| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025120458-CVE-2025-40223-66bd@gregkh> Date: Thu, 4 Dec 2025 16:31:58 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-40223: most: usb: Fix use-after-free in hdm_disconnect From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: most: usb: Fix use-after-free in hdm_disconnect hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing. The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts). Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface(). This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below. The Linux kernel CVE team has assigned CVE-2025-40223 to this issue. Affected and fixed versions =========================== Issue introduced in 5.9 with commit 97a6f772f36b7f52bcfa56a581bbd2470cffe23d and fixed in 5.10.246 with commit 5b5c478f09b1b35e7fe6fc9a1786c9bf6030e831 Issue introduced in 5.9 with commit 97a6f772f36b7f52bcfa56a581bbd2470cffe23d and fixed in 5.15.196 with commit 578eb18cd111addec94c43f61cd4b4429e454809 Issue introduced in 5.9 with commit 97a6f772f36b7f52bcfa56a581bbd2470cffe23d and fixed in 6.1.158 with commit 33daf469f5294b9d07c4fc98216cace9f4f34cc6 Issue introduced in 5.9 with commit 97a6f772f36b7f52bcfa56a581bbd2470cffe23d and fixed in 6.6.115 with commit 72427dc6f87523995f4e6ae35a948bb2992cabce Issue introduced in 5.9 with commit 97a6f772f36b7f52bcfa56a581bbd2470cffe23d and fixed in 6.12.56 with commit f93a84ffb884d761a9d4e869ba29c238711e81f1 Issue introduced in 5.9 with commit 97a6f772f36b7f52bcfa56a581bbd2470cffe23d and fixed in 6.17.6 with commit 3a3b8e89c7201c5b3b76ac4a4069d1adde1477d6 Issue introduced in 5.9 with commit 97a6f772f36b7f52bcfa56a581bbd2470cffe23d and fixed in 6.18 with commit 4b1270902609ef0d935ed2faa2ea6d122bd148f5 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-40223 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/most/most_usb.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/5b5c478f09b1b35e7fe6fc9a1786c9bf6030e831 https://git.kernel.org/stable/c/578eb18cd111addec94c43f61cd4b4429e454809 https://git.kernel.org/stable/c/33daf469f5294b9d07c4fc98216cace9f4f34cc6 https://git.kernel.org/stable/c/72427dc6f87523995f4e6ae35a948bb2992cabce https://git.kernel.org/stable/c/f93a84ffb884d761a9d4e869ba29c238711e81f1 https://git.kernel.org/stable/c/3a3b8e89c7201c5b3b76ac4a4069d1adde1477d6 https://git.kernel.org/stable/c/4b1270902609ef0d935ed2faa2ea6d122bd148f5
Powered by blists - more mailing lists