| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025071008-CVE-2025-38273-6850@gregkh>
Date: Thu, 10 Jul 2025 09:42:14 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38273: net: tipc: fix refcount warning in tipc_aead_encrypt
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
net: tipc: fix refcount warning in tipc_aead_encrypt
syzbot reported a refcount warning [1] caused by calling get_net() on
a network namespace that is being destroyed (refcount=0). This happens
when a TIPC discovery timer fires during network namespace cleanup.
The recently added get_net() call in commit e279024617134 ("net/tipc:
fix slab-use-after-free Read in tipc_aead_encrypt_done") attempts to
hold a reference to the network namespace. However, if the namespace
is already being destroyed, its refcount might be zero, leading to the
use-after-free warning.
Replace get_net() with maybe_get_net(), which safely checks if the
refcount is non-zero before incrementing it. If the namespace is being
destroyed, return -ENODEV early, after releasing the bearer reference.
[1]: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2
The Linux kernel CVE team has assigned CVE-2025-38273 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.10.238 with commit d42ed4de6aba232d946d20653a70f79158a6535b and fixed in 5.10.239 with commit 445d59025d76d0638b03110f8791d5b89ed5162d
Issue introduced in 5.15.185 with commit f5c2c4eaaa5a8e7e0685ec031d480e588e263e59 and fixed in 5.15.186 with commit e0b11227c4e8eb4bdf1b86aa8f0f3abb24e0f029
Issue introduced in 6.1.141 with commit b8fcae6d2e93c54cacb8f579a77d827c1c643eb5 and fixed in 6.1.142 with commit 307391e8fe70401a6d39ecc9978e13c2c0cdf81f
Issue introduced in 6.6.93 with commit b19fc1d0be3c3397e5968fe2627f22e7f84673b1 and fixed in 6.6.94 with commit acab7ca5ff19889b80a8ee7dec220ee1a96dede9
Issue introduced in 6.12.31 with commit 689a205cd968a1572ab561b0c4c2d50a10e9d3b0 and fixed in 6.12.34 with commit c762fc79d710d676b793f9d98b1414efe6eb51e6
Issue introduced in 6.15 with commit e279024617134c94fd3e37470156534d5f2b3472 and fixed in 6.15.3 with commit 9ff60e0d9974dccf24e89bcd3ee7933e538d929f
Issue introduced in 6.15 with commit e279024617134c94fd3e37470156534d5f2b3472 and fixed in 6.16-rc1 with commit f29ccaa07cf3d35990f4d25028cc55470d29372b
Issue introduced in 6.14.9 with commit 4a0fddc2c0d5c28aec8c262ad4603be0bef1938c
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-38273
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/tipc/crypto.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/445d59025d76d0638b03110f8791d5b89ed5162d
https://git.kernel.org/stable/c/e0b11227c4e8eb4bdf1b86aa8f0f3abb24e0f029
https://git.kernel.org/stable/c/307391e8fe70401a6d39ecc9978e13c2c0cdf81f
https://git.kernel.org/stable/c/acab7ca5ff19889b80a8ee7dec220ee1a96dede9
https://git.kernel.org/stable/c/c762fc79d710d676b793f9d98b1414efe6eb51e6
https://git.kernel.org/stable/c/9ff60e0d9974dccf24e89bcd3ee7933e538d929f
https://git.kernel.org/stable/c/f29ccaa07cf3d35990f4d25028cc55470d29372b
Powered by blists - more mailing lists