Message-ID: <2025032714-CVE-2025-21887-48e8@gregkh>
Date: Thu, 27 Mar 2025 15:58:21 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2025-21887: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up

The issue was caused by dput(upper) being called before
ovl_dentry_update_reval(), while upper->d_flags was still
accessed in ovl_dentry_remote().

Move dput(upper) after its last use to prevent use-after-free.

BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline]
BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167

Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 ovl_dentry_remote fs/overlayfs/util.c:162 [inline]
 ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167
 ovl_link_up fs/overlayfs/copy_up.c:610 [inline]
 ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170
 ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223
 ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136
 vfs_rename+0xf84/0x20a0 fs/namei.c:4893
...
 </TASK>

The Linux kernel CVE team has assigned CVE-2025-21887 to this issue.
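The ordering mistake described above (dropping the last reference with dput() and then reading the object's d_flags) is easier to see in a small model than in the KASAN trace. The following is an added illustration, not kernel code and not part of this announcement: toy_dentry, toy_dput(), toy_dentry_remote(), toy_update_reval(), link_up_buggy() and link_up_fixed() are hypothetical stand-ins for the real dentry, dput(), ovl_dentry_remote(), ovl_dentry_update_reval() and the two orderings in ovl_link_up(); the flag values are invented. Instead of freeing memory, toy_dput() sets a "freed" marker so the read-after-drop can be reported the way KASAN would, without relying on undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>

/* Invented flag bits, standing in for the dcache "needs revalidation" flags. */
#define TOY_OP_REVALIDATE       0x01u
#define TOY_OP_WEAK_REVALIDATE  0x02u

/* Toy stand-in for struct dentry: a refcounted object carrying d_flags. */
struct toy_dentry {
    int refcount;
    unsigned int d_flags;
    bool freed;   /* stands in for KASAN marking the slab object as freed */
};

static struct toy_dentry toy_dentry_new(unsigned int flags)
{
    struct toy_dentry d = { .refcount = 1, .d_flags = flags, .freed = false };
    return d;
}

/* Mimics dput(): drop one reference; when the last one goes, the object is "freed". */
static void toy_dput(struct toy_dentry *d)
{
    if (d->freed)
        return;           /* guard against a double drop in this toy model */
    if (--d->refcount == 0)
        d->freed = true;
}

/* Mimics ovl_dentry_remote(): does this dentry's d_flags request revalidation?
 * Returns 1 or 0, or -1 when the read touches a freed object (what KASAN reports). */
static int toy_dentry_remote(const struct toy_dentry *d)
{
    if (d->freed)
        return -1;
    return (d->d_flags & (TOY_OP_REVALIDATE | TOY_OP_WEAK_REVALIDATE)) ? 1 : 0;
}

/* Mimics ovl_dentry_update_reval(): propagate "remote" from the upper dentry
 * into the overlay dentry's flags. Returns 0, or -1 if the upper read failed. */
static int toy_update_reval(unsigned int *ovl_flags, const struct toy_dentry *upper)
{
    int remote = toy_dentry_remote(upper);
    if (remote < 0)
        return -1;
    if (remote)
        *ovl_flags |= TOY_OP_REVALIDATE;
    return 0;
}

/* Buggy ordering: the reference is dropped before upper->d_flags is read.
 * Returns the resulting overlay flags, or -1 when the use-after-free is detected. */
int link_up_buggy(unsigned int upper_flags)
{
    struct toy_dentry upper = toy_dentry_new(upper_flags);
    unsigned int ovl_flags = 0;

    toy_dput(&upper);                              /* last reference gone here */
    if (toy_update_reval(&ovl_flags, &upper) < 0)  /* reads d_flags after the drop */
        return -1;
    return (int)ovl_flags;
}

/* Fixed ordering: read the flags first, drop the reference after the last use. */
int link_up_fixed(unsigned int upper_flags)
{
    struct toy_dentry upper = toy_dentry_new(upper_flags);
    unsigned int ovl_flags = 0;
    int ret = toy_update_reval(&ovl_flags, &upper);

    toy_dput(&upper);                              /* moved after the last use */
    return ret < 0 ? -1 : (int)ovl_flags;
}

int main(void)
{
    printf("buggy ordering : %d (negative means read of freed object)\n",
           link_up_buggy(TOY_OP_REVALIDATE));
    printf("fixed ordering : %#x\n", (unsigned int)link_up_fixed(TOY_OP_REVALIDATE));
    return 0;
}
```

The point to take from the model is that the object's lifetime is tied to the reference count, so "last use" must come before "last dput()"; a KASAN build catches the reversed order at runtime, which is why the report above names ovl_dentry_remote() as the faulting reader and ovl_link_up() as the caller that had already dropped the reference.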


Affected and fixed versions
===========================

	Issue introduced in 5.15.121 with commit 62f29ca45f832e281fc14966ac25f6ff3bd121ca and fixed in 5.15.179 with commit 4b49d939b5a79117f939b77cc67efae2694d9799
	Issue introduced in 6.1.39 with commit e4f2a1feebb3f209a0fca82aa53507a5b8be4d53 and fixed in 6.1.130 with commit a7c41830ffcd17b2177a95a9b99b270302090c35
	Issue introduced in 6.5 with commit b07d5cc93e1b28df47a72c519d09d0a836043613 and fixed in 6.6.81 with commit 64455c8051c3aedc71abb7ec8d47c80301f99f00
	Issue introduced in 6.5 with commit b07d5cc93e1b28df47a72c519d09d0a836043613 and fixed in 6.12.18 with commit 3594aad97e7be2557ca9fa9c931b206b604028c8
	Issue introduced in 6.5 with commit b07d5cc93e1b28df47a72c519d09d0a836043613 and fixed in 6.13.6 with commit 60b4b5c1277fc491da9e1e7abab307bfa39c2db7
	Issue introduced in 6.5 with commit b07d5cc93e1b28df47a72c519d09d0a836043613 and fixed in 6.14 with commit c84e125fff2615b4d9c259e762596134eddd2f27
	Issue introduced in 5.10.188 with commit 714ba10a6dd19752a349e59aa875f3288ccb59b9
	Issue introduced in 6.3.13 with commit 33ab4dd6202f359558a0a2678b94d1b9994c17e5
	Issue introduced in 6.4.4 with commit 1ecdc55e5cd9f70f8d7513802971d4cffb9f77af

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21887
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	fs/overlayfs/copy_up.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/4b49d939b5a79117f939b77cc67efae2694d9799
	https://git.kernel.org/stable/c/a7c41830ffcd17b2177a95a9b99b270302090c35
	https://git.kernel.org/stable/c/64455c8051c3aedc71abb7ec8d47c80301f99f00
	https://git.kernel.org/stable/c/3594aad97e7be2557ca9fa9c931b206b604028c8
	https://git.kernel.org/stable/c/60b4b5c1277fc491da9e1e7abab307bfa39c2db7
	https://git.kernel.org/stable/c/c84e125fff2615b4d9c259e762596134eddd2f27
