lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2025102818-CVE-2025-40070-0156@gregkh>
Date: Tue, 28 Oct 2025 12:48:47 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-40070: pps: fix warning in pps_register_cdev when register device fail

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

pps: fix warning in pps_register_cdev when register device fail

Similar to previous commit 2a934fdb01db ("media: v4l2-dev: fix error
handling in __video_register_device()"), the release hook should be set
before device_register(). Otherwise, when device_register() return error
and put_device() try to callback the release function, the below warning
may happen.

  ------------[ cut here ]------------
  WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567
  Modules linked in:
  CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE
  RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567
  Call Trace:
   <TASK>
   kobject_cleanup+0x136/0x410 lib/kobject.c:689
   kobject_release lib/kobject.c:720 [inline]
   kref_put include/linux/kref.h:65 [inline]
   kobject_put+0xe9/0x130 lib/kobject.c:737
   put_device+0x24/0x30 drivers/base/core.c:3797
   pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402
   pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108
   pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57
   tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432
   tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563
   tiocsetd drivers/tty/tty_io.c:2429 [inline]
   tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728
   vfs_ioctl fs/ioctl.c:51 [inline]
   __do_sys_ioctl fs/ioctl.c:598 [inline]
   __se_sys_ioctl fs/ioctl.c:584 [inline]
   __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584
   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
   do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94
   entry_SYSCALL_64_after_hwframe+0x76/0x7e
   </TASK>

Before commit c79a39dc8d06 ("pps: Fix a use-after-free"),
pps_register_cdev() call device_create() to create pps->dev, which will
init dev->release to device_create_release(). Now the comment is outdated,
just remove it.

Thanks for the reminder from Calvin Owens, 'kfree_pps' should be removed
in pps_register_source() to avoid a double free in the failure case.

The Linux kernel CVE team has assigned CVE-2025-40070 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.15.179 with commit c4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7 and fixed in 5.15.195 with commit 125527db41805693208ee1aacd7f3ffe6a3a489c
	Issue introduced in 6.1.129 with commit 91932db1d96b2952299ce30c1c693d834d10ace6 and fixed in 6.1.156 with commit 4cbd7450a22c5ee4842fc4175ad06c0c82ea53a8
	Issue introduced in 6.6.76 with commit cd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64 and fixed in 6.6.112 with commit cf71834a0cfc394c72d62fd6dbb470ee13cf8f5e
	Issue introduced in 6.12.13 with commit 7e5ee3281dc09014367f5112b6d566ba36ea2d49 and fixed in 6.12.53 with commit f01fa3588e0b3cb1540f56d2c6bd99e5b3810234
	Issue introduced in 6.14 with commit c79a39dc8d060b9e64e8b0fa9d245d44befeefbe and fixed in 6.17.3 with commit 0f97564a1fb62f34b3b498e2f12caffbe99c004a
	Issue introduced in 6.14 with commit c79a39dc8d060b9e64e8b0fa9d245d44befeefbe and fixed in 6.18-rc1 with commit b0531cdba5029f897da5156815e3bdafe1e9b88d
	Issue introduced in 5.4.291 with commit 785c78ed0d39d1717cca3ef931d3e51337b5e90e
	Issue introduced in 5.10.235 with commit 1a7735ab2cb9747518a7416fb5929e85442dec62
	Issue introduced in 6.13.2 with commit 85241f7de216f8298f6e48540ea13d7dcd100870

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-40070
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/pps/kapi.c
	drivers/pps/pps.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/125527db41805693208ee1aacd7f3ffe6a3a489c
	https://git.kernel.org/stable/c/4cbd7450a22c5ee4842fc4175ad06c0c82ea53a8
	https://git.kernel.org/stable/c/cf71834a0cfc394c72d62fd6dbb470ee13cf8f5e
	https://git.kernel.org/stable/c/f01fa3588e0b3cb1540f56d2c6bd99e5b3810234
	https://git.kernel.org/stable/c/0f97564a1fb62f34b3b498e2f12caffbe99c004a
	https://git.kernel.org/stable/c/b0531cdba5029f897da5156815e3bdafe1e9b88d

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ