Message-ID: <2025041654-CVE-2025-22025-41c4@gregkh>
Date: Wed, 16 Apr 2025 16:11:56 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2025-22025: nfsd: put dl_stid if fail to queue dl_recall

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

nfsd: put dl_stid if fail to queue dl_recall

Before calling nfsd4_run_cb to queue dl_recall to the callback_wq, we
increment the reference count of dl_stid.
We expect that after the corresponding work_struct is processed, the
reference count of dl_stid will be decremented through the callback
function nfsd4_cb_recall_release.
However, if the call to nfsd4_run_cb fails, the incremented reference
count of dl_stid will not be decremented correspondingly, leading to the
following nfs4_stid leak:
unreferenced object 0xffff88812067b578 (size 344):
  comm "nfsd", pid 2761, jiffies 4295044002 (age 5541.241s)
  hex dump (first 32 bytes):
    01 00 00 00 6b 6b 6b 6b b8 02 c0 e2 81 88 ff ff  ....kkkk........
    00 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 ad 4e ad de  .kkkkkkk.....N..
  backtrace:
    kmem_cache_alloc+0x4b9/0x700
    nfsd4_process_open1+0x34/0x300
    nfsd4_open+0x2d1/0x9d0
    nfsd4_proc_compound+0x7a2/0xe30
    nfsd_dispatch+0x241/0x3e0
    svc_process_common+0x5d3/0xcc0
    svc_process+0x2a3/0x320
    nfsd+0x180/0x2e0
    kthread+0x199/0x1d0
    ret_from_fork+0x30/0x50
    ret_from_fork_asm+0x1b/0x30
unreferenced object 0xffff8881499f4d28 (size 368):
  comm "nfsd", pid 2761, jiffies 4295044005 (age 5541.239s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 30 4d 9f 49 81 88 ff ff  ........0M.I....
    30 4d 9f 49 81 88 ff ff 20 00 00 00 01 00 00 00  0M.I.... .......
  backtrace:
    kmem_cache_alloc+0x4b9/0x700
    nfs4_alloc_stid+0x29/0x210
    alloc_init_deleg+0x92/0x2e0
    nfs4_set_delegation+0x284/0xc00
    nfs4_open_delegation+0x216/0x3f0
    nfsd4_process_open2+0x2b3/0xee0
    nfsd4_open+0x770/0x9d0
    nfsd4_proc_compound+0x7a2/0xe30
    nfsd_dispatch+0x241/0x3e0
    svc_process_common+0x5d3/0xcc0
    svc_process+0x2a3/0x320
    nfsd+0x180/0x2e0
    kthread+0x199/0x1d0
    ret_from_fork+0x30/0x50
    ret_from_fork_asm+0x1b/0x30
Fix it by checking the result of nfsd4_run_cb and calling nfs4_put_stid if
it fails to queue dl_recall.
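The reference-counting mistake described above, shown as an added user-space model written for this page. It is not code from the kernel, from the fix commit, or from the CVE team; the struct names, the put/get helpers, the synchronous "processing" of the work item and the queue_ok switch that stands in for a queuing failure are all constructed here so the two code paths can be compared outside a kernel. Only the names nfsd4_run_cb, nfsd4_cb_recall_release and nfs4_put_stid come from the advisory text.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for struct nfs4_stid: just the reference count and a
 * flag recording whether the last reference was dropped. */
struct stid {
	int refcount;	/* models sc_count (a refcount_t in the kernel) */
	bool freed;	/* true once refcount reached zero */
};

/* Constructed stand-in for the dl_recall work item. */
struct recall_work {
	struct stid *stid;
	void (*release)(struct stid *);
};

static void get_stid(struct stid *s)
{
	s->refcount++;
}

/* Models nfs4_put_stid: drop one reference, "free" on the last one. */
static void put_stid(struct stid *s)
{
	if (--s->refcount == 0)
		s->freed = true;
}

/* Models nfsd4_cb_recall_release: runs after the work has been processed
 * and returns the reference taken before queuing. */
static void recall_release(struct stid *s)
{
	put_stid(s);
}

/* Models nfsd4_run_cb. queue_ok is a constructed switch standing in for
 * whatever makes queuing fail; on failure nothing is processed, so the
 * release callback never runs and its reference is never returned. */
static bool run_cb(struct recall_work *w, bool queue_ok)
{
	if (!queue_ok)
		return false;
	w->release(w->stid);	/* processed synchronously in this model */
	return true;
}

/* Before the fix: the return value of run_cb is ignored. */
static void recall_before_fix(struct stid *s, bool queue_ok)
{
	struct recall_work w = { .stid = s, .release = recall_release };

	get_stid(s);
	run_cb(&w, queue_ok);
}

/* After the fix: put the reference back if the work could not be queued. */
static void recall_after_fix(struct stid *s, bool queue_ok)
{
	struct recall_work w = { .stid = s, .release = recall_release };

	get_stid(s);
	if (!run_cb(&w, queue_ok))
		put_stid(s);
}

/* Start from one owner reference, run one recall attempt, and report how
 * many references remain. A correct run always leaves exactly 1; anything
 * more is a reference that will never be dropped (the kmemleak report). */
int remaining_refs(bool fixed, bool queue_ok)
{
	struct stid s = { .refcount = 1, .freed = false };

	if (fixed)
		recall_after_fix(&s, queue_ok);
	else
		recall_before_fix(&s, queue_ok);
	return s.refcount;
}

int main(void)
{
	printf("queue ok,    before fix: %d\n", remaining_refs(false, true));
	printf("queue fails, before fix: %d  (leaked reference)\n",
	       remaining_refs(false, false));
	printf("queue ok,    after fix:  %d\n", remaining_refs(true, true));
	printf("queue fails, after fix:  %d\n", remaining_refs(true, false));
	return 0;
}
```

The point the model makes is an ownership one: the reference taken before queuing belongs to the work item, and the only code that can return it on the failure path is the caller that failed to hand it over. The same review question applies to any "take a reference, then enqueue" sequence in a kernel or daemon: if the enqueue can fail, who drops the reference?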

The Linux kernel CVE team has assigned CVE-2025-22025 to this issue.


Affected and fixed versions
===========================

	Fixed in 5.10.236 with commit b874cdef4e67e5150e07eff0eae1cbb21fb92da1
	Fixed in 5.15.180 with commit cdb796137c57e68ca34518d53be53b679351eb86
	Fixed in 6.1.134 with commit d96587cc93ec369031bcd7658c6adc719873c9fd
	Fixed in 6.6.87 with commit 9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1
	Fixed in 6.12.23 with commit cad3479b63661a399c9df1d0b759e1806e2df3c8
	Fixed in 6.13.11 with commit 63b91c8ff4589f5263873b24c052447a28e10ef7
	Fixed in 6.14.2 with commit 133f5e2a37ce08c82d24e8fba65e0a81deae4609
	Fixed in 6.15-rc1 with commit 230ca758453c63bd38e4d9f4a21db698f7abada8

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-22025
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	fs/nfsd/nfs4state.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/b874cdef4e67e5150e07eff0eae1cbb21fb92da1
	https://git.kernel.org/stable/c/cdb796137c57e68ca34518d53be53b679351eb86
	https://git.kernel.org/stable/c/d96587cc93ec369031bcd7658c6adc719873c9fd
	https://git.kernel.org/stable/c/9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1
	https://git.kernel.org/stable/c/cad3479b63661a399c9df1d0b759e1806e2df3c8
	https://git.kernel.org/stable/c/63b91c8ff4589f5263873b24c052447a28e10ef7
	https://git.kernel.org/stable/c/133f5e2a37ce08c82d24e8fba65e0a81deae4609
	https://git.kernel.org/stable/c/230ca758453c63bd38e4d9f4a21db698f7abada8
