Message-ID: <2025021350-CVE-2025-21701-ce96@gregkh>
Date: Thu, 13 Feb 2025 16:05:51 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2025-21701: net: avoid race between device unregistration and ethnl ops

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

net: avoid race between device unregistration and ethnl ops

The following trace can be seen if a device is being unregistered while
its number of channels is being modified.

DEBUG_LOCKS_WARN_ON(lock->magic != lock)
WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120
CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771
RIP: 0010:__mutex_lock+0xc8a/0x1120
Call Trace:
<TASK>
ethtool_check_max_channel+0x1ea/0x880
ethnl_set_channels+0x3c3/0xb10
ethnl_default_set_doit+0x306/0x650
genl_family_rcv_msg_doit+0x1e3/0x2c0
genl_rcv_msg+0x432/0x6f0
netlink_rcv_skb+0x13d/0x3b0
genl_rcv+0x28/0x40
netlink_unicast+0x42e/0x720
netlink_sendmsg+0x765/0xc20
__sys_sendto+0x3ac/0x420
__x64_sys_sendto+0xe0/0x1c0
do_syscall_64+0x95/0x180
entry_SYSCALL_64_after_hwframe+0x76/0x7e

This is because unregister_netdevice_many_notify might run before the
rtnl lock section of ethnl operations, e.g. set_channels in the above
example. In this example the rss lock would be destroyed by the device
unregistration path before being used again, but in general running
ethnl operations while dismantle has started is not a good idea.

Fix this by denying any operation on devices being unregistered. A check
was already there in ethnl_ops_begin, but not wide enough.

Note that the same issue cannot be seen on the ioctl version
(__dev_ethtool) because the device reference is retrieved from within
the rtnl lock section there. Once dismantle started, the net device is
unlisted and no reference will be found.

The Linux kernel CVE team has assigned CVE-2025-21701 to this issue.

Affected and fixed versions
===========================

	Issue introduced in 5.16 with commit dde91ccfa25fd58f64c397d91b81a4b393100ffa and fixed in 6.6.76 with commit 2f29127e94ae9fdc7497331003d6860e9551cdf3
	Issue introduced in 5.16 with commit dde91ccfa25fd58f64c397d91b81a4b393100ffa and fixed in 6.12.13 with commit b382ab9b885cbb665e0e70a727f101c981b4edf3
	Issue introduced in 5.16 with commit dde91ccfa25fd58f64c397d91b81a4b393100ffa and fixed in 6.13.2 with commit 4dc880245f9b529fa8f476b5553c799d2848b47b
	Issue introduced in 5.16 with commit dde91ccfa25fd58f64c397d91b81a4b393100ffa and fixed in 6.14-rc1 with commit 12e070eb6964b341b41677fd260af5a305316a1f
	Issue introduced in 5.10.87 with commit 7c26da3be1e9843a15b5318f90db8a564479d2ac
	Issue introduced in 5.15.8 with commit cfd719f04267108f5f5bf802b9d7de69e99a99f9

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21701
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	net/ethtool/netlink.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/2f29127e94ae9fdc7497331003d6860e9551cdf3
https://git.kernel.org/stable/c/b382ab9b885cbb665e0e70a727f101c981b4edf3
https://git.kernel.org/stable/c/4dc880245f9b529fa8f476b5553c799d2848b47b
https://git.kernel.org/stable/c/12e070eb6964b341b41677fd260af5a305316a1f
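
Added example, not part of the announcement or of the kernel project's own tooling: a triage check that maps a kernel release string to the version data in the "Affected and fixed versions" section. It assumes an unmodified kernel.org release string (distribution kernels may carry the fix under an older base version), and the function names are hypothetical.

```python
import platform
import re

# Version data copied from the "Affected and fixed versions" section above.
BUG_BACKPORTED = {(5, 10): 87, (5, 15): 8}               # first affected release per series
FIX_BACKPORTED = {(6, 6): 76, (6, 12): 13, (6, 13): 2}   # first fixed release per series
MAINLINE_INTRODUCED = (5, 16)
MAINLINE_FIXED = (6, 14)                                 # fixed in 6.14-rc1


def parse_release(release):
    """Split 'X.Y[.Z][-suffix]' into ((X, Y), Z); a missing Z counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2))), int(m.group(3) or 0)


def cve_2025_21701_status(release):
    """Return 'fixed', 'affected' or 'not affected' for an upstream release."""
    series, patch = parse_release(release)
    if series >= MAINLINE_FIXED:
        return "fixed"
    if series in FIX_BACKPORTED:
        return "fixed" if patch >= FIX_BACKPORTED[series] else "affected"
    if series in BUG_BACKPORTED:
        return "affected" if patch >= BUG_BACKPORTED[series] else "not affected"
    # Series from 5.16 onwards with no fix listed in the announcement
    # (for example 6.1.y) are reported as affected.
    return "affected" if series >= MAINLINE_INTRODUCED else "not affected"


if __name__ == "__main__":
    # Check the running kernel only where the release string is a Linux one.
    if platform.system() == "Linux":
        running = platform.release()
        print(running, "->", cve_2025_21701_status(running))
    # Constructed sample release strings covering the cases in the version list.
    for sample in ("5.10.86", "5.15.8", "6.6.75", "6.6.76", "6.13.0-rc6+", "6.14-rc1"):
        print(sample, "->", cve_2025_21701_status(sample))
```

The result reflects the version list as published in this announcement; the CVE record linked above is the place to check for later backports.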