 5b b8 01 00 00 00 5d 41 5c 41 5d c3 cc cc cc cc 48 89 de 48 c7 c7 00 88 b2 83 e8 95 29 3f ff <0f> 0b 48 89 de 48 c7 c7 60 88 b2 83 e8 84 29 3f ff 0f 0b 48 89 ea
[    2.427689] RSP: 0018:ffff888104f6f158 EFLAGS: 00010246
[    2.429535] RAX: 0000000000000033 RBX: ffff88810037c558 RCX: 0000000000000000
[    2.432016] RDX: 0000000000000000 RSI: ffffffff812fbf44 RDI: ffffffff86aaa5c0
[    2.434486] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10209eddd2
[    2.436946] R10: ffff888104f6ee97 R11: 6c65645f7473696c R12: 0000000000000000
[    2.439394] R13: ffff88810037c560 R14: 00000000f0060000 R15: ffff8881050b0000
[    2.441904] FS:  000000002baf6380(0000) GS:ffff888152200000(0000) knlGS:0000000000000000
[    2.444680] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    2.446704] CR2: 00000000004c3118 CR3: 0000000104216002 CR4: 0000000000370ef0
[    2.449199] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[    2.451692] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[    2.454213] Call Trace:
[    2.455138]  <TASK>
[    2.455935]  qfq_qlen_notify+0x37/0xf0
[    2.457293]  qdisc_tree_reduce_backlog+0xdf/0x230
[    2.458950]  qfq_graft_class+0x12f/0x2b0
[    2.460349]  ? __pfx_qfq_graft_class+0x10/0x10
[    2.461959]  qdisc_graft+0x231/0xa90
[    2.463240]  ? __pfx_qdisc_graft+0x10/0x10
[    2.464710]  ? is_bpf_text_address+0x1e/0x30
[    2.466238]  ? kernel_text_address+0x11f/0x130
[    2.467822]  ? __kernel_text_address+0xe/0x30
[    2.469377]  tc_get_qdisc+0x31a/0x5a0
[    2.470703]  ? __pfx_tc_get_qdisc+0x10/0x10
[    2.472187]  ? mutex_lock+0x8e/0xe0
[    2.473448]  ? __pfx_mutex_lock+0x10/0x10
[    2.474889]  ? security_capable+0x2e/0x80
[    2.476314]  rtnetlink_rcv_msg+0x206/0x580
[    2.477790]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[    2.479429]  netlink_rcv_skb+0xe6/0x220
[    2.480813]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[    2.482466]  ? __pfx_netlink_rcv_skb+0x10/0x10
[    2.484062]  ? __pfx___netlink_lookup+0x10/0x10
[    2.485693]  netlink_unicast+0x392/0x4e0
[    2.487097]  ? __pfx_netlink_unicast+0x10/0x10
[    2.488686]  ? preempt_count_sub+0x14/0xc0
[    2.490152]  ? __virt_addr_valid+0x128/0x1a0
[    2.491688]  ? __check_object_size+0x269/0x400
[    2.493282]  netlink_sendmsg+0x3ce/0x6f0
[    2.494686]  ? __pfx_netlink_sendmsg+0x10/0x10
[    2.496262]  ? __pfx_ip_make_skb+0x10/0x10
[    2.497751]  sock_write_iter+0x2d0/0x2e0
[    2.499151]  ? __pfx_sock_write_iter+0x10/0x10
[    2.500797]  ? apparmor_file_permission+0xfe/0x180
[    2.502503]  ? __pfx_sock_write_iter+0x10/0x10
[    2.504090]  vfs_write+0x5da/0x6a0
[    2.505341]  ? __pfx_vfs_write+0x10/0x10
[    2.506738]  ? __fget_light+0x1b0/0x200
[    2.508098]  ksys_write+0x131/0x160
[    2.509372]  ? __pfx_ksys_write+0x10/0x10
[    2.510811]  ? check_stack_object+0x22/0x70
[    2.512297]  ? inet_send_prepare+0x2f/0x120
[    2.513778]  do_syscall_64+0x5e/0x90
[    2.515057]  ? __sys_sendto+0x2cb/0x380
[    2.516446]  ? __pfx___sys_sendto+0x10/0x10
[    2.517965]  ? __pfx_vfs_read+0x10/0x10
[    2.519358]  ? __fget_light+0x1b0/0x200
[    2.520751]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.522530]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.524230]  ? do_syscall_64+0x6a/0x90
[    2.525584]  ? ksys_write+0x131/0x160
[    2.526940]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.528669]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.530614]  ? do_syscall_64+0x6a/0x90
[    2.531997]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.533922]  ? clear_bhb_loop+0x45/0xa0
[    2.535381]  ? clear_bhb_loop+0x45/0xa0
[    2.536822]  ? clear_bhb_loop+0x45/0xa0
[    2.538222]  ? clear_bhb_loop+0x45/0xa0
[    2.539635]  ? clear_bhb_loop+0x45/0xa0
[    2.541056]  entry_SYSCALL_64_after_hwframe+0x78/0xe2
[    2.542866] RIP: 0033:0x421580
[    2.544052] Code: 40 00 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d a1 b5 08 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89
[    2.550459] RSP: 002b:00007fffff9a8f88 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[    2.553126] RAX: ffffffffffffffda RBX: 00007fffff9a9408 RCX: 0000000000421580
[    2.555649] RDX: 0000000000000024 RSI: 00000000004aba80 RDI: 0000000000000003
[    2.558193] RBP: 00007fffff9a8fe0 R08: 00000000004bd620 R09: 0000000000000010
[    2.560709] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fffff9a93f8
[    2.563256] R13: 0000000000000001 R14: 00000000004a6830 R15: 0000000000000001
[    2.565771]  </TASK>
[    2.566619] Modules linked in:
[    2.567815] ---[ end trace 0000000000000000 ]---
[    2.569519] RIP: 0010:__list_del_entry_valid_or_report+0x8b/0x100
[    2.571734] Code: 75 ff 48 8b 55 08 49 39 d5 75 71 5b b8 01 00 00 00 5d 41 5c 41 5d c3 cc cc cc cc 48 89 de 48 c7 c7 00 88 b2 83 e8 95 29 3f ff <0f> 0b 48 89 de 48 c7 c7 60 88 b2 83 e8 84 29 3f ff 0f 0b 48 89 ea
[    2.578180] RSP: 0018:ffff888104f6f158 EFLAGS: 00010246
[    2.580066] RAX: 0000000000000033 RBX: ffff88810037c558 RCX: 0000000000000000
[    2.582660] RDX: 0000000000000000 RSI: ffffffff812fbf44 RDI: ffffffff86aaa5c0
[    2.585216] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10209eddd2
[    2.587793] R10: ffff888104f6ee97 R11: 6c65645f7473696c R12: 0000000000000000
[    2.590332] R13: ffff88810037c560 R14: 00000000f0060000 R15: ffff8881050b0000
[    2.592890] FS:  000000002baf6380(0000) GS:ffff888152200000(0000) knlGS:0000000000000000
[    2.595756] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    2.597832] CR2: 00000000004c3118 CR3: 0000000104216002 CR4: 0000000000370ef0
[    2.600390] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[    2.602981] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[    2.605531] Kernel panic - not syncing: Fatal exception in interrupt
[    2.608567] Kernel Offset: disabled

[hexfoureight]

If I compile the stable version of the patch commit (https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9030a91235ae4845ec71902c3e0cecfc9ed1f2df) with KASAN and run the exploit, it still crashes the kernel.

The crash is unrelated to the vulnerability, it's caused by patches being applied in a different order to 6.6 stable and upstream. Commit a43783119e01 (net_sched: qfq: Fix double list add in class with netem as child qdisc) was originally introduced a couple weeks after 36269156033f (sch_qfq: make qfq_qlen_notify() idempotent) and relies on it, but the patches were applied to 6.6 stable in the reverse order. The patch fixing the vulnerability happens to be between them on 6.6 stable, so the compiled kernel has a43783119e01 but not 36269156033f. The cl_is_active() function introduced by a43783119e01 assumes that the class's active list is initialized with INIT_LIST_HEAD(), which was not the case before 36269156033f, leading to a null dereference.

These commits are all part of 6.6.90, so compiling that kernel instead should fix the crash.

[koczkatamas]

Thank you for the detailed explanation. I could reproduce that the upstream commit (51eb3b6) indeed fixes the vuln.