Message-ID: <2025122401-CVE-2025-68372-98d0@gregkh>
Date: Wed, 24 Dec 2025 11:35:17 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-68372: nbd: defer config put in recv_work

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

nbd: defer config put in recv_work

There is one uaf issue in recv_work when running NBD_CLEAR_SOCK and
NBD_CMD_RECONFIGURE:
  nbd_genl_connect     // conf_ref=2 (connect and recv_work A)
  nbd_open             // conf_ref=3
  recv_work A done     // conf_ref=2
  NBD_CLEAR_SOCK       // conf_ref=1
  nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B)
  close nbd            // conf_ref=1
  recv_work B
    config_put         // conf_ref=0
    atomic_dec(&config->recv_threads); -> UAF

Or only running NBD_CLEAR_SOCK:
  nbd_genl_connect   // conf_ref=2
  nbd_open           // conf_ref=3
  NBD_CLEAR_SOCK     // conf_ref=2
  close nbd
    nbd_release
      config_put     // conf_ref=1
  recv_work
    config_put       // conf_ref=0
    atomic_dec(&config->recv_threads); -> UAF

Commit 87aac3a80af5 ("nbd: call nbd_config_put() before notifying the
waiter") moved nbd_config_put() to run before waking up the waiter in
recv_work, in order to ensure that nbd_start_device_ioctl() would not
be woken up while nbd->task_recv was still uncleared.

However, in nbd_start_device_ioctl(), after being woken up it explicitly
calls flush_workqueue() to make sure all current works are finished.
Therefore, there is no need to move the config put ahead of the wakeup.

Move nbd_config_put() to the end of recv_work, so that the reference is
held for the whole lifetime of the worker thread. This makes sure the
config cannot be freed while recv_work is still running, even if clear
+ reconfigure interleave.

In addition, we don't need to worry about recv_work dropping the last
nbd_put (which causes deadlock):

path A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT):
  connect  // nbd_refs=1 (trigger recv_work)
  open nbd // nbd_refs=2
  NBD_CLEAR_SOCK
  close nbd
    nbd_release
      nbd_disconnect_and_put
        flush_workqueue // recv_work done
      nbd_config_put
        nbd_put // nbd_refs=1
      nbd_put // nbd_refs=0
        queue_work

path B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT):
  connect  // nbd_refs=2 (trigger recv_work)
  open nbd // nbd_refs=3
  NBD_CLEAR_SOCK // conf_refs=2
  close nbd
    nbd_release
      nbd_config_put // conf_refs=1
      nbd_put // nbd_refs=2
  recv_work done // conf_refs=0, nbd_refs=1
  rmmod // nbd_refs=0

Depends-on: e2daec488c57 ("nbd: Fix hungtask when nbd_config_put")

The Linux kernel CVE team has assigned CVE-2025-68372 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.10 with commit 87aac3a80af5cbad93e63250e8a1e19095ba0d30 and fixed in 6.12.63 with commit 6b69593f72e1bfba6ca47ca8d9b619341fded7d6
	Issue introduced in 5.10 with commit 87aac3a80af5cbad93e63250e8a1e19095ba0d30 and fixed in 6.17.13 with commit 443a1721806b6ff6303b5229e9811d68172d622f
	Issue introduced in 5.10 with commit 87aac3a80af5cbad93e63250e8a1e19095ba0d30 and fixed in 6.18.2 with commit 742012f6bf29553fdc460bf646a58df3a7b43d01
	Issue introduced in 5.10 with commit 87aac3a80af5cbad93e63250e8a1e19095ba0d30 and fixed in 6.19-rc1 with commit 9517b82d8d422d426a988b213fdd45c6b417b86d
	Issue introduced in 4.14.204 with commit 0a4e383fc3aa6540f804c4fd1184a96ae5de6ef8
	Issue introduced in 4.19.155 with commit 2ef6f4bd60411934e3fc2715442c2afe70f84bf3
	Issue introduced in 5.4.75 with commit 742fd49cf811ca164489e339b862e3fb8e240a73
	Issue introduced in 5.9.5 with commit 14df8724aeeef338172e2a2d6efadc989921ca0f

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-68372
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/block/nbd.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/6b69593f72e1bfba6ca47ca8d9b619341fded7d6
	https://git.kernel.org/stable/c/443a1721806b6ff6303b5229e9811d68172d622f
	https://git.kernel.org/stable/c/742012f6bf29553fdc460bf646a58df3a7b43d01
	https://git.kernel.org/stable/c/9517b82d8d422d426a988b213fdd45c6b417b86d
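
The "only NBD_CLEAR_SOCK" sequence from the description, replayed as a userspace model with the config put placed before and after the recv_threads decrement. This is an added example, not code from the kernel or from this announcement. struct config_model, recv_work_tail() and replay_clear_sock() are hypothetical names, and "freed" is a flag rather than a real free, so the stale access is recorded instead of executed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for the nbd config object; not the kernel's struct. */
struct config_model {
    int  conf_ref;           /* config reference count */
    int  recv_threads;       /* models config->recv_threads */
    bool freed;              /* set when the last reference is dropped */
    bool touched_after_free; /* set if the worker touches a freed config */
};

static void config_put(struct config_model *c)
{
    if (--c->conf_ref == 0)
        c->freed = true;     /* the kernel would free the config here */
}

static void dec_recv_threads(struct config_model *c)
{
    if (c->freed)
        c->touched_after_free = true;  /* the access marked "-> UAF" */
    c->recv_threads--;
}

/* End of the worker: put_first=true is the old order, false the fixed one. */
static void recv_work_tail(struct config_model *c, bool put_first)
{
    if (put_first)
        config_put(c);
    dec_recv_threads(c);
    if (!put_first)
        config_put(c);       /* reference held until the worker is done */
}

/* Replays the "only NBD_CLEAR_SOCK" sequence; true means a stale access. */
bool replay_clear_sock(bool put_first)
{
    struct config_model c = { .conf_ref = 2, .recv_threads = 1 }; /* connect */
    c.conf_ref++;                    /* nbd_open                 -> 3 */
    config_put(&c);                  /* NBD_CLEAR_SOCK           -> 2 */
    config_put(&c);                  /* close nbd / nbd_release  -> 1 */
    recv_work_tail(&c, put_first);   /* recv_work runs last      -> 0 */
    return c.touched_after_free;
}

int main(void)
{
    printf("put first: stale=%d, put last: stale=%d\n", replay_clear_sock(true), replay_clear_sock(false));
}
```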
