| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2026011407-CVE-2025-71102-f4be@gregkh> Date: Wed, 14 Jan 2026 16:06:07 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-71102: scs: fix a wrong parameter in __scs_magic From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: scs: fix a wrong parameter in __scs_magic __scs_magic() needs a 'void *' variable, but a 'struct task_struct *' is given. 'task_scs(tsk)' is the starting address of the task's shadow call stack, and '__scs_magic(task_scs(tsk))' is the end address of the task's shadow call stack. Here should be '__scs_magic(task_scs(tsk))'. The user-visible effect of this bug is that when CONFIG_DEBUG_STACK_USAGE is enabled, the shadow call stack usage checking function (scs_check_usage) would scan an incorrect memory range. This could lead 1. **Inaccurate stack usage reporting**: The function would calculate wrong usage statistics for the shadow call stack, potentially showing incorrect value in kmsg. 2. **Potential kernel crash**: If the value of __scs_magic(tsk)is greater than that of __scs_magic(task_scs(tsk)), the for loop may access unmapped memory, potentially causing a kernel panic. However, this scenario is unlikely because task_struct is allocated via the slab allocator (which typically returns lower addresses), while the shadow call stack returned by task_scs(tsk) is allocated via vmalloc(which typically returns higher addresses). However, since this is purely a debugging feature (CONFIG_DEBUG_STACK_USAGE), normal production systems should be not unaffected. The bug only impacts developers and testers who are actively debugging stack usage with this configuration enabled. The Linux kernel CVE team has assigned CVE-2025-71102 to this issue. Affected and fixed versions =========================== Issue introduced in 5.8 with commit 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 and fixed in 6.1.160 with commit 57ba40b001be27786d0570dd292289df748b306b Issue introduced in 5.8 with commit 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 and fixed in 6.6.120 with commit 062774439d442882b44f5eab8c256ad3423ef284 Issue introduced in 5.8 with commit 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 and fixed in 6.12.64 with commit 9ef28943471a16e4f9646bc3e8e2de148e7d8d7b Issue introduced in 5.8 with commit 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 and fixed in 6.18.3 with commit a19fb3611e4c06624fc0f83ef19f4fb8d57d4751 Issue introduced in 5.8 with commit 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 and fixed in 6.19-rc1 with commit 08bd4c46d5e63b78e77f2605283874bbe868ab19 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-71102 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: kernel/scs.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/57ba40b001be27786d0570dd292289df748b306b https://git.kernel.org/stable/c/062774439d442882b44f5eab8c256ad3423ef284 https://git.kernel.org/stable/c/9ef28943471a16e4f9646bc3e8e2de148e7d8d7b https://git.kernel.org/stable/c/a19fb3611e4c06624fc0f83ef19f4fb8d57d4751 https://git.kernel.org/stable/c/08bd4c46d5e63b78e77f2605283874bbe868ab19
Powered by blists - more mailing lists