lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <2025100419-CVE-2025-39945-84d4@gregkh>
Date: Sat,  4 Oct 2025 09:33:29 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-39945: cnic: Fix use-after-free bugs in cnic_delete_task

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

cnic: Fix use-after-free bugs in cnic_delete_task

The original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(),
which does not guarantee that the delayed work item 'delete_task' has
fully completed if it was already running. Additionally, since the delayed
work item is cyclic, the flush_workqueue() in cnic_cm_stop_bnx2x_hw() only
blocks and waits for work items that were already queued to the
workqueue prior to its invocation. Any work items submitted after
flush_workqueue() is called are not included in the set of tasks that the
flush operation awaits. This means that after the cyclic work items have
finished executing, a delayed work item may still exist in the workqueue.
This leads to use-after-free scenarios where the cnic_dev is deallocated
by cnic_free_dev(), while delete_task remains active and attempts to
dereference cnic_dev in cnic_delete_task().

A typical race condition is illustrated below:

CPU 0 (cleanup)              | CPU 1 (delayed work callback)
cnic_netdev_event()          |
  cnic_stop_hw()             | cnic_delete_task()
    cnic_cm_stop_bnx2x_hw()  | ...
      cancel_delayed_work()  | /* the queue_delayed_work()
      flush_workqueue()      |    executes after flush_workqueue()*/
                             | queue_delayed_work()
  cnic_free_dev(dev)//free   | cnic_delete_task() //new instance
                             |   dev = cp->dev; //use

Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the cyclic delayed work item is properly canceled and that any
ongoing execution of the work item completes before the cnic_dev is
deallocated. Furthermore, since cancel_delayed_work_sync() uses
__flush_work(work, true) to synchronously wait for any currently
executing instance of the work item to finish, the flush_workqueue()
becomes redundant and should be removed.

This bug was identified through static analysis. To reproduce the issue
and validate the fix, I simulated the cnic PCI device in QEMU and
introduced intentional delays — such as inserting calls to ssleep()
within the cnic_delete_task() function — to increase the likelihood
of triggering the bug.

The Linux kernel CVE team has assigned CVE-2025-39945 to this issue.
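
The race described above can be replayed in a deterministic userspace
model of the three workqueue operations involved. This is an added
example and is not code from the commit, from
drivers/net/ethernet/broadcom/cnic.c or from the kernel's workqueue
implementation: the struct, flags and functions below (all suffixed _m)
are constructed stand-ins, freeing is modelled by poisoning a magic value
so the use-after-free is observable instead of undefined behaviour, and
the split of cnic_delete_task() into a "use dev" half and a "re-arm" half
is an assumption made so that the "already running" state can be
expressed. The model encodes what the kernel guarantees:
cancel_delayed_work() only drops a pending instance, flush_workqueue()
waits for the instance that is running but not for a timer that instance
arms on its way out, and cancel_delayed_work_sync() refuses re-queueing
while it waits for the running instance, which is why the flush becomes
redundant.

```c
/* Added example: userspace model of the workqueue semantics behind the fix.
 * Not kernel code and not cnic.c; every _m name here is a constructed stand-in. */
#include <stdbool.h>
#include <stdio.h>
#define LIVE_MAGIC  0x636e6963u  /* valid while the device is allocated */
#define FREED_MAGIC 0x6b6b6b6bu  /* poison written by the model's free, like slab poisoning */

struct dev_m { unsigned int magic; };   /* stand-in for struct cnic_dev */

struct sim {
    struct dev_m *dev;  /* what "dev = cp->dev" resolves to */
    bool pending;       /* PENDING bit: timer armed or item on the worklist */
    bool running;       /* a worker is inside delete_task right now */
    bool canceling;     /* a cancel_delayed_work_sync() is in progress */
    int uaf;            /* delete_task runs that dereferenced a freed dev */
};

/* queue_delayed_work(): only one queuer can own the PENDING bit at a time. */
static bool queue_delayed_work_m(struct sim *s)
{
    if (s->pending) return false;   /* already armed, or held by a sync cancel */
    return s->pending = true;
}

/* First half of cnic_delete_task(): the worker takes the item and uses dev. */
static void delete_task_begin_m(struct sim *s)
{
    s->pending = false;
    s->running = true;
    if (s->dev->magic != LIVE_MAGIC)  /* "dev = cp->dev; //use" on freed memory */
        s->uaf++;
}

/* Second half: the cyclic re-arm, then the worker leaves the callback. */
static void delete_task_end_m(struct sim *s)
{
    queue_delayed_work_m(s);   /* result ignored, as self-rearming handlers usually do */
    s->running = false;
}

/* Timer expiry: run a pending item whole, unless a sync cancel already owns it. */
static void timer_fire_m(struct sim *s)
{
    if (!s->pending || s->canceling) return;
    delete_task_begin_m(s);
    delete_task_end_m(s);
}

/* cancel_delayed_work(): drops a pending instance; never waits for a running one. */
static bool cancel_delayed_work_m(struct sim *s)
{
    bool was_pending = s->pending;
    s->pending = false;
    return was_pending;
}

/* flush_workqueue(): waits for what is on the workqueue now, the running instance
 * included, but a timer that instance arms before returning is not on it. */
static void flush_workqueue_m(struct sim *s)
{
    if (s->running) delete_task_end_m(s);
}

/* cancel_delayed_work_sync(): block re-queueing (modelled by holding PENDING; the
 * kernel uses a canceling/disable mark), wait for the running instance, then clear. */
static bool cancel_delayed_work_sync_m(struct sim *s)
{
    bool was_pending = s->pending;
    s->canceling = s->pending = true;        /* queue_delayed_work_m() now fails */
    if (s->running) delete_task_end_m(s);    /* __flush_work(work, true) */
    s->canceling = s->pending = false;
    return was_pending;
}

static void cnic_free_dev_m(struct sim *s) { s->dev->magic = FREED_MAGIC; }

/* Replay the interleaving from the commit message with either teardown; returns
 * how many delete_task runs dereferenced freed memory (0 means the teardown is safe). */
int replay_race(bool fixed_teardown)
{
    struct dev_m dev = { LIVE_MAGIC };
    struct sim s = { .dev = &dev, .pending = true };
    delete_task_begin_m(&s);            /* CPU 1: delete_task() already running */
    if (fixed_teardown) {
        cancel_delayed_work_sync_m(&s); /* CPU 0: re-arm blocked, instance waited for */
    } else {
        cancel_delayed_work_m(&s);      /* CPU 0: nothing pending, returns at once */
        flush_workqueue_m(&s);          /* CPU 0: waits for the instance, which re-arms */
    }
    cnic_free_dev_m(&s);                /* CPU 0: cnic_free_dev() */
    timer_fire_m(&s);                   /* CPU 1: a new instance runs only if still armed */
    return s.uaf;
}

int main(void)
{
    printf("cancel_delayed_work()+flush_workqueue(): %d use-after-free\n", replay_race(false));
    printf("cancel_delayed_work_sync():              %d use-after-free\n", replay_race(true));
    return 0;
}
```

Built with any C99 compiler, the program reports one use-after-free for
the original teardown and none with cancel_delayed_work_sync(). The point
the model makes for any self-rearming delayed work, not just this driver,
is that teardown must both stop the re-arm and wait for the in-flight
instance before the object the callback touches is freed; a timer armed
from inside the callback is invisible to flush_workqueue().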


Affected and fixed versions
===========================

	Issue introduced in 2.6.37 with commit fdf24086f4752aee5dfb40143c736250df017820 and fixed in 6.1.154 with commit e1fcd4a9c09feac0902a65615e866dbf22616125
	Issue introduced in 2.6.37 with commit fdf24086f4752aee5dfb40143c736250df017820 and fixed in 6.6.108 with commit 8eeb2091e72d75df8ceaa2172638d61b4cf8929a
	Issue introduced in 2.6.37 with commit fdf24086f4752aee5dfb40143c736250df017820 and fixed in 6.12.49 with commit 6e33a7eed587062ca8161ad1f4584882a860d697
	Issue introduced in 2.6.37 with commit fdf24086f4752aee5dfb40143c736250df017820 and fixed in 6.16.9 with commit 0627e1481676669cae2df0d85b5ff13e7d24c390
	Issue introduced in 2.6.37 with commit fdf24086f4752aee5dfb40143c736250df017820 and fixed in 6.17 with commit cfa7d9b1e3a8604afc84e9e51d789c29574fb216

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-39945
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/net/ethernet/broadcom/cnic.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/e1fcd4a9c09feac0902a65615e866dbf22616125
	https://git.kernel.org/stable/c/8eeb2091e72d75df8ceaa2172638d61b4cf8929a
	https://git.kernel.org/stable/c/6e33a7eed587062ca8161ad1f4584882a860d697
	https://git.kernel.org/stable/c/0627e1481676669cae2df0d85b5ff13e7d24c390
	https://git.kernel.org/stable/c/cfa7d9b1e3a8604afc84e9e51d789c29574fb216
