ghsa-4gxw-5w55-6f5h
Vulnerability from github
Published
2025-02-27 03:34
Modified
2025-03-13 15:32
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

padata: avoid UAF for reorder_work

Although the previous patch can avoid ps and ps UAF for _do_serial, it can not avoid potential UAF issue for reorder_work. This issue can happen just as below:

crypto_request crypto_request crypto_del_alg padata_do_serial ... padata_reorder // processes all remaining // requests then breaks while (1) { if (!padata) break; ... }

            padata_do_serial
              // new request added
              list_add
// sees the new request
queue_work(reorder_work)
              padata_reorder
                queue_work_on(squeue->work)

...

            <kworker context>
            padata_serial_worker
            // completes new request,
            // no more outstanding
            // requests

                        crypto_del_alg
                          // free pd

invoke_padata_reorder // UAF of pd

To avoid UAF for 'reorder_work', get 'pd' ref before put 'reorder_work' into the 'serial_wq' and put 'pd' ref until the 'serial_wq' finish.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-21726"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-27T02:15:16Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: avoid UAF for reorder_work\n\nAlthough the previous patch can avoid ps and ps UAF for _do_serial, it\ncan not avoid potential UAF issue for reorder_work. This issue can\nhappen just as below:\n\ncrypto_request\t\t\tcrypto_request\t\tcrypto_del_alg\npadata_do_serial\n  ...\n  padata_reorder\n    // processes all remaining\n    // requests then breaks\n    while (1) {\n      if (!padata)\n        break;\n      ...\n    }\n\n\t\t\t\tpadata_do_serial\n\t\t\t\t  // new request added\n\t\t\t\t  list_add\n    // sees the new request\n    queue_work(reorder_work)\n\t\t\t\t  padata_reorder\n\t\t\t\t    queue_work_on(squeue-\u003ework)\n...\n\n\t\t\t\t\u003ckworker context\u003e\n\t\t\t\tpadata_serial_worker\n\t\t\t\t// completes new request,\n\t\t\t\t// no more outstanding\n\t\t\t\t// requests\n\n\t\t\t\t\t\t\tcrypto_del_alg\n\t\t\t\t\t\t\t  // free pd\n\n\u003ckworker context\u003e\ninvoke_padata_reorder\n  // UAF of pd\n\nTo avoid UAF for \u0027reorder_work\u0027, get \u0027pd\u0027 ref before put \u0027reorder_work\u0027\ninto the \u0027serial_wq\u0027 and put \u0027pd\u0027 ref until the \u0027serial_wq\u0027 finish.",
  "id": "GHSA-4gxw-5w55-6f5h",
  "modified": "2025-03-13T15:32:48Z",
  "published": "2025-02-27T03:34:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21726"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4c6209efea2208597dbd3e52dc87a0d1a8f2dbe1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6f45ef616775b0ce7889b0f6077fc8d681ab30bc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7000507bb0d2ceb545c0a690e0c707c897d102c2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a54091c24220a4cd847d5b4f36d678edacddbaf0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dd7d37ccf6b11f3d95e797ebe4e9e886d0332600"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f4f1b1169fc3694f9bc3e28c6c68dbbf4cc744c0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.