| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022607-CVE-2025-21781-7324@gregkh> Date: Wed, 26 Feb 2025 18:17:37 -0800 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2025-21781: batman-adv: fix panic during interface removal Description =========== In the Linux kernel, the following vulnerability has been resolved: batman-adv: fix panic during interface removal Reference counting is used to ensure that batadv_hardif_neigh_node and batadv_hard_iface are not freed before/during batadv_v_elp_throughput_metric_update work is finished. But there isn't a guarantee that the hard if will remain associated with a soft interface up until the work is finished. This fixes a crash triggered by reboot that looks like this: Call trace: batadv_v_mesh_free+0xd0/0x4dc [batman_adv] batadv_v_elp_throughput_metric_update+0x1c/0xa4 process_one_work+0x178/0x398 worker_thread+0x2e8/0x4d0 kthread+0xd8/0xdc ret_from_fork+0x10/0x20 (the batadv_v_mesh_free call is misleading, and does not actually happen) I was able to make the issue happen more reliably by changing hardif_neigh->bat_v.metric_work work to be delayed work. This allowed me to track down and confirm the fix. [sven@...fation.org: prevent entering batadv_v_elp_get_throughput without soft_iface] The Linux kernel CVE team has assigned CVE-2025-21781 to this issue. Affected and fixed versions =========================== Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 6.1.129 with commit 7eb5dd201695645af071592a50026eb780081a72 Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 6.6.79 with commit 072b2787321903287a126c148e8db87dd7ef96fe Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 6.12.16 with commit 2c3fb7df4cc6d043f70d4a8a10f8b915bbfb75e7 Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 6.13.4 with commit 522b1596ea19e327853804da2de60aeb9c5d6f42 Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 6.14-rc3 with commit ccb7276a6d26d6f8416e315b43b45e15ee7f29e2 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-21781 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/batman-adv/bat_v_elp.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/7eb5dd201695645af071592a50026eb780081a72 https://git.kernel.org/stable/c/072b2787321903287a126c148e8db87dd7ef96fe https://git.kernel.org/stable/c/2c3fb7df4cc6d043f70d4a8a10f8b915bbfb75e7 https://git.kernel.org/stable/c/522b1596ea19e327853804da2de60aeb9c5d6f42 https://git.kernel.org/stable/c/ccb7276a6d26d6f8416e315b43b45e15ee7f29e2
Powered by blists - more mailing lists