Message-ID: <2025041819-CVE-2025-39688-80f1@gregkh>
Date: Fri, 18 Apr 2025 09:02:25 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-39688: nfsd: allow SC_STATUS_FREEABLE when searching via nfs4_lookup_stateid()
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:

nfsd: allow SC_STATUS_FREEABLE when searching via nfs4_lookup_stateid()

The pynfs DELEG8 test fails when run against nfsd. It acquires a
delegation and then lets the lease time out. It then tries to use the
deleg stateid and expects to see NFS4ERR_DELEG_REVOKED, but it gets
NFS4ERR_BAD_STATEID instead.

When a delegation is revoked, it's initially marked with
SC_STATUS_REVOKED or SC_STATUS_ADMIN_REVOKED, and later it's marked
with the SC_STATUS_FREEABLE flag, which denotes that it is waiting for
a FREE_STATEID call.

nfs4_lookup_stateid() accepts a statusmask that includes the status
flags that a found stateid is allowed to have. Currently, that mask
never includes SC_STATUS_FREEABLE, which means that revoked delegations
are (almost) never found.

Add SC_STATUS_FREEABLE to the always-allowed status flags, and remove it
from nfsd4_delegreturn() since it's now always implied.

The Linux kernel CVE team has assigned CVE-2025-39688 to this issue.
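The status-mask check that the description above turns on, as an added, simplified C model written for this page (it is not the kernel's fs/nfsd/nfs4state.c code). The flag names are the advisory's; the bit values, the error enumeration, the base always-allowed set (SC_STATUS_REVOKED only) and the function names lookup_stateid, use_deleg_stateid and deleg8_after_lease_timeout are assumptions of the model. It shows why a delegation that has reached SC_STATUS_FREEABLE is reported as NFS4ERR_BAD_STATEID before the fix and NFS4ERR_DELEG_REVOKED after it, while one that is revoked but not yet FREEABLE is found either way.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Model of the stateid status-mask check. Flag names follow the
 * advisory; the bit values and the error constants are assumptions of
 * this model, not the kernel's definitions.
 */
enum {
	SC_STATUS_CLOSED        = 1 << 0,
	SC_STATUS_REVOKED       = 1 << 1,
	SC_STATUS_ADMIN_REVOKED = 1 << 2,
	SC_STATUS_FREEABLE      = 1 << 3,
};

enum nfs4_result {
	NFS4_OK = 0,
	NFS4ERR_BAD_STATEID,
	NFS4ERR_DELEG_REVOKED,
};

struct nfs4_stid {
	unsigned short sc_status;	/* combination of SC_STATUS_* bits */
};

/*
 * A stateid is found only if every status bit it carries is permitted
 * by statusmask; any bit outside the mask hides it from the caller.
 */
static const struct nfs4_stid *lookup_stateid(const struct nfs4_stid *s,
					      unsigned short statusmask)
{
	if ((s->sc_status & ~statusmask) == 0)
		return s;
	return NULL;
}

/*
 * Use a delegation stateid. `fixed` selects the post-fix behaviour, in
 * which SC_STATUS_FREEABLE is part of the always-allowed status flags.
 * The base always-allowed set (SC_STATUS_REVOKED) is an assumption.
 */
enum nfs4_result use_deleg_stateid(const struct nfs4_stid *stid, bool fixed)
{
	/* revoked stateids stay searchable so the specific error can be returned */
	unsigned short statusmask = SC_STATUS_REVOKED;

	if (fixed)
		statusmask |= SC_STATUS_FREEABLE;

	const struct nfs4_stid *s = lookup_stateid(stid, statusmask);

	if (!s)
		return NFS4ERR_BAD_STATEID;	/* not found: generic error */
	if (s->sc_status & SC_STATUS_REVOKED)
		return NFS4ERR_DELEG_REVOKED;	/* found and revoked: specific error */
	return NFS4_OK;
}

/*
 * The DELEG8 scenario: the lease times out, the delegation is revoked,
 * and it is then flagged FREEABLE while it waits for FREE_STATEID.
 */
enum nfs4_result deleg8_after_lease_timeout(bool fixed)
{
	struct nfs4_stid deleg = { .sc_status = 0 };

	deleg.sc_status |= SC_STATUS_REVOKED;	/* lease expired */
	deleg.sc_status |= SC_STATUS_FREEABLE;	/* awaiting FREE_STATEID */
	return use_deleg_stateid(&deleg, fixed);
}

/* Revoked but not yet FREEABLE: the short window in which it is found either way. */
enum nfs4_result deleg_revoked_not_yet_freeable(bool fixed)
{
	struct nfs4_stid deleg = { .sc_status = SC_STATUS_REVOKED };

	return use_deleg_stateid(&deleg, fixed);
}

static const char *result_name(enum nfs4_result r)
{
	switch (r) {
	case NFS4_OK:               return "NFS4_OK";
	case NFS4ERR_BAD_STATEID:   return "NFS4ERR_BAD_STATEID";
	case NFS4ERR_DELEG_REVOKED: return "NFS4ERR_DELEG_REVOKED";
	}
	return "?";
}

int main(void)
{
	printf("before fix: %s\n", result_name(deleg8_after_lease_timeout(false)));
	printf("after fix:  %s\n", result_name(deleg8_after_lease_timeout(true)));
	return 0;
}
```

The observable difference is only the error code the client receives, which is why the test suite, not a crash or a leak, exposed the bug: a client that gets NFS4ERR_BAD_STATEID cannot tell that it should recover from a revoked delegation rather than treat its state as corrupt.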
Affected and fixed versions
===========================
Issue introduced in 6.12 with commit 8dd91e8d31febf4d9cca3ae1bb4771d33ae7ee5a and fixed in 6.12.23 with commit 52e209203c35a4fbff8af23cd3613efe5df40102
Issue introduced in 6.12 with commit 8dd91e8d31febf4d9cca3ae1bb4771d33ae7ee5a and fixed in 6.13.11 with commit dc6f3295905d7185e71091870119a8c11c3808cc
Issue introduced in 6.12 with commit 8dd91e8d31febf4d9cca3ae1bb4771d33ae7ee5a and fixed in 6.14.2 with commit 5bcb44e650bc4ec7eac23df90c5e011a77fa2beb
Issue introduced in 6.12 with commit 8dd91e8d31febf4d9cca3ae1bb4771d33ae7ee5a and fixed in 6.15-rc1 with commit d1bc15b147d35b4cb7ca99a9a7d79d41ca342c13
Issue introduced in 6.11.6 with commit 967faa26f313a62e7bebc55d5b8122eaee43b929
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-39688
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
fs/nfsd/nfs4state.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/52e209203c35a4fbff8af23cd3613efe5df40102
https://git.kernel.org/stable/c/dc6f3295905d7185e71091870119a8c11c3808cc
https://git.kernel.org/stable/c/5bcb44e650bc4ec7eac23df90c5e011a77fa2beb
https://git.kernel.org/stable/c/d1bc15b147d35b4cb7ca99a9a7d79d41ca342c13