CVE-2025-22072 (GCVE-0-2025-22072)
Vulnerability from cvelistv5
Published: 2025-04-16 14:12
Modified: 2025-05-26 05:17
Summary
In the Linux kernel, the following vulnerability has been resolved:

spufs: fix gang directory lifetimes

prior to "[POWERPC] spufs: Fix gang destroy leaks" we used to have a problem with gang lifetimes - creation of a gang returns opened gang directory, which normally gets removed when that gets closed, but if somebody has created a context belonging to that gang and kept it alive until the gang got closed, removal failed and we ended up with a leak.

Unfortunately, it had been fixed the wrong way. Dentry of gang directory was no longer pinned, and rmdir on close was gone. One problem was that failure of open kept calling simple_rmdir() as cleanup, which meant an unbalanced dput(). Another bug was in the success case - gang creation incremented link count on root directory, but that was no longer undone when gang got destroyed.

Fix consists of
  * reverting the commit in question
  * adding a counter to gang, protected by ->i_rwsem of gang directory inode.
  * having it set to 1 at creation time, dropped in both spufs_dir_close() and spufs_gang_close() and bumped in spufs_create_context(), provided that it's not 0.
  * using simple_recursive_removal() to take the gang directory out when counter reaches zero.
Impacted products
Vendor Product Version
Linux Linux Version: 877907d37da9694a34adc9dc3e2ce09400148cb5


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/platforms/cell/spufs/gang.c",
            "arch/powerpc/platforms/cell/spufs/inode.c",
            "arch/powerpc/platforms/cell/spufs/spufs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "880e7b3da2e765c1f90c94c0539be039e96c7062",
              "status": "affected",
              "version": "877907d37da9694a34adc9dc3e2ce09400148cb5",
              "versionType": "git"
            },
            {
              "lessThan": "324f280806aab28ef757aecc18df419676c10ef8",
              "status": "affected",
              "version": "877907d37da9694a34adc9dc3e2ce09400148cb5",
              "versionType": "git"
            },
            {
              "lessThan": "029d8c711f5e5fe8cf63e8a4a1a140a06e224e45",
              "status": "affected",
              "version": "877907d37da9694a34adc9dc3e2ce09400148cb5",
              "versionType": "git"
            },
            {
              "lessThan": "903733782f3ae28a2f7fe4dfb47c7fe3e079a528",
              "status": "affected",
              "version": "877907d37da9694a34adc9dc3e2ce09400148cb5",
              "versionType": "git"
            },
            {
              "lessThan": "fc646a6c6d14b5d581f162a7e32999f789e3a3ac",
              "status": "affected",
              "version": "877907d37da9694a34adc9dc3e2ce09400148cb5",
              "versionType": "git"
            },
            {
              "lessThan": "c134deabf4784e155d360744d4a6a835b9de4dd4",
              "status": "affected",
              "version": "877907d37da9694a34adc9dc3e2ce09400148cb5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/platforms/cell/spufs/gang.c",
            "arch/powerpc/platforms/cell/spufs/inode.c",
            "arch/powerpc/platforms/cell/spufs/spufs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.22"
            },
            {
              "lessThan": "2.6.22",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.134",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.87",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspufs: fix gang directory lifetimes\n\nprior to \"[POWERPC] spufs: Fix gang destroy leaks\" we used to have\na problem with gang lifetimes - creation of a gang returns opened\ngang directory, which normally gets removed when that gets closed,\nbut if somebody has created a context belonging to that gang and\nkept it alive until the gang got closed, removal failed and we\nended up with a leak.\n\nUnfortunately, it had been fixed the wrong way.  Dentry of gang\ndirectory was no longer pinned, and rmdir on close was gone.\nOne problem was that failure of open kept calling simple_rmdir()\nas cleanup, which meant an unbalanced dput().  Another bug was\nin the success case - gang creation incremented link count on\nroot directory, but that was no longer undone when gang got\ndestroyed.\n\nFix consists of\n\t* reverting the commit in question\n\t* adding a counter to gang, protected by -\u003ei_rwsem\nof gang directory inode.\n\t* having it set to 1 at creation time, dropped\nin both spufs_dir_close() and spufs_gang_close() and bumped\nin spufs_create_context(), provided that it\u0027s not 0.\n\t* using simple_recursive_removal() to take the gang\ndirectory out when counter reaches zero."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:17:51.679Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/880e7b3da2e765c1f90c94c0539be039e96c7062"
        },
        {
          "url": "https://git.kernel.org/stable/c/324f280806aab28ef757aecc18df419676c10ef8"
        },
        {
          "url": "https://git.kernel.org/stable/c/029d8c711f5e5fe8cf63e8a4a1a140a06e224e45"
        },
        {
          "url": "https://git.kernel.org/stable/c/903733782f3ae28a2f7fe4dfb47c7fe3e079a528"
        },
        {
          "url": "https://git.kernel.org/stable/c/fc646a6c6d14b5d581f162a7e32999f789e3a3ac"
        },
        {
          "url": "https://git.kernel.org/stable/c/c134deabf4784e155d360744d4a6a835b9de4dd4"
        }
      ],
      "title": "spufs: fix gang directory lifetimes",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22072",
    "datePublished": "2025-04-16T14:12:24.571Z",
    "dateReserved": "2024-12-29T08:45:45.814Z",
    "dateUpdated": "2025-05-26T05:17:51.679Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-22072\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-04-16T15:16:01.390\",\"lastModified\":\"2025-04-17T20:22:16.240\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nspufs: fix gang directory lifetimes\\n\\nprior to \\\"[POWERPC] spufs: Fix gang destroy leaks\\\" we used to have\\na problem with gang lifetimes - creation of a gang returns opened\\ngang directory, which normally gets removed when that gets closed,\\nbut if somebody has created a context belonging to that gang and\\nkept it alive until the gang got closed, removal failed and we\\nended up with a leak.\\n\\nUnfortunately, it had been fixed the wrong way.  Dentry of gang\\ndirectory was no longer pinned, and rmdir on close was gone.\\nOne problem was that failure of open kept calling simple_rmdir()\\nas cleanup, which meant an unbalanced dput().  Another bug was\\nin the success case - gang creation incremented link count on\\nroot directory, but that was no longer undone when gang got\\ndestroyed.\\n\\nFix consists of\\n\\t* reverting the commit in question\\n\\t* adding a counter to gang, protected by -\u003ei_rwsem\\nof gang directory inode.\\n\\t* having it set to 1 at creation time, dropped\\nin both spufs_dir_close() and spufs_gang_close() and bumped\\nin spufs_create_context(), provided that it\u0027s not 0.\\n\\t* using simple_recursive_removal() to take the gang\\ndirectory out when counter reaches zero.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: spufs: corrige la duraci\u00f3n del directorio de pandillas. 
Antes de \\\"[POWERPC] spufs: corrige las fugas de destrucci\u00f3n de pandillas\\\", ten\u00edamos un problema con la duraci\u00f3n de las pandillas: al crear una pandilla, se devolv\u00eda el directorio de pandillas abierto, que normalmente se elimina al cerrarse. Sin embargo, si alguien creaba un contexto perteneciente a esa pandilla y lo manten\u00eda activo hasta que se cerraba, la eliminaci\u00f3n fallaba y se produc\u00eda una fuga. Desafortunadamente, se solucion\u00f3 incorrectamente. La dentry del directorio de pandillas ya no estaba fijada y rmdir al cerrar se hab\u00eda eliminado. Un problema era que, al fallar la apertura, se segu\u00eda llamando a simple_rmdir() como limpieza, lo que implicaba un dput() desequilibrado. Otro error, en el caso de \u00e9xito, era que la creaci\u00f3n de una pandilla incrementaba el n\u00famero de enlaces en el directorio ra\u00edz, pero esto ya no se deshac\u00eda al destruirla. La soluci\u00f3n consiste en: * revertir el commit en cuesti\u00f3n * a\u00f1adir un contador a la pandilla, protegido por -\u0026gt;i_rwsem del inodo del directorio de pandillas. * tenerlo establecido en 1 en el momento de la creaci\u00f3n, descartado tanto en spufs_dir_close() como en spufs_gang_close() y agregado en spufs_create_context(), siempre que no sea 0. 
* usar simple_recursive_removal() para sacar el directorio de pandillas cuando el contador llega a cero.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/029d8c711f5e5fe8cf63e8a4a1a140a06e224e45\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/324f280806aab28ef757aecc18df419676c10ef8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/880e7b3da2e765c1f90c94c0539be039e96c7062\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/903733782f3ae28a2f7fe4dfb47c7fe3e079a528\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c134deabf4784e155d360744d4a6a835b9de4dd4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fc646a6c6d14b5d581f162a7e32999f789e3a3ac\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

