| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025041658-CVE-2025-22036-6469@gregkh>
Date: Wed, 16 Apr 2025 16:12:07 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2025-22036: exfat: fix random stack corruption after get_block
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
exfat: fix random stack corruption after get_block
When get_block is called with a buffer_head allocated on the stack, such
as do_mpage_readpage, stack corruption due to buffer_head UAF may occur in
the following race condition situation.
<CPU 0> <CPU 1>
mpage_read_folio
<<bh on stack>>
do_mpage_readpage
exfat_get_block
bh_read
__bh_read
get_bh(bh)
submit_bh
wait_on_buffer
...
end_buffer_read_sync
__end_buffer_read_notouch
unlock_buffer
<<keep going>>
...
...
...
...
<<bh is not valid out of mpage_read_folio>>
.
.
another_function
<<variable A on stack>>
put_bh(bh)
atomic_dec(bh->b_count)
* stack corruption here *
This patch returns -EAGAIN if a folio does not have buffers when bh_read
needs to be called. By doing this, the caller can fallback to functions
like block_read_full_folio(), create a buffer_head in the folio, and then
call get_block again.
Let's do not call bh_read() with on-stack buffer_head.
The Linux kernel CVE team has assigned CVE-2025-22036 to this issue.
Affected and fixed versions
===========================
Issue introduced in 6.8 with commit 11a347fb6cef62ce47e84b97c45f2b2497c7593b and fixed in 6.12.23 with commit 49b0a6ab8e528a0c1c50e37cef9b9c7c121365f2
Issue introduced in 6.8 with commit 11a347fb6cef62ce47e84b97c45f2b2497c7593b and fixed in 6.13.11 with commit f7447286363dc1e410bf30b87d75168f3519f9cc
Issue introduced in 6.8 with commit 11a347fb6cef62ce47e84b97c45f2b2497c7593b and fixed in 6.14.2 with commit f807a6bf2005740fa26b4f59c4a003dc966b9afd
Issue introduced in 6.8 with commit 11a347fb6cef62ce47e84b97c45f2b2497c7593b and fixed in 6.15-rc1 with commit 1bb7ff4204b6d4927e982cd256286c09ed4fd8ca
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-22036
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
fs/exfat/inode.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/49b0a6ab8e528a0c1c50e37cef9b9c7c121365f2
https://git.kernel.org/stable/c/f7447286363dc1e410bf30b87d75168f3519f9cc
https://git.kernel.org/stable/c/f807a6bf2005740fa26b4f59c4a003dc966b9afd
https://git.kernel.org/stable/c/1bb7ff4204b6d4927e982cd256286c09ed4fd8ca
Powered by blists - more mailing lists