| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025040130-CVE-2025-21915-b56c@gregkh> Date: Tue, 1 Apr 2025 16:39:39 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2025-21915: cdx: Fix possible UAF error in driver_override_show() Description =========== In the Linux kernel, the following vulnerability has been resolved: cdx: Fix possible UAF error in driver_override_show() Fixed a possible UAF problem in driver_override_show() in drivers/cdx/cdx.c This function driver_override_show() is part of DEVICE_ATTR_RW, which includes both driver_override_show() and driver_override_store(). These functions can be executed concurrently in sysfs. The driver_override_store() function uses driver_set_override() to update the driver_override value, and driver_set_override() internally locks the device (device_lock(dev)). If driver_override_show() reads cdx_dev->driver_override without locking, it could potentially access a freed pointer if driver_override_store() frees the string concurrently. This could lead to printing a kernel address, which is a security risk since DEVICE_ATTR can be read by all users. Additionally, a similar pattern is used in drivers/amba/bus.c, as well as many other bus drivers, where device_lock() is taken in the show function, and it has been working without issues. This potential bug was detected by our experimental static analysis tool, which analyzes locking APIs and paired functions to identify data races and atomicity violations. The Linux kernel CVE team has assigned CVE-2025-21915 to this issue. Affected and fixed versions =========================== Issue introduced in 5.10 with commit 1f86a00c1159fd77e66b1bd6ff1a183f4d46f34d and fixed in 6.6.83 with commit d7b339bbc887bcfc1a5b620bfc70c6fbb8f733bf Issue introduced in 5.10 with commit 1f86a00c1159fd77e66b1bd6ff1a183f4d46f34d and fixed in 6.12.19 with commit 8473135f89c0949436a22adb05b8cece2fb3da91 Issue introduced in 5.10 with commit 1f86a00c1159fd77e66b1bd6ff1a183f4d46f34d and fixed in 6.13.7 with commit 0439d541aa8d3444ad41c39e39eb71acb57acde3 Issue introduced in 5.10 with commit 1f86a00c1159fd77e66b1bd6ff1a183f4d46f34d and fixed in 6.14 with commit 91d44c1afc61a2fec37a9c7a3485368309391e0b Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-21915 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/cdx/cdx.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/d7b339bbc887bcfc1a5b620bfc70c6fbb8f733bf https://git.kernel.org/stable/c/8473135f89c0949436a22adb05b8cece2fb3da91 https://git.kernel.org/stable/c/0439d541aa8d3444ad41c39e39eb71acb57acde3 https://git.kernel.org/stable/c/91d44c1afc61a2fec37a9c7a3485368309391e0b
Powered by blists - more mailing lists