| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025090548-CVE-2025-39698-41e0@gregkh> Date: Fri, 5 Sep 2025 19:21:11 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-39698: io_uring/futex: ensure io_futex_wait() cleans up properly on failure From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: io_uring/futex: ensure io_futex_wait() cleans up properly on failure The io_futex_data is allocated upfront and assigned to the io_kiocb async_data field, but the request isn't marked with REQ_F_ASYNC_DATA at that point. Those two should always go together, as the flag tells io_uring whether the field is valid or not. Additionally, on failure cleanup, the futex handler frees the data but does not clear ->async_data. Clear the data and the flag in the error path as well. Thanks to Trend Micro Zero Day Initiative and particularly ReDress for reporting this. The Linux kernel CVE team has assigned CVE-2025-39698 to this issue. Affected and fixed versions =========================== Issue introduced in 6.7 with commit 194bb58c6090e39bd7d9b9c888a079213628e1f6 and fixed in 6.12.44 with commit d9f93172820a53ab42c4b0e5e65291f4f9d00ad2 Issue introduced in 6.7 with commit 194bb58c6090e39bd7d9b9c888a079213628e1f6 and fixed in 6.16.4 with commit d34c04152df517c59979b4bf2a47f491e06d3256 Issue introduced in 6.7 with commit 194bb58c6090e39bd7d9b9c888a079213628e1f6 and fixed in 6.17-rc3 with commit 508c1314b342b78591f51c4b5dadee31a88335df Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-39698 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: io_uring/futex.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/d9f93172820a53ab42c4b0e5e65291f4f9d00ad2 https://git.kernel.org/stable/c/d34c04152df517c59979b4bf2a47f491e06d3256 https://git.kernel.org/stable/c/508c1314b342b78591f51c4b5dadee31a88335df
Powered by blists - more mailing lists