| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025111244-CVE-2025-40186-b204@gregkh> Date: Wed, 12 Nov 2025 17:00:49 -0500 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-40186: tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request(). From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request(). syzbot reported the splat below in tcp_conn_request(). [0] If a listener is close()d while a TFO socket is being processed in tcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk->sk and calls inet_child_forget(), which calls tcp_disconnect() for the TFO socket. After the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(), where reqsk_put() is called due to !reqsk->sk. Then, reqsk_fastopen_remove() in tcp_conn_request() decrements the last req->rsk_refcnt and frees reqsk, and __reqsk_free() at the drop_and_free label causes the refcount underflow for the listener and double-free of the reqsk. Let's remove reqsk_fastopen_remove() in tcp_conn_request(). Note that other callers make sure tp->fastopen_rsk is not NULL. [0]: refcount_t: underflow; use-after-free. WARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28) Modules linked in: CPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:refcount_warn_saturate (lib/refcount.c:28) Code: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff <0f> 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6 RSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246 RAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900 RDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280 RBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280 R10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100 R13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8 FS: 00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0 Call Trace: <IRQ> tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301) tcp_rcv_state_process (net/ipv4/tcp_input.c:6708) tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670) tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906) ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438) ip6_input (net/ipv6/ip6_input.c:500) ipv6_rcv (net/ipv6/ip6_input.c:311) __netif_receive_skb (net/core/dev.c:6104) process_backlog (net/core/dev.c:6456) __napi_poll (net/core/dev.c:7506) net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696) handle_softirqs (kernel/softirq.c:579) do_softirq (kernel/softirq.c:480) </IRQ> The Linux kernel CVE team has assigned CVE-2025-40186 to this issue. Affected and fixed versions =========================== Issue introduced in 5.4.300 with commit 7ec092a91ff351dcde89c23e795b73a328274db6 and fixed in 5.4.301 with commit e359b742eac1eac75cff4e38ee2e8cea492acd9b Issue introduced in 5.10.245 with commit a4378dedd6e07e62f2fccb17d78c9665718763d0 and fixed in 5.10.246 with commit ff6a8883f96a5bc74241ce5b3d431a6dcfa2124d Issue introduced in 5.15.194 with commit 33a4fdf0b4a25f8ce65380c3b0136b407ca57609 and fixed in 5.15.195 with commit eb85ad5f23268d64b037bfb545cbcba3752f90c7 Issue introduced in 6.1.154 with commit 17d699727577814198d744d6afe54735c6b54c99 and fixed in 6.1.157 with commit 643a94b0cf767325e953591c212be2eb826b9d7f Issue introduced in 6.6.108 with commit dfd06131107e7b699ef1e2a24ed2f7d17c917753 and fixed in 6.6.113 with commit 422c1c173c39bbbae1e0eaaf8aefe40b2596233b Issue introduced in 6.12.49 with commit fa4749c065644af4db496b338452a69a3e5147d9 and fixed in 6.12.54 with commit c11ace909e873118295e9eb22dc8c58b0b50eb32 Issue introduced in 6.17 with commit 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01 and fixed in 6.17.4 with commit 64dc47a13aa3d9daf7cec29b44dca8e22a6aea15 Issue introduced in 6.17 with commit 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01 and fixed in 6.18-rc1 with commit 2e7cbbbe3d61c63606994b7ff73c72537afe2e1c Issue introduced in 6.16.9 with commit ae313d14b45eca7a6bb29cb9bf396d977e7d28fb Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-40186 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/ipv4/tcp_input.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/e359b742eac1eac75cff4e38ee2e8cea492acd9b https://git.kernel.org/stable/c/ff6a8883f96a5bc74241ce5b3d431a6dcfa2124d https://git.kernel.org/stable/c/eb85ad5f23268d64b037bfb545cbcba3752f90c7 https://git.kernel.org/stable/c/643a94b0cf767325e953591c212be2eb826b9d7f https://git.kernel.org/stable/c/422c1c173c39bbbae1e0eaaf8aefe40b2596233b https://git.kernel.org/stable/c/c11ace909e873118295e9eb22dc8c58b0b50eb32 https://git.kernel.org/stable/c/64dc47a13aa3d9daf7cec29b44dca8e22a6aea15 https://git.kernel.org/stable/c/2e7cbbbe3d61c63606994b7ff73c72537afe2e1c
Powered by blists - more mailing lists