| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025061830-CVE-2025-38048-4dc4@gregkh> Date: Wed, 18 Jun 2025 11:33:44 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38048: virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN syzbot reports a data-race when accessing the event_triggered, here is the simplified stack when the issue occurred: ================================================================== BUG: KCSAN: data-race in virtqueue_disable_cb / virtqueue_enable_cb_delayed write to 0xffff8881025bc452 of 1 bytes by task 3288 on cpu 0: virtqueue_enable_cb_delayed+0x42/0x3c0 drivers/virtio/virtio_ring.c:2653 start_xmit+0x230/0x1310 drivers/net/virtio_net.c:3264 __netdev_start_xmit include/linux/netdevice.h:5151 [inline] netdev_start_xmit include/linux/netdevice.h:5160 [inline] xmit_one net/core/dev.c:3800 [inline] read to 0xffff8881025bc452 of 1 bytes by interrupt on cpu 1: virtqueue_disable_cb_split drivers/virtio/virtio_ring.c:880 [inline] virtqueue_disable_cb+0x92/0x180 drivers/virtio/virtio_ring.c:2566 skb_xmit_done+0x5f/0x140 drivers/net/virtio_net.c:777 vring_interrupt+0x161/0x190 drivers/virtio/virtio_ring.c:2715 __handle_irq_event_percpu+0x95/0x490 kernel/irq/handle.c:158 handle_irq_event_percpu kernel/irq/handle.c:193 [inline] value changed: 0x01 -> 0x00 ================================================================== When the data race occurs, the function virtqueue_enable_cb_delayed() sets event_triggered to false, and virtqueue_disable_cb_split/packed() reads it as false due to the race condition. Since event_triggered is an unreliable hint used for optimization, this should only cause the driver temporarily suggest that the device not send an interrupt notification when the event index is used. Fix this KCSAN reported data-race issue by explicitly tagging the access as data_racy. The Linux kernel CVE team has assigned CVE-2025-38048 to this issue. Affected and fixed versions =========================== Fixed in 5.15.185 with commit 02d2d6caee3abc9335cfca35f8eb4492173ae6f2 Fixed in 6.1.141 with commit b6d6419548286b2b9d2b90df824d3cab797f6ae8 Fixed in 6.6.93 with commit b49b5132e4c7307599492aee1cdc6d89f7f2a7da Fixed in 6.12.31 with commit b730cb109633c455ce8a7cd6934986c6a16d88d8 Fixed in 6.14.9 with commit 4ed8f0e808b3fcc71c5b8be7902d8738ed595b17 Fixed in 6.15 with commit 2e2f925fe737576df2373931c95e1a2b66efdfef Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38048 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/virtio/virtio_ring.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/02d2d6caee3abc9335cfca35f8eb4492173ae6f2 https://git.kernel.org/stable/c/b6d6419548286b2b9d2b90df824d3cab797f6ae8 https://git.kernel.org/stable/c/b49b5132e4c7307599492aee1cdc6d89f7f2a7da https://git.kernel.org/stable/c/b730cb109633c455ce8a7cd6934986c6a16d88d8 https://git.kernel.org/stable/c/4ed8f0e808b3fcc71c5b8be7902d8738ed595b17 https://git.kernel.org/stable/c/2e2f925fe737576df2373931c95e1a2b66efdfef
Powered by blists - more mailing lists