lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2025082232-CVE-2025-38632-70e1@gregkh>
Date: Fri, 22 Aug 2025 18:00:41 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38632: pinmux: fix race causing mux_owner NULL with active mux_usecount

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

pinmux: fix race causing mux_owner NULL with active mux_usecount

commit 5a3e85c3c397 ("pinmux: Use sequential access to access
desc->pinmux data") tried to address the issue when two client of the
same gpio calls pinctrl_select_state() for the same functionality, was
resulting in NULL pointer issue while accessing desc->mux_owner.
However, issue was not completely fixed due to the way it was handled
and it can still result in the same NULL pointer.

The issue occurs due to the following interleaving:

     cpu0 (process A)                   cpu1 (process B)

      pin_request() {                   pin_free() {

                                         mutex_lock()
                                         desc->mux_usecount--; //becomes 0
                                         ..
                                         mutex_unlock()

  mutex_lock(desc->mux)
  desc->mux_usecount++; // becomes 1
  desc->mux_owner = owner;
  mutex_unlock(desc->mux)

                                         mutex_lock(desc->mux)
                                         desc->mux_owner = NULL;
                                         mutex_unlock(desc->mux)

This sequence leads to a state where the pin appears to be in use
(`mux_usecount == 1`) but has no owner (`mux_owner == NULL`), which can
cause NULL pointer on next pin_request on the same pin.

Ensure that updates to mux_usecount and mux_owner are performed
atomically under the same lock. Only clear mux_owner when mux_usecount
reaches zero and no new owner has been assigned.

The Linux kernel CVE team has assigned CVE-2025-38632 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 6.6.66 with commit 2da32aed4a97ca1d70fb8b77926f72f30ce5fb4b and fixed in 6.6.102 with commit 9b2a3e7189028aa7c4d53a84364f2ea9fb209787
	Issue introduced in 6.12.5 with commit c11e2ec9a780f54982a187ee10ffd1b810715c85 and fixed in 6.12.42 with commit 9ea3f6b9a67be3476e331ce51cac316c2614a564
	Issue introduced in 6.13 with commit 5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e and fixed in 6.15.10 with commit b7bd6e3971eb7f0e34d2fdce1b18b08094e0c804
	Issue introduced in 6.13 with commit 5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e and fixed in 6.16.1 with commit 22b585cbd67d14df3b91529d1b990661c300faa9
	Issue introduced in 6.13 with commit 5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e and fixed in 6.17-rc1 with commit 0b075c011032f88d1cfde3b45d6dcf08b44140eb

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-38632
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/pinctrl/pinmux.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/9b2a3e7189028aa7c4d53a84364f2ea9fb209787
	https://git.kernel.org/stable/c/9ea3f6b9a67be3476e331ce51cac316c2614a564
	https://git.kernel.org/stable/c/b7bd6e3971eb7f0e34d2fdce1b18b08094e0c804
	https://git.kernel.org/stable/c/22b585cbd67d14df3b91529d1b990661c300faa9
	https://git.kernel.org/stable/c/0b075c011032f88d1cfde3b45d6dcf08b44140eb

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ