| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025090401-CVE-2025-38724-5309@gregkh> Date: Thu, 4 Sep 2025 17:33:29 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-38724: nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() Lei Lu recently reported that nfsd4_setclientid_confirm() did not check the return value from get_client_locked(). a SETCLIENTID_CONFIRM could race with a confirmed client expiring and fail to get a reference. That could later lead to a UAF. Fix this by getting a reference early in the case where there is an extant confirmed client. If that fails then treat it as if there were no confirmed client found at all. In the case where the unconfirmed client is expiring, just fail and return the result from get_client_locked(). The Linux kernel CVE team has assigned CVE-2025-38724 to this issue. Affected and fixed versions =========================== Issue introduced in 3.17 with commit d20c11d86d8f821a64eac7d6c8f296f06d935f4f and fixed in 5.4.297 with commit 3f252a73e81aa01660cb426735eab932e6182e8d Issue introduced in 3.17 with commit d20c11d86d8f821a64eac7d6c8f296f06d935f4f and fixed in 5.10.241 with commit d35ac850410966010e92f401f4e21868a9ea4d8b Issue introduced in 3.17 with commit d20c11d86d8f821a64eac7d6c8f296f06d935f4f and fixed in 5.15.190 with commit f3aac6cf390d8b80e1d82975faf4ac61175519c0 Issue introduced in 3.17 with commit d20c11d86d8f821a64eac7d6c8f296f06d935f4f and fixed in 6.1.149 with commit 22f45cedf281e6171817c8a3432c44d788c550e1 Issue introduced in 3.17 with commit d20c11d86d8f821a64eac7d6c8f296f06d935f4f and fixed in 6.6.103 with commit d71abd1ae4e0413707cd42b10c24a11d1aa71772 Issue introduced in 3.17 with commit d20c11d86d8f821a64eac7d6c8f296f06d935f4f and fixed in 6.12.43 with commit 74ad36ed60df561a303a19ecef400c7096b20306 Issue introduced in 3.17 with commit d20c11d86d8f821a64eac7d6c8f296f06d935f4f and fixed in 6.15.11 with commit 36e83eda90e0e4ac52f259f775b40b2841f8a0a3 Issue introduced in 3.17 with commit d20c11d86d8f821a64eac7d6c8f296f06d935f4f and fixed in 6.16.2 with commit 571a5e46c71490285d2d8c06f6b5a7cbf6c7edd1 Issue introduced in 3.17 with commit d20c11d86d8f821a64eac7d6c8f296f06d935f4f and fixed in 6.17-rc1 with commit 908e4ead7f757504d8b345452730636e298cbf68 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-38724 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/nfsd/nfs4state.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/3f252a73e81aa01660cb426735eab932e6182e8d https://git.kernel.org/stable/c/d35ac850410966010e92f401f4e21868a9ea4d8b https://git.kernel.org/stable/c/f3aac6cf390d8b80e1d82975faf4ac61175519c0 https://git.kernel.org/stable/c/22f45cedf281e6171817c8a3432c44d788c550e1 https://git.kernel.org/stable/c/d71abd1ae4e0413707cd42b10c24a11d1aa71772 https://git.kernel.org/stable/c/74ad36ed60df561a303a19ecef400c7096b20306 https://git.kernel.org/stable/c/36e83eda90e0e4ac52f259f775b40b2841f8a0a3 https://git.kernel.org/stable/c/571a5e46c71490285d2d8c06f6b5a7cbf6c7edd1 https://git.kernel.org/stable/c/908e4ead7f757504d8b345452730636e298cbf68
Powered by blists - more mailing lists