Conversation

@hexfoureight
Contributor

No description provided.

@koczkatamas
Collaborator

Hey!

If I compile the stable version of the patch commit (https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9030a91235ae4845ec71902c3e0cecfc9ed1f2df) with KASAN and run the exploit, it still crashes the kernel.

Can you help us understand why that is? Is this the right patch commit?

(This blocks the payout of the first half of the reward.)

Logs:

[    2.392382] drr_dequeue: qfq qdisc F002: is non-work-conserving?
[    2.394554] HFSC: drr qdisc F001: is non-work-conserving?
[    2.396466] HFSC: hfsc qdisc F000: is non-work-conserving?
[    2.398416] HFSC: hfsc qdisc 101: is non-work-conserving?
[    2.400396] HFSC: hfsc qdisc 100: is non-work-conserving?
[    2.402382] HFSC: hfsc qdisc 2: is non-work-conserving?
[    2.404488] HFSC: qfq qdisc F006: is non-work-conserving?
[    2.406433] list_del corruption, ffff88810037c558->next is NULL
[    2.408551] ------------[ cut here ]------------
[    2.410253] kernel BUG at lib/list_debug.c:52!
[    2.411880] invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
[    2.413930] CPU: 0 PID: 118 Comm: exp Not tainted 6.6.89+ #199
[    2.415968] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[    2.419225] RIP: 0010:__list_del_entry_valid_or_report+0x8b/0x100
[    2.421366] Code: 75 ff 48 8b 55 08 49 39 d5 75 71 5b b8 01 00 00 00 5d 41 5c 41 5d c3 cc cc cc cc 48 89 de 48 c7 c7 00 88 b2 83 e8 95 29 3f ff <0f> 0b 48 89 de 48 c7 c7 60 88 b2 83 e8 84 29 3f ff 0f 0b 48 89 ea
[    2.427689] RSP: 0018:ffff888104f6f158 EFLAGS: 00010246
[    2.429535] RAX: 0000000000000033 RBX: ffff88810037c558 RCX: 0000000000000000
[    2.432016] RDX: 0000000000000000 RSI: ffffffff812fbf44 RDI: ffffffff86aaa5c0
[    2.434486] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10209eddd2
[    2.436946] R10: ffff888104f6ee97 R11: 6c65645f7473696c R12: 0000000000000000
[    2.439394] R13: ffff88810037c560 R14: 00000000f0060000 R15: ffff8881050b0000
[    2.441904] FS:  000000002baf6380(0000) GS:ffff888152200000(0000) knlGS:0000000000000000
[    2.444680] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    2.446704] CR2: 00000000004c3118 CR3: 0000000104216002 CR4: 0000000000370ef0
[    2.449199] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[    2.451692] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[    2.454213] Call Trace:
[    2.455138]  <TASK>
[    2.455935]  qfq_qlen_notify+0x37/0xf0
[    2.457293]  qdisc_tree_reduce_backlog+0xdf/0x230
[    2.458950]  qfq_graft_class+0x12f/0x2b0
[    2.460349]  ? __pfx_qfq_graft_class+0x10/0x10
[    2.461959]  qdisc_graft+0x231/0xa90
[    2.463240]  ? __pfx_qdisc_graft+0x10/0x10
[    2.464710]  ? is_bpf_text_address+0x1e/0x30
[    2.466238]  ? kernel_text_address+0x11f/0x130
[    2.467822]  ? __kernel_text_address+0xe/0x30
[    2.469377]  tc_get_qdisc+0x31a/0x5a0
[    2.470703]  ? __pfx_tc_get_qdisc+0x10/0x10
[    2.472187]  ? mutex_lock+0x8e/0xe0
[    2.473448]  ? __pfx_mutex_lock+0x10/0x10
[    2.474889]  ? security_capable+0x2e/0x80
[    2.476314]  rtnetlink_rcv_msg+0x206/0x580
[    2.477790]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[    2.479429]  netlink_rcv_skb+0xe6/0x220
[    2.480813]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[    2.482466]  ? __pfx_netlink_rcv_skb+0x10/0x10
[    2.484062]  ? __pfx___netlink_lookup+0x10/0x10
[    2.485693]  netlink_unicast+0x392/0x4e0
[    2.487097]  ? __pfx_netlink_unicast+0x10/0x10
[    2.488686]  ? preempt_count_sub+0x14/0xc0
[    2.490152]  ? __virt_addr_valid+0x128/0x1a0
[    2.491688]  ? __check_object_size+0x269/0x400
[    2.493282]  netlink_sendmsg+0x3ce/0x6f0
[    2.494686]  ? __pfx_netlink_sendmsg+0x10/0x10
[    2.496262]  ? __pfx_ip_make_skb+0x10/0x10
[    2.497751]  sock_write_iter+0x2d0/0x2e0
[    2.499151]  ? __pfx_sock_write_iter+0x10/0x10
[    2.500797]  ? apparmor_file_permission+0xfe/0x180
[    2.502503]  ? __pfx_sock_write_iter+0x10/0x10
[    2.504090]  vfs_write+0x5da/0x6a0
[    2.505341]  ? __pfx_vfs_write+0x10/0x10
[    2.506738]  ? __fget_light+0x1b0/0x200
[    2.508098]  ksys_write+0x131/0x160
[    2.509372]  ? __pfx_ksys_write+0x10/0x10
[    2.510811]  ? check_stack_object+0x22/0x70
[    2.512297]  ? inet_send_prepare+0x2f/0x120
[    2.513778]  do_syscall_64+0x5e/0x90
[    2.515057]  ? __sys_sendto+0x2cb/0x380
[    2.516446]  ? __pfx___sys_sendto+0x10/0x10
[    2.517965]  ? __pfx_vfs_read+0x10/0x10
[    2.519358]  ? __fget_light+0x1b0/0x200
[    2.520751]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.522530]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.524230]  ? do_syscall_64+0x6a/0x90
[    2.525584]  ? ksys_write+0x131/0x160
[    2.526940]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.528669]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.530614]  ? do_syscall_64+0x6a/0x90
[    2.531997]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.533922]  ? clear_bhb_loop+0x45/0xa0
[    2.535381]  ? clear_bhb_loop+0x45/0xa0
[    2.536822]  ? clear_bhb_loop+0x45/0xa0
[    2.538222]  ? clear_bhb_loop+0x45/0xa0
[    2.539635]  ? clear_bhb_loop+0x45/0xa0
[    2.541056]  entry_SYSCALL_64_after_hwframe+0x78/0xe2
[    2.542866] RIP: 0033:0x421580
[    2.544052] Code: 40 00 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d a1 b5 08 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89
[    2.550459] RSP: 002b:00007fffff9a8f88 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[    2.553126] RAX: ffffffffffffffda RBX: 00007fffff9a9408 RCX: 0000000000421580
[    2.555649] RDX: 0000000000000024 RSI: 00000000004aba80 RDI: 0000000000000003
[    2.558193] RBP: 00007fffff9a8fe0 R08: 00000000004bd620 R09: 0000000000000010
[    2.560709] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fffff9a93f8
[    2.563256] R13: 0000000000000001 R14: 00000000004a6830 R15: 0000000000000001
[    2.565771]  </TASK>
[    2.566619] Modules linked in:
[    2.567815] ---[ end trace 0000000000000000 ]---
[    2.569519] RIP: 0010:__list_del_entry_valid_or_report+0x8b/0x100
[    2.571734] Code: 75 ff 48 8b 55 08 49 39 d5 75 71 5b b8 01 00 00 00 5d 41 5c 41 5d c3 cc cc cc cc 48 89 de 48 c7 c7 00 88 b2 83 e8 95 29 3f ff <0f> 0b 48 89 de 48 c7 c7 60 88 b2 83 e8 84 29 3f ff 0f 0b 48 89 ea
[    2.578180] RSP: 0018:ffff888104f6f158 EFLAGS: 00010246
[    2.580066] RAX: 0000000000000033 RBX: ffff88810037c558 RCX: 0000000000000000
[    2.582660] RDX: 0000000000000000 RSI: ffffffff812fbf44 RDI: ffffffff86aaa5c0
[    2.585216] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10209eddd2
[    2.587793] R10: ffff888104f6ee97 R11: 6c65645f7473696c R12: 0000000000000000
[    2.590332] R13: ffff88810037c560 R14: 00000000f0060000 R15: ffff8881050b0000
[    2.592890] FS:  000000002baf6380(0000) GS:ffff888152200000(0000) knlGS:0000000000000000
[    2.595756] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    2.597832] CR2: 00000000004c3118 CR3: 0000000104216002 CR4: 0000000000370ef0
[    2.600390] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[    2.602981] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[    2.605531] Kernel panic - not syncing: Fatal exception in interrupt
[    2.608567] Kernel Offset: disabled

@hexfoureight
Contributor Author

If I compile the stable version of the patch commit (https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9030a91235ae4845ec71902c3e0cecfc9ed1f2df) with KASAN and run the exploit, it still crashes the kernel.

The crash is unrelated to the vulnerability; it's caused by patches being applied in a different order to 6.6 stable and upstream. Commit a43783119e01 (net_sched: qfq: Fix double list add in class with netem as child qdisc) was originally introduced a couple of weeks after 36269156033f (sch_qfq: make qfq_qlen_notify() idempotent) and relies on it, but the patches were applied to 6.6 stable in the reverse order. The patch fixing the vulnerability happens to be between them on 6.6 stable, so the compiled kernel has a43783119e01 but not 36269156033f. The cl_is_active() function introduced by a43783119e01 assumes that the class's active list is initialized with INIT_LIST_HEAD(), which was not the case before 36269156033f, leading to a null dereference.

These commits are all part of 6.6.90, so compiling that kernel instead should fix the crash.
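A small user-space model of the ordering problem described above, added here as an illustration and not code from the kernel or from this PR. It assumes that cl_is_active() is `!list_empty(&cl->alist)` and models the kernel list helpers just far enough to show why a zeroed but never INIT_LIST_HEAD()ed active list is misreported as "active", and why the list_del validity check then trips on `->next is NULL`:

```c
#include <stdbool.h>
#include <stddef.h>
/* Minimal model of the kernel's circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };
static void init_list_head(struct list_head *h) { h->next = h->prev = h; }
static void list_add_m(struct list_head *e, struct list_head *head) {
    e->next = head->next; e->prev = head; head->next->prev = e; head->next = e;
}
/* list_empty() only compares next with the head: a zeroed head (next == NULL) is NOT "empty". */
static bool list_empty_m(const struct list_head *h) { return h->next == h; }
/* Mirrors __list_del_entry_valid(): false where the kernel would report "->next is NULL". */
static bool list_del_entry_valid(const struct list_head *e) {
    if (e->next == NULL || e->prev == NULL) return false;
    return e->prev->next == e && e->next->prev == e;
}
static bool list_del_init_m(struct list_head *e) {
    if (!list_del_entry_valid(e)) return false;
    e->prev->next = e->next; e->next->prev = e->prev;
    init_list_head(e);
    return true;
}

struct qfq_class { struct list_head alist; };   /* only the field that matters here */

/* Assumed body of cl_is_active() from a43783119e01. */
static bool cl_is_active(const struct qfq_class *cl) { return !list_empty_m(&cl->alist); }

/* Model of the deactivate path: 0 = seen as inactive, 1 = removed, -1 = list_del would BUG(). */
static int deactivate_if_active(struct qfq_class *cl) {
    if (!cl_is_active(cl)) return 0;
    return list_del_init_m(&cl->alist) ? 1 : -1;
}

/* Zeroed class (as kzalloc gives) whose alist was never INIT_LIST_HEAD()ed: the 6.6.89 ordering. */
int scenario_uninitialised(void) {
    struct qfq_class cl = { { NULL, NULL } };
    return deactivate_if_active(&cl);   /* cl_is_active() wrongly true, next == NULL -> -1 */
}
/* Same class with INIT_LIST_HEAD(): an idle class is correctly seen as inactive. */
int scenario_initialised_idle(void) {
    struct qfq_class cl;
    init_list_head(&cl.alist);
    return deactivate_if_active(&cl);   /* 0 */
}
/* Class on an active list, deactivated twice: the second call is a no-op (idempotent). */
int scenario_initialised_active_twice(void) {
    struct list_head active; struct qfq_class cl;
    init_list_head(&active); init_list_head(&cl.alist); list_add_m(&cl.alist, &active);
    int first = deactivate_if_active(&cl), second = deactivate_if_active(&cl);
    return first * 10 + second;   /* 10 */
}
```

The first scenario is the 6.6.89 crash in miniature: the uninitialised head looks non-empty, so the deactivate path runs list_del on it and the validity check fires, exactly as `list_del corruption, ...->next is NULL` in the log above.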

@koczkatamas koczkatamas added the kCTF: vuln OK The submission exploits the claims vulnerability (passed manual verification) label Jan 19, 2026
@koczkatamas
Collaborator

Thank you for the detailed explanation. I could reproduce that the upstream commit (51eb3b6) indeed fixes the vuln.
