| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022606-CVE-2025-21771-6032@gregkh>
Date: Wed, 26 Feb 2025 18:17:27 -0800
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2025-21771: sched_ext: Fix incorrect autogroup migration detection
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
sched_ext: Fix incorrect autogroup migration detection
scx_move_task() is called from sched_move_task() and tells the BPF scheduler
that cgroup migration is being committed. sched_move_task() is used by both
cgroup and autogroup migrations and scx_move_task() tried to filter out
autogroup migrations by testing the destination cgroup and PF_EXITING but
this is not enough. In fact, without explicitly tagging the thread which is
doing the cgroup migration, there is no good way to tell apart
scx_move_task() invocations for racing migration to the root cgroup and an
autogroup migration.
This led to scx_move_task() incorrectly ignoring a migration from non-root
cgroup to an autogroup of the root cgroup triggering the following warning:
WARNING: CPU: 7 PID: 1 at kernel/sched/ext.c:3725 scx_cgroup_can_attach+0x196/0x340
...
Call Trace:
<TASK>
cgroup_migrate_execute+0x5b1/0x700
cgroup_attach_task+0x296/0x400
__cgroup_procs_write+0x128/0x140
cgroup_procs_write+0x17/0x30
kernfs_fop_write_iter+0x141/0x1f0
vfs_write+0x31d/0x4a0
__x64_sys_write+0x72/0xf0
do_syscall_64+0x82/0x160
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Fix it by adding an argument to sched_move_task() that indicates whether the
moving is for a cgroup or autogroup migration. After the change,
scx_move_task() is called only for cgroup migrations and renamed to
scx_cgroup_move_task().
The Linux kernel CVE team has assigned CVE-2025-21771 to this issue.
Affected and fixed versions
===========================
Issue introduced in 6.12 with commit 8195136669661fdfe54e9a8923c33b31c92fc1da and fixed in 6.12.16 with commit 75bf2f80c046d2ec5a07455891ea0a9fb6d8b5f6
Issue introduced in 6.12 with commit 8195136669661fdfe54e9a8923c33b31c92fc1da and fixed in 6.13.4 with commit d8b510d0ddc65d8a71e0f9a3acc9ed5f010fc514
Issue introduced in 6.12 with commit 8195136669661fdfe54e9a8923c33b31c92fc1da and fixed in 6.14-rc3 with commit d6f3e7d564b2309e1f17e709a70eca78d7ca2bb8
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-21771
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
kernel/sched/autogroup.c
kernel/sched/core.c
kernel/sched/ext.c
kernel/sched/ext.h
kernel/sched/sched.h
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/75bf2f80c046d2ec5a07455891ea0a9fb6d8b5f6
https://git.kernel.org/stable/c/d8b510d0ddc65d8a71e0f9a3acc9ed5f010fc514
https://git.kernel.org/stable/c/d6f3e7d564b2309e1f17e709a70eca78d7ca2bb8
Powered by blists - more mailing lists