| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025121631-CVE-2025-68214-1871@gregkh> Date: Tue, 16 Dec 2025 14:57:33 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-68214: timers: Fix NULL function pointer race in timer_shutdown_sync() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: timers: Fix NULL function pointer race in timer_shutdown_sync() There is a race condition between timer_shutdown_sync() and timer expiration that can lead to hitting a WARN_ON in expire_timers(). The issue occurs when timer_shutdown_sync() clears the timer function to NULL while the timer is still running on another CPU. The race scenario looks like this: CPU0 CPU1 <SOFTIRQ> lock_timer_base() expire_timers() base->running_timer = timer; unlock_timer_base() [call_timer_fn enter] mod_timer() ... timer_shutdown_sync() lock_timer_base() // For now, will not detach the timer but only clear its function to NULL if (base->running_timer != timer) ret = detach_if_pending(timer, base, true); if (shutdown) timer->function = NULL; unlock_timer_base() [call_timer_fn exit] lock_timer_base() base->running_timer = NULL; unlock_timer_base() ... // Now timer is pending while its function set to NULL. // next timer trigger <SOFTIRQ> expire_timers() WARN_ON_ONCE(!fn) // hit ... lock_timer_base() // Now timer will detach if (base->running_timer != timer) ret = detach_if_pending(timer, base, true); if (shutdown) timer->function = NULL; unlock_timer_base() The problem is that timer_shutdown_sync() clears the timer function regardless of whether the timer is currently running. This can leave a pending timer with a NULL function pointer, which triggers the WARN_ON_ONCE(!fn) check in expire_timers(). Fix this by only clearing the timer function when actually detaching the timer. If the timer is running, leave the function pointer intact, which is safe because the timer will be properly detached when it finishes running. The Linux kernel CVE team has assigned CVE-2025-68214 to this issue. Affected and fixed versions =========================== Issue introduced in 6.1.158 with commit 334c33aa487be406a149c8b87c38c8399d2dba8d and fixed in 6.1.159 with commit 1a975716cc8977f461e45e28e3e5977d46ad7a6a Issue introduced in 6.2 with commit 0cc04e80458a822300b93f82ed861a513edde194 and fixed in 6.6.118 with commit 6665fbd7730b26d770c232b20d1b907e6a67a914 Issue introduced in 6.2 with commit 0cc04e80458a822300b93f82ed861a513edde194 and fixed in 6.12.60 with commit 176725f4848376530a0f0da9023f956afcc33585 Issue introduced in 6.2 with commit 0cc04e80458a822300b93f82ed861a513edde194 and fixed in 6.17.10 with commit a01efa7a780c42ac5170a949bd95c9786ffcc60a Issue introduced in 6.2 with commit 0cc04e80458a822300b93f82ed861a513edde194 and fixed in 6.18 with commit 20739af07383e6eb1ec59dcd70b72ebfa9ac362c Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-68214 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: kernel/time/timer.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/1a975716cc8977f461e45e28e3e5977d46ad7a6a https://git.kernel.org/stable/c/6665fbd7730b26d770c232b20d1b907e6a67a914 https://git.kernel.org/stable/c/176725f4848376530a0f0da9023f956afcc33585 https://git.kernel.org/stable/c/a01efa7a780c42ac5170a949bd95c9786ffcc60a https://git.kernel.org/stable/c/20739af07383e6eb1ec59dcd70b72ebfa9ac362c
Powered by blists - more mailing lists