| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025061834-CVE-2025-38058-fe06@gregkh> Date: Wed, 18 Jun 2025 11:33:53 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38058: __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock ... or we risk stealing final mntput from sync umount - raising mnt_count after umount(2) has verified that victim is not busy, but before it has set MNT_SYNC_UMOUNT; in that case __legitimize_mnt() doesn't see that it's safe to quietly undo mnt_count increment and leaves dropping the reference to caller, where it'll be a full-blown mntput(). Check under mount_lock is needed; leaving the current one done before taking that makes no sense - it's nowhere near common enough to bother with. The Linux kernel CVE team has assigned CVE-2025-38058 to this issue. Affected and fixed versions =========================== Fixed in 5.4.294 with commit 628fb00195ce21a90cf9e4e3d105cd9e58f77b40 Fixed in 5.10.238 with commit b89eb56a378b7b2c1176787fc228d0a57172bdd5 Fixed in 5.15.185 with commit f6d45fd92f62845cbd1eb5128fd8f0ed7d0c5a42 Fixed in 6.1.141 with commit 9b0915e72b3cf52474dcee0b24a2f99d93e604a3 Fixed in 6.6.93 with commit d8ece4ced3b051e656c77180df2e69e19e24edc1 Fixed in 6.12.31 with commit 8cafd7266fa02e0863bacbf872fe635c0b9725eb Fixed in 6.14.9 with commit b55996939c71a3e1a38f3cdc6a8859797efc9083 Fixed in 6.15 with commit 250cf3693060a5f803c5f1ddc082bb06b16112a9 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38058 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/namespace.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/628fb00195ce21a90cf9e4e3d105cd9e58f77b40 https://git.kernel.org/stable/c/b89eb56a378b7b2c1176787fc228d0a57172bdd5 https://git.kernel.org/stable/c/f6d45fd92f62845cbd1eb5128fd8f0ed7d0c5a42 https://git.kernel.org/stable/c/9b0915e72b3cf52474dcee0b24a2f99d93e604a3 https://git.kernel.org/stable/c/d8ece4ced3b051e656c77180df2e69e19e24edc1 https://git.kernel.org/stable/c/8cafd7266fa02e0863bacbf872fe635c0b9725eb https://git.kernel.org/stable/c/b55996939c71a3e1a38f3cdc6a8859797efc9083 https://git.kernel.org/stable/c/250cf3693060a5f803c5f1ddc082bb06b16112a9
Powered by blists - more mailing lists