| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025072229-CVE-2025-38352-f1de@gregkh> Date: Tue, 22 Jul 2025 10:04:30 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38352: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand(). If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail. Add the tsk->exit_state check into run_posix_cpu_timers() to fix this. This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case. The Linux kernel CVE team has assigned CVE-2025-38352 to this issue. Affected and fixed versions =========================== Issue introduced in 2.6.36 with commit 0bdd2ed4138ec04e09b4f8165981efc99e439f55 and fixed in 5.4.295 with commit 78a4b8e3795b31dae58762bc091bb0f4f74a2200 Issue introduced in 2.6.36 with commit 0bdd2ed4138ec04e09b4f8165981efc99e439f55 and fixed in 5.10.239 with commit c076635b3a42771ace7d276de8dc3bc76ee2ba1b Issue introduced in 2.6.36 with commit 0bdd2ed4138ec04e09b4f8165981efc99e439f55 and fixed in 5.15.186 with commit 2f3daa04a9328220de46f0d5c919a6c0073a9f0b Issue introduced in 2.6.36 with commit 0bdd2ed4138ec04e09b4f8165981efc99e439f55 and fixed in 6.1.142 with commit 764a7a5dfda23f69919441f2eac2a83e7db6e5bb Issue introduced in 2.6.36 with commit 0bdd2ed4138ec04e09b4f8165981efc99e439f55 and fixed in 6.6.94 with commit 2c72fe18cc5f9f1750f5bc148cf1c94c29e106ff Issue introduced in 2.6.36 with commit 0bdd2ed4138ec04e09b4f8165981efc99e439f55 and fixed in 6.12.34 with commit c29d5318708e67ac13c1b6fc1007d179fb65b4d7 Issue introduced in 2.6.36 with commit 0bdd2ed4138ec04e09b4f8165981efc99e439f55 and fixed in 6.15.3 with commit 460188bc042a3f40f72d34b9f7fc6ee66b0b757b Issue introduced in 2.6.36 with commit 0bdd2ed4138ec04e09b4f8165981efc99e439f55 and fixed in 6.16-rc2 with commit f90fff1e152dedf52b932240ebbd670d83330eca Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38352 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: kernel/time/posix-cpu-timers.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/78a4b8e3795b31dae58762bc091bb0f4f74a2200 https://git.kernel.org/stable/c/c076635b3a42771ace7d276de8dc3bc76ee2ba1b https://git.kernel.org/stable/c/2f3daa04a9328220de46f0d5c919a6c0073a9f0b https://git.kernel.org/stable/c/764a7a5dfda23f69919441f2eac2a83e7db6e5bb https://git.kernel.org/stable/c/2c72fe18cc5f9f1750f5bc148cf1c94c29e106ff https://git.kernel.org/stable/c/c29d5318708e67ac13c1b6fc1007d179fb65b4d7 https://git.kernel.org/stable/c/460188bc042a3f40f72d34b9f7fc6ee66b0b757b https://git.kernel.org/stable/c/f90fff1e152dedf52b932240ebbd670d83330eca
Powered by blists - more mailing lists