Message-ID: <2025052057-CVE-2025-37905-ed8c@gregkh>
Date: Tue, 20 May 2025 17:22:02 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-37905: firmware: arm_scmi: Balance device refcount when destroying devices

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

firmware: arm_scmi: Balance device refcount when destroying devices

Using device_find_child() to look up the proper SCMI device to destroy
causes an imbalance in device refcount, since device_find_child() calls an
implicit get_device(): this, in turn, inhibits the call of the provided
release methods upon device destruction.

As a consequence, one of the structures that is not freed properly upon
destruction is the internal struct device_private dev->p populated by the
drivers subsystem core.

KMemleak detects this situation since loading/unloading some SCMI driver
causes related devices to be created/destroyed without calling any
device_release method.

unreferenced object 0xffff00000f583800 (size 512):
  comm "insmod", pid 227, jiffies 4294912190
  hex dump (first 32 bytes):
    00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
    ff ff ff ff ff ff ff ff 60 36 1d 8a 00 80 ff ff  ........`6......
  backtrace (crc 114e2eed):
    kmemleak_alloc+0xbc/0xd8
    __kmalloc_cache_noprof+0x2dc/0x398
    device_add+0x954/0x12d0
    device_register+0x28/0x40
    __scmi_device_create.part.0+0x1bc/0x380
    scmi_device_create+0x2d0/0x390
    scmi_create_protocol_devices+0x74/0xf8
    scmi_device_request_notifier+0x1f8/0x2a8
    notifier_call_chain+0x110/0x3b0
    blocking_notifier_call_chain+0x70/0xb0
    scmi_driver_register+0x350/0x7f0
    0xffff80000a3b3038
    do_one_initcall+0x12c/0x730
    do_init_module+0x1dc/0x640
    load_module+0x4b20/0x5b70
    init_module_from_file+0xec/0x158

$ ./scripts/faddr2line ./vmlinux device_add+0x954/0x12d0
device_add+0x954/0x12d0:
kmalloc_noprof at include/linux/slab.h:901
(inlined by) kzalloc_noprof at include/linux/slab.h:1037
(inlined by) device_private_init at drivers/base/core.c:3510
(inlined by) device_add at drivers/base/core.c:3561

Balance device refcount by issuing a put_device() on devices found via
device_find_child().

The Linux kernel CVE team has assigned CVE-2025-37905 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.13 with commit d4f9dddd21f39395c62ea12d3d91239637d4805f and fixed in 5.15.182 with commit 91ff1e9652fb9beb0174267d6bb38243dff211bb
	Issue introduced in 5.13 with commit d4f9dddd21f39395c62ea12d3d91239637d4805f and fixed in 6.1.138 with commit ff4273d47da81b95ed9396110bcbd1b7b7470fe8
	Issue introduced in 5.13 with commit d4f9dddd21f39395c62ea12d3d91239637d4805f and fixed in 6.6.90 with commit 2fbf6c9695ad9f05e7e5c166bf43fac7cb3276b3
	Issue introduced in 5.13 with commit d4f9dddd21f39395c62ea12d3d91239637d4805f and fixed in 6.12.28 with commit 969d8beaa2e374387bf9aa5602ef84fc50bb48d8
	Issue introduced in 5.13 with commit d4f9dddd21f39395c62ea12d3d91239637d4805f and fixed in 6.14.6 with commit 8a8a3547d5c4960da053df49c75bf623827a25da
	Issue introduced in 5.13 with commit d4f9dddd21f39395c62ea12d3d91239637d4805f and fixed in 6.15-rc6 with commit 9ca67840c0ddf3f39407339624cef824a4f27599

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37905
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/firmware/arm_scmi/bus.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/91ff1e9652fb9beb0174267d6bb38243dff211bb
	https://git.kernel.org/stable/c/ff4273d47da81b95ed9396110bcbd1b7b7470fe8
	https://git.kernel.org/stable/c/2fbf6c9695ad9f05e7e5c166bf43fac7cb3276b3
	https://git.kernel.org/stable/c/969d8beaa2e374387bf9aa5602ef84fc50bb48d8
	https://git.kernel.org/stable/c/8a8a3547d5c4960da053df49c75bf623827a25da
	https://git.kernel.org/stable/c/9ca67840c0ddf3f39407339624cef824a4f27599
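
Added example (not part of the original announcement and not the kernel's
code): a userspace C model of the refcount imbalance described above. A
lookup that takes an implicit reference, as device_find_child() does, keeps
the release callback from running unless the caller drops that reference.
All toy_* names and destroy_by_name() are hypothetical, and the ordering of
calls inside the real driver is not modelled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model of a refcounted device; every name here is hypothetical. */
struct toy_device { char name[16]; int refcount; };

static int released;                    /* release callbacks that actually ran */

static struct toy_device *toy_get(struct toy_device *d) { d->refcount++; return d; }

static void toy_put(struct toy_device *d)
{
    if (--d->refcount == 0) {           /* last reference gone: release runs */
        released++;
        free(d);
    }
}

static struct toy_device *toy_register(const char *name)
{
    struct toy_device *d = calloc(1, sizeof(*d));
    if (!d)
        return NULL;
    snprintf(d->name, sizeof(d->name), "%s", name);
    d->refcount = 1;                    /* reference held by the bus */
    return d;
}

/* Models device_find_child(): the match comes back with an extra reference. */
static struct toy_device *toy_find_child(struct toy_device **bus, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (bus[i] && strcmp(bus[i]->name, name) == 0)
            return toy_get(bus[i]);
    return NULL;
}

/* balanced=0 models the bug, balanced=1 the fix; returns release callbacks run. */
static int destroy_by_name(const char *name, int balanced)
{
    struct toy_device *bus[1] = { toy_register(name) };
    struct toy_device *d = toy_find_child(bus, 1, name);
    released = 0;
    if (!d)
        return -1;
    toy_put(d);                         /* unregister drops the bus reference */
    if (balanced)
        toy_put(d);                     /* drop the reference the lookup took */
    return released;                    /* 0 means the object was leaked */
}
```

In the unbalanced case the object is never freed, which is the condition
kmemleak reports in the trace above.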
