CVE-2025-21739 (GCVE-0-2025-21739)
Vulnerability from cvelistv5
Published: 2025-02-27 02:12
Modified: 2025-05-04 07:20
Summary
In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix use-after free in init error and remove paths

devm_blk_crypto_profile_init() registers a cleanup handler to run when the associated (platform-) device is being released. For UFS, the crypto private data and pointers are stored as part of the ufs_hba's data structure 'struct ufs_hba::crypto_profile'. This structure is allocated as part of the underlying ufshcd and therefore Scsi_host allocation.

During driver release or during error handling in ufshcd_pltfrm_init(), this structure is released as part of ufshcd_dealloc_host() before the (platform-) device associated with the crypto call above is released. Once this device is released, the crypto cleanup code will run, using the just-released 'struct ufs_hba::crypto_profile'. This causes a use-after-free situation:

  Call trace:
   kfree+0x60/0x2d8 (P)
   kvfree+0x44/0x60
   blk_crypto_profile_destroy_callback+0x28/0x70
   devm_action_release+0x1c/0x30
   release_nodes+0x6c/0x108
   devres_release_all+0x98/0x100
   device_unbind_cleanup+0x20/0x70
   really_probe+0x218/0x2d0

In other words, the initialisation code flow is:

  platform-device probe
    ufshcd_pltfrm_init()
      ufshcd_alloc_host()
        scsi_host_alloc()
          allocation of struct ufs_hba
          creation of scsi-host devices
    devm_blk_crypto_profile_init()
      devm registration of cleanup handler using platform-device

and during error handling of ufshcd_pltfrm_init() or during driver removal:

  ufshcd_dealloc_host()
    scsi_host_put()
      put_device(scsi-host)
        release of struct ufs_hba
  put_device(platform-device)
    crypto cleanup handler

To fix this use-after free, change ufshcd_alloc_host() to register a devres action to automatically cleanup the underlying SCSI device on ufshcd destruction, without requiring explicit calls to ufshcd_dealloc_host(). This way:

    * the crypto profile and all other ufs_hba-owned resources are
      destroyed before SCSI (as they've been registered after)
    * a memleak is plugged in tc-dwc-g210-pci.c remove() as a
      side-effect
    * EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as
      it's not needed anymore
    * no future drivers using ufshcd_alloc_host() could ever forget
      adding the cleanup
Impacted products
Vendor   Product   Version
Linux    Linux     d76d9d7d1009968dd3a0fc30e5f5ee9fbffc1350
Linux    Linux     d76d9d7d1009968dd3a0fc30e5f5ee9fbffc1350
Linux    Linux     d76d9d7d1009968dd3a0fc30e5f5ee9fbffc1350


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21739",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T18:14:30.354249Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:22:29.857Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/ufs/core/ufshcd.c",
            "drivers/ufs/host/ufshcd-pci.c",
            "drivers/ufs/host/ufshcd-pltfrm.c",
            "include/ufs/ufshcd.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0c77c0d754fe83cb154715fcfec6c3faef94f207",
              "status": "affected",
              "version": "d76d9d7d1009968dd3a0fc30e5f5ee9fbffc1350",
              "versionType": "git"
            },
            {
              "lessThan": "9c185beae09a3eb85f54777edafa227f7e03075d",
              "status": "affected",
              "version": "d76d9d7d1009968dd3a0fc30e5f5ee9fbffc1350",
              "versionType": "git"
            },
            {
              "lessThan": "f8fb2403ddebb5eea0033d90d9daae4c88749ada",
              "status": "affected",
              "version": "d76d9d7d1009968dd3a0fc30e5f5ee9fbffc1350",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/ufs/core/ufshcd.c",
            "drivers/ufs/host/ufshcd-pci.c",
            "drivers/ufs/host/ufshcd-pltfrm.c",
            "include/ufs/ufshcd.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix use-after free in init error and remove paths\n\ndevm_blk_crypto_profile_init() registers a cleanup handler to run when\nthe associated (platform-) device is being released. For UFS, the\ncrypto private data and pointers are stored as part of the ufs_hba\u0027s\ndata structure \u0027struct ufs_hba::crypto_profile\u0027. This structure is\nallocated as part of the underlying ufshcd and therefore Scsi_host\nallocation.\n\nDuring driver release or during error handling in ufshcd_pltfrm_init(),\nthis structure is released as part of ufshcd_dealloc_host() before the\n(platform-) device associated with the crypto call above is released.\nOnce this device is released, the crypto cleanup code will run, using\nthe just-released \u0027struct ufs_hba::crypto_profile\u0027. This causes a\nuse-after-free situation:\n\n  Call trace:\n   kfree+0x60/0x2d8 (P)\n   kvfree+0x44/0x60\n   blk_crypto_profile_destroy_callback+0x28/0x70\n   devm_action_release+0x1c/0x30\n   release_nodes+0x6c/0x108\n   devres_release_all+0x98/0x100\n   device_unbind_cleanup+0x20/0x70\n   really_probe+0x218/0x2d0\n\nIn other words, the initialisation code flow is:\n\n  platform-device probe\n    ufshcd_pltfrm_init()\n      ufshcd_alloc_host()\n        scsi_host_alloc()\n          allocation of struct ufs_hba\n          creation of scsi-host devices\n    devm_blk_crypto_profile_init()\n      devm registration of cleanup handler using platform-device\n\nand during error handling of ufshcd_pltfrm_init() or during driver\nremoval:\n\n  ufshcd_dealloc_host()\n    scsi_host_put()\n      put_device(scsi-host)\n        release of struct ufs_hba\n  put_device(platform-device)\n    crypto cleanup handler\n\nTo fix this use-after free, change ufshcd_alloc_host() to register a\ndevres action to automatically cleanup the underlying SCSI device on\nufshcd destruction, without requiring explicit calls to\nufshcd_dealloc_host(). This way:\n\n    * the crypto profile and all other ufs_hba-owned resources are\n      destroyed before SCSI (as they\u0027ve been registered after)\n    * a memleak is plugged in tc-dwc-g210-pci.c remove() as a\n      side-effect\n    * EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as\n      it\u0027s not needed anymore\n    * no future drivers using ufshcd_alloc_host() could ever forget\n      adding the cleanup"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:07.040Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0c77c0d754fe83cb154715fcfec6c3faef94f207"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c185beae09a3eb85f54777edafa227f7e03075d"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8fb2403ddebb5eea0033d90d9daae4c88749ada"
        }
      ],
      "title": "scsi: ufs: core: Fix use-after free in init error and remove paths",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21739",
    "datePublished": "2025-02-27T02:12:14.581Z",
    "dateReserved": "2024-12-29T08:45:45.757Z",
    "dateUpdated": "2025-05-04T07:20:07.040Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

