| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025040131-CVE-2025-21919-5f2a@gregkh> Date: Tue, 1 Apr 2025 16:39:43 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2025-21919: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list Description =========== In the Linux kernel, the following vulnerability has been resolved: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list child_cfs_rq_on_list attempts to convert a 'prev' pointer to a cfs_rq. This 'prev' pointer can originate from struct rq's leaf_cfs_rq_list, making the conversion invalid and potentially leading to memory corruption. Depending on the relative positions of leaf_cfs_rq_list and the task group (tg) pointer within the struct, this can cause a memory fault or access garbage data. The issue arises in list_add_leaf_cfs_rq, where both cfs_rq->leaf_cfs_rq_list and rq->leaf_cfs_rq_list are added to the same leaf list. Also, rq->tmp_alone_branch can be set to rq->leaf_cfs_rq_list. This adds a check `if (prev == &rq->leaf_cfs_rq_list)` after the main conditional in child_cfs_rq_on_list. This ensures that the container_of operation will convert a correct cfs_rq struct. This check is sufficient because only cfs_rqs on the same CPU are added to the list, so verifying the 'prev' pointer against the current rq's list head is enough. Fixes a potential memory corruption issue that due to current struct layout might not be manifesting as a crash but could lead to unpredictable behavior when the layout changes. The Linux kernel CVE team has assigned CVE-2025-21919 to this issue. Affected and fixed versions =========================== Issue introduced in 5.13 with commit fdaba61ef8a268d4136d0a113d153f7a89eb9984 and fixed in 5.15.179 with commit 5cb300dcdd27e6a351ac02541e0231261c775852 Issue introduced in 5.13 with commit fdaba61ef8a268d4136d0a113d153f7a89eb9984 and fixed in 6.1.131 with commit 000c9ee43928f2ce68a156dd40bab7616256f4dd Issue introduced in 5.13 with commit fdaba61ef8a268d4136d0a113d153f7a89eb9984 and fixed in 6.6.83 with commit 9cc7f0018609f75a349e42e3aebc3b0e905ba775 Issue introduced in 5.13 with commit fdaba61ef8a268d4136d0a113d153f7a89eb9984 and fixed in 6.12.19 with commit b5741e4b9ef3567613b2351384f91d3f16e59986 Issue introduced in 5.13 with commit fdaba61ef8a268d4136d0a113d153f7a89eb9984 and fixed in 6.13.7 with commit e1dd09df30ba86716cb2ffab97dc35195c01eb8f Issue introduced in 5.13 with commit fdaba61ef8a268d4136d0a113d153f7a89eb9984 and fixed in 6.14 with commit 3b4035ddbfc8e4521f85569998a7569668cccf51 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-21919 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: kernel/sched/fair.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/5cb300dcdd27e6a351ac02541e0231261c775852 https://git.kernel.org/stable/c/000c9ee43928f2ce68a156dd40bab7616256f4dd https://git.kernel.org/stable/c/9cc7f0018609f75a349e42e3aebc3b0e905ba775 https://git.kernel.org/stable/c/b5741e4b9ef3567613b2351384f91d3f16e59986 https://git.kernel.org/stable/c/e1dd09df30ba86716cb2ffab97dc35195c01eb8f https://git.kernel.org/stable/c/3b4035ddbfc8e4521f85569998a7569668cccf51
Powered by blists - more mailing lists