| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025122415-CVE-2025-68742-367d@gregkh>
Date: Wed, 24 Dec 2025 13:10:18 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-68742: bpf: Fix invalid prog->stats access when update_effective_progs fails
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix invalid prog->stats access when update_effective_progs fails
Syzkaller triggers an invalid memory access issue following fault
injection in update_effective_progs. The issue can be described as
follows:
__cgroup_bpf_detach
update_effective_progs
compute_effective_progs
bpf_prog_array_alloc <-- fault inject
purge_effective_progs
/* change to dummy_bpf_prog */
array->items[index] = &dummy_bpf_prog.prog
---softirq start---
__do_softirq
...
__cgroup_bpf_run_filter_skb
__bpf_prog_run_save_cb
bpf_prog_run
stats = this_cpu_ptr(prog->stats)
/* invalid memory access */
flags = u64_stats_update_begin_irqsave(&stats->syncp)
---softirq end---
static_branch_dec(&cgroup_bpf_enabled_key[atype])
The reason is that fault injection caused update_effective_progs to fail
and then changed the original prog into dummy_bpf_prog.prog in
purge_effective_progs. Then a softirq came, and accessing the members of
dummy_bpf_prog.prog in the softirq triggers invalid mem access.
To fix it, skip updating stats when stats is NULL.
The Linux kernel CVE team has assigned CVE-2025-68742 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.1 with commit 492ecee892c2a4ba6a14903d5d586ff750b7e805 and fixed in 6.12.63 with commit 539137e3038ce6f953efd72110110f03c14c7d97
Issue introduced in 5.1 with commit 492ecee892c2a4ba6a14903d5d586ff750b7e805 and fixed in 6.17.13 with commit 56905bb70c8b88421709bb4e32fcba617aa37d41
Issue introduced in 5.1 with commit 492ecee892c2a4ba6a14903d5d586ff750b7e805 and fixed in 6.18.2 with commit 2579c356ccd35d06238b176e4b460978186d804b
Issue introduced in 5.1 with commit 492ecee892c2a4ba6a14903d5d586ff750b7e805 and fixed in 6.19-rc1 with commit 7dc211c1159d991db609bdf4b0fb9033c04adcbc
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-68742
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
include/linux/filter.h
kernel/bpf/syscall.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/539137e3038ce6f953efd72110110f03c14c7d97
https://git.kernel.org/stable/c/56905bb70c8b88421709bb4e32fcba617aa37d41
https://git.kernel.org/stable/c/2579c356ccd35d06238b176e4b460978186d804b
https://git.kernel.org/stable/c/7dc211c1159d991db609bdf4b0fb9033c04adcbc
Powered by blists - more mailing lists