| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025070935-CVE-2025-38255-57aa@gregkh> Date: Wed, 9 Jul 2025 12:42:47 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38255: lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() While testing null_blk with configfs, echo 0 > poll_queues will trigger following panic: BUG: kernel NULL pointer dereference, address: 0000000000000010 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 27 UID: 0 PID: 920 Comm: bash Not tainted 6.15.0-02023-gadbdb95c8696-dirty #1238 PREEMPT(undef) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:__bitmap_or+0x48/0x70 Call Trace: <TASK> __group_cpus_evenly+0x822/0x8c0 group_cpus_evenly+0x2d9/0x490 blk_mq_map_queues+0x1e/0x110 null_map_queues+0xc9/0x170 [null_blk] blk_mq_update_queue_map+0xdb/0x160 blk_mq_update_nr_hw_queues+0x22b/0x560 nullb_update_nr_hw_queues+0x71/0xf0 [null_blk] nullb_device_poll_queues_store+0xa4/0x130 [null_blk] configfs_write_iter+0x109/0x1d0 vfs_write+0x26e/0x6f0 ksys_write+0x79/0x180 __x64_sys_write+0x1d/0x30 x64_sys_call+0x45c4/0x45f0 do_syscall_64+0xa5/0x240 entry_SYSCALL_64_after_hwframe+0x76/0x7e Root cause is that numgrps is set to 0, and ZERO_SIZE_PTR is returned from kcalloc(), and later ZERO_SIZE_PTR will be deferenced. Fix the problem by checking numgrps first in group_cpus_evenly(), and return NULL directly if numgrps is zero. [yukuai3@...wei.com: also fix the non-SMP version] The Linux kernel CVE team has assigned CVE-2025-38255 to this issue. Affected and fixed versions =========================== Issue introduced in 6.3 with commit 6a6dcae8f486c3f3298d0767d34505121c7b0b81 and fixed in 6.6.96 with commit 64a99eff8dcf1f951a544e6058341b2b19a8fdbd Issue introduced in 6.3 with commit 6a6dcae8f486c3f3298d0767d34505121c7b0b81 and fixed in 6.12.36 with commit 29d39e0d5f16c060e32542b2cf351c09fd22b250 Issue introduced in 6.3 with commit 6a6dcae8f486c3f3298d0767d34505121c7b0b81 and fixed in 6.15.5 with commit 911ef2e8a7de5b2bae8ff11fb0bd01f699e6db65 Issue introduced in 6.3 with commit 6a6dcae8f486c3f3298d0767d34505121c7b0b81 and fixed in 6.16-rc4 with commit df831e97739405ecbaddb85516bc7d4d1c933d6b Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38255 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: lib/group_cpus.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/64a99eff8dcf1f951a544e6058341b2b19a8fdbd https://git.kernel.org/stable/c/29d39e0d5f16c060e32542b2cf351c09fd22b250 https://git.kernel.org/stable/c/911ef2e8a7de5b2bae8ff11fb0bd01f699e6db65 https://git.kernel.org/stable/c/df831e97739405ecbaddb85516bc7d4d1c933d6b
Powered by blists - more mailing lists