lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2025061837-CVE-2025-38066-b3f6@gregkh>
Date: Wed, 18 Jun 2025 11:34:01 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38066: dm cache: prevent BUG_ON by blocking retries on failed device resumes

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

dm cache: prevent BUG_ON by blocking retries on failed device resumes

A cache device failing to resume due to mapping errors should not be
retried, as the failure leaves a partially initialized policy object.
Repeating the resume operation risks triggering BUG_ON when reloading
cache mappings into the incomplete policy object.

Reproduce steps:

1. create a cache metadata consisting of 512 or more cache blocks,
   with some mappings stored in the first array block of the mapping
   array. Here we use cache_restore v1.0 to build the metadata.

cat <<EOF >> cmeta.xml
<superblock uuid="" block_size="128" nr_cache_blocks="512" \
policy="smq" hint_width="4">
  <mappings>
    <mapping cache_block="0" origin_block="0" dirty="false"/>
  </mappings>
</superblock>
EOF
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
cache_restore -i cmeta.xml -o /dev/mapper/cmeta --metadata-version=2
dmsetup remove cmeta

2. wipe the second array block of the mapping array to simulate
   data degradations.

mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \
2>/dev/null | hexdump -e '1/8 "%u\n"')
ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \
2>/dev/null | hexdump -e '1/8 "%u\n"')
dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock

3. try bringing up the cache device. The resume is expected to fail
   due to the broken array block.

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
dmsetup create cache --notable
dmsetup load cache --table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
dmsetup resume cache

4. try resuming the cache again. An unexpected BUG_ON is triggered
   while loading cache mappings.

dmsetup resume cache

Kernel logs:

(snip)
------------[ cut here ]------------
kernel BUG at drivers/md/dm-cache-policy-smq.c:752!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 332 Comm: dmsetup Not tainted 6.13.4 #3
RIP: 0010:smq_load_mapping+0x3e5/0x570

Fix by disallowing resume operations for devices that failed the
initial attempt.

The Linux kernel CVE team has assigned CVE-2025-38066 to this issue.


Affected and fixed versions
===========================

	Fixed in 5.4.294 with commit c614584c2a66b538f469089ac089457a34590c14
	Fixed in 5.10.238 with commit c5356a5e80442131e2714d0d26bb110590e4e568
	Fixed in 5.15.185 with commit 025c8f477625eb39006ded650e7d027bcfb20e79
	Fixed in 6.1.141 with commit 00586b78eeb7c626a14ca13453a1631f88a7cf36
	Fixed in 6.6.93 with commit 3986ef4a9b6a0d9c28bc325d8713beba5e67586f
	Fixed in 6.12.31 with commit cc80a5cc520939d0a7d071cc4ae4b3c55ef171d0
	Fixed in 6.14.9 with commit f3128e3074e8af565cc6a66fe3384a56df87f803
	Fixed in 6.15 with commit 5da692e2262b8f81993baa9592f57d12c2703dea

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-38066
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/md/dm-cache-target.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/c614584c2a66b538f469089ac089457a34590c14
	https://git.kernel.org/stable/c/c5356a5e80442131e2714d0d26bb110590e4e568
	https://git.kernel.org/stable/c/025c8f477625eb39006ded650e7d027bcfb20e79
	https://git.kernel.org/stable/c/00586b78eeb7c626a14ca13453a1631f88a7cf36
	https://git.kernel.org/stable/c/3986ef4a9b6a0d9c28bc325d8713beba5e67586f
	https://git.kernel.org/stable/c/cc80a5cc520939d0a7d071cc4ae4b3c55ef171d0
	https://git.kernel.org/stable/c/f3128e3074e8af565cc6a66fe3384a56df87f803
	https://git.kernel.org/stable/c/5da692e2262b8f81993baa9592f57d12c2703dea

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ