| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025122415-CVE-2025-68741-894a@gregkh> Date: Wed, 24 Dec 2025 13:10:17 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-68741: scsi: qla2xxx: Fix improper freeing of purex item From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix improper freeing of purex item In qla2xxx_process_purls_iocb(), an item is allocated via qla27xx_copy_multiple_pkt(), which internally calls qla24xx_alloc_purex_item(). The qla24xx_alloc_purex_item() function may return a pre-allocated item from a per-adapter pool for small allocations, instead of dynamically allocating memory with kzalloc(). An error handling path in qla2xxx_process_purls_iocb() incorrectly uses kfree() to release the item. If the item was from the pre-allocated pool, calling kfree() on it is a bug that can lead to memory corruption. Fix this by using the correct deallocation function, qla24xx_free_purex_item(), which properly handles both dynamically allocated and pre-allocated items. The Linux kernel CVE team has assigned CVE-2025-68741 to this issue. Affected and fixed versions =========================== Issue introduced in 6.6 with commit 875386b98857822b77ac7f95bdf367b70af5b78c and fixed in 6.12.63 with commit 8e9f0a0717ba31d5842721627ade1e62d7aec012 Issue introduced in 6.6 with commit 875386b98857822b77ac7f95bdf367b70af5b78c and fixed in 6.17.13 with commit cfe3e2f768d248fd3d965d561d0768a56dd0b9f8 Issue introduced in 6.6 with commit 875386b98857822b77ac7f95bdf367b70af5b78c and fixed in 6.18.2 with commit 5fa1c8226b4532ad7011d295d3ab4ad45df105ae Issue introduced in 6.6 with commit 875386b98857822b77ac7f95bdf367b70af5b78c and fixed in 6.19-rc1 with commit 78b1a242fe612a755f2158fd206ee6bb577d18ca Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-68741 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/scsi/qla2xxx/qla_nvme.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/8e9f0a0717ba31d5842721627ade1e62d7aec012 https://git.kernel.org/stable/c/cfe3e2f768d248fd3d965d561d0768a56dd0b9f8 https://git.kernel.org/stable/c/5fa1c8226b4532ad7011d295d3ab4ad45df105ae https://git.kernel.org/stable/c/78b1a242fe612a755f2158fd206ee6bb577d18ca
Powered by blists - more mailing lists