| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025081627-CVE-2025-38544-a2ab@gregkh> Date: Sat, 16 Aug 2025 13:22:30 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38544: rxrpc: Fix bug due to prealloc collision From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix bug due to prealloc collision When userspace is using AF_RXRPC to provide a server, it has to preallocate incoming calls and assign to them call IDs that will be used to thread related recvmsg() and sendmsg() together. The preallocated call IDs will automatically be attached to calls as they come in until the pool is empty. To the kernel, the call IDs are just arbitrary numbers, but userspace can use the call ID to hold a pointer to prepared structs. In any case, the user isn't permitted to create two calls with the same call ID (call IDs become available again when the call ends) and EBADSLT should result from sendmsg() if an attempt is made to preallocate a call with an in-use call ID. However, the cleanup in the error handling will trigger both assertions in rxrpc_cleanup_call() because the call isn't marked complete and isn't marked as having been released. Fix this by setting the call state in rxrpc_service_prealloc_one() and then marking it as being released before calling the cleanup function. The Linux kernel CVE team has assigned CVE-2025-38544 to this issue. Affected and fixed versions =========================== Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 6.6.99 with commit 432c5363cd6fe5a928bbc94524d28b05515684dd Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 6.12.39 with commit 5385ad53793de2ab11e396bdcdaa65bb04b4dad6 Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 6.15.7 with commit d8ffb47a443919277cb093c3db1ec6c0a06880b1 Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 6.16 with commit 69e4186773c6445b258fb45b6e1df18df831ec45 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38544 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/rxrpc/call_accept.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/432c5363cd6fe5a928bbc94524d28b05515684dd https://git.kernel.org/stable/c/5385ad53793de2ab11e396bdcdaa65bb04b4dad6 https://git.kernel.org/stable/c/d8ffb47a443919277cb093c3db1ec6c0a06880b1 https://git.kernel.org/stable/c/69e4186773c6445b258fb45b6e1df18df831ec45
Powered by blists - more mailing lists