| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025070429-CVE-2025-38231-c61c@gregkh> Date: Fri, 4 Jul 2025 15:38:00 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38231: nfsd: Initialize ssc before laundromat_work to prevent NULL dereference From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: nfsd: Initialize ssc before laundromat_work to prevent NULL dereference In nfs4_state_start_net(), laundromat_work may access nfsd_ssc through nfs4_laundromat -> nfsd4_ssc_expire_umount. If nfsd_ssc isn't initialized, this can cause NULL pointer dereference. Normally the delayed start of laundromat_work allows sufficient time for nfsd_ssc initialization to complete. However, when the kernel waits too long for userspace responses (e.g. in nfs4_state_start_net -> nfsd4_end_grace -> nfsd4_record_grace_done -> nfsd4_cld_grace_done -> cld_pipe_upcall -> __cld_pipe_upcall -> wait_for_completion path), the delayed work may start before nfsd_ssc initialization finishes. Fix this by moving nfsd_ssc initialization before starting laundromat_work. The Linux kernel CVE team has assigned CVE-2025-38231 to this issue. Affected and fixed versions =========================== Issue introduced in 5.10.220 with commit a4bc287943f5695209ff36bdc89f17b48d68fae7 and fixed in 5.10.239 with commit deaeb74ae9318252829c59a84a7d2316fc335660 Issue introduced in 5.14 with commit f4e44b393389c77958f7c58bf4415032b4cda15b and fixed in 5.15.186 with commit 0fccf5f01ed28725cc313a66ca1247eef911d55e Issue introduced in 5.14 with commit f4e44b393389c77958f7c58bf4415032b4cda15b and fixed in 6.1.142 with commit a97668ec6d73dab237cd1c15efe012a10090a4ed Issue introduced in 5.14 with commit f4e44b393389c77958f7c58bf4415032b4cda15b and fixed in 6.6.95 with commit 5060e1a5fef184bd11d298e3f0ee920d96a23236 Issue introduced in 5.14 with commit f4e44b393389c77958f7c58bf4415032b4cda15b and fixed in 6.12.35 with commit d622c2ee6c08147ab8c9b9e37d93b6e95d3258e0 Issue introduced in 5.14 with commit f4e44b393389c77958f7c58bf4415032b4cda15b and fixed in 6.15.4 with commit 83ac1ba8ca102ab5c0ed4351f8ac6e74ac4d5d64 Issue introduced in 5.14 with commit f4e44b393389c77958f7c58bf4415032b4cda15b and fixed in 6.16-rc1 with commit b31da62889e6d610114d81dc7a6edbcaa503fcf8 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38231 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/nfsd/nfssvc.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/deaeb74ae9318252829c59a84a7d2316fc335660 https://git.kernel.org/stable/c/0fccf5f01ed28725cc313a66ca1247eef911d55e https://git.kernel.org/stable/c/a97668ec6d73dab237cd1c15efe012a10090a4ed https://git.kernel.org/stable/c/5060e1a5fef184bd11d298e3f0ee920d96a23236 https://git.kernel.org/stable/c/d622c2ee6c08147ab8c9b9e37d93b6e95d3258e0 https://git.kernel.org/stable/c/83ac1ba8ca102ab5c0ed4351f8ac6e74ac4d5d64 https://git.kernel.org/stable/c/b31da62889e6d610114d81dc7a6edbcaa503fcf8
Powered by blists - more mailing lists