ghsa-vh9v-7rrm-mm8x
Vulnerability from github
Published
2025-07-03 09:30
Modified
2025-07-03 09:30
Details

In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo()

syzbot reports:

BUG: KASAN: slab-use-after-free in getrusage+0x1109/0x1a60 Read of size 8 at addr ffff88810de2d2c8 by task a.out/304

CPU: 0 UID: 0 PID: 304 Comm: a.out Not tainted 6.16.0-rc1 #1 PREEMPT(voluntary) Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x53/0x70 print_report+0xd0/0x670 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? getrusage+0x1109/0x1a60 kasan_report+0xce/0x100 ? getrusage+0x1109/0x1a60 getrusage+0x1109/0x1a60 ? __pfx_getrusage+0x10/0x10 __io_uring_show_fdinfo+0x9fe/0x1790 ? ksys_read+0xf7/0x1c0 ? do_syscall_64+0xa4/0x260 ? vsnprintf+0x591/0x1100 ? __pfxiouring_show_fdinfo+0x10/0x10 ? pfx_vsnprintf+0x10/0x10 ? mutex_trylock+0xcf/0x130 ? __pfx_mutex_trylock+0x10/0x10 ? __pfx_show_fd_locks+0x10/0x10 ? io_uring_show_fdinfo+0x57/0x80 io_uring_show_fdinfo+0x57/0x80 seq_show+0x38c/0x690 seq_read_iter+0x3f7/0x1180 ? inode_set_ctime_current+0x160/0x4b0 seq_read+0x271/0x3e0 ? __pfx_seq_read+0x10/0x10 ? __pfx__raw_spin_lock+0x10/0x10 ? __mark_inode_dirty+0x402/0x810 ? selinux_file_permission+0x368/0x500 ? file_update_time+0x10f/0x160 vfs_read+0x177/0xa40 ? __pfxhandlemm_fault+0x10/0x10 ? pfx_vfs_read+0x10/0x10 ? mutex_lock+0x81/0xe0 ? __pfx_mutex_lock+0x10/0x10 ? fdget_pos+0x24d/0x4b0 ksys_read+0xf7/0x1c0 ? __pfx_ksys_read+0x10/0x10 ? do_user_addr_fault+0x43b/0x9c0 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0f74170fc9 Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 8 RSP: 002b:00007fffece049e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0f74170fc9 RDX: 0000000000001000 RSI: 00007fffece049f0 RDI: 0000000000000004 RBP: 00007fffece05ad0 R08: 0000000000000000 R09: 00007fffece04d90 R10: 0000000000000000 R11: 0000000000000206 R12: 00005651720a1100 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 298: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_node_noprof+0xe8/0x330 copy_process+0x376/0x5e00 create_io_thread+0xab/0xf0 io_sq_offload_create+0x9ed/0xf20 io_uring_setup+0x12b0/0x1cc0 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 22: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x37/0x50 kmem_cache_free+0xc4/0x360 rcu_core+0x5ff/0x19f0 handle_softirqs+0x18c/0x530 run_ksoftirqd+0x20/0x30 smpboot_thread_fn+0x287/0x6c0 kthread+0x30d/0x630 ret_from_fork+0xef/0x1a0 ret_from_fork_asm+0x1a/0x30

Last potentially related work creation: kasan_save_stack+0x33/0x60 kasan_record_aux_stack+0x8c/0xa0 __call_rcu_common.constprop.0+0x68/0x940 __schedule+0xff2/0x2930 __cond_resched+0x4c/0x80 mutex_lock+0x5c/0xe0 io_uring_del_tctx_node+0xe1/0x2b0 io_uring_clean_tctx+0xb7/0x160 io_uring_cancel_generic+0x34e/0x760 do_exit+0x240/0x2350 do_group_exit+0xab/0x220 __x64_sys_exit_group+0x39/0x40 x64_sys_call+0x1243/0x1840 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88810de2cb00 which belongs to the cache task_struct of size 3712 The buggy address is located 1992 bytes inside of freed 3712-byte region [ffff88810de2cb00, ffff88810de2d980)

which is caused by the task_struct pointed to by sq->thread being released while it is being used in the function __io_uring_show_fdinfo(). Holding ctx->uring_lock does not prevent ehre relase or exit of sq->thread.

Fix this by assigning and looking up ->thread under RCU, and grabbing a reference to the task_struct. This e ---truncated---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38106"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-03T09:15:24Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix use-after-free of sq-\u003ethread in __io_uring_show_fdinfo()\n\nsyzbot reports:\n\nBUG: KASAN: slab-use-after-free in getrusage+0x1109/0x1a60\nRead of size 8 at addr ffff88810de2d2c8 by task a.out/304\n\nCPU: 0 UID: 0 PID: 304 Comm: a.out Not tainted 6.16.0-rc1 #1 PREEMPT(voluntary)\nHardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x53/0x70\n print_report+0xd0/0x670\n ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n ? getrusage+0x1109/0x1a60\n kasan_report+0xce/0x100\n ? getrusage+0x1109/0x1a60\n getrusage+0x1109/0x1a60\n ? __pfx_getrusage+0x10/0x10\n __io_uring_show_fdinfo+0x9fe/0x1790\n ? ksys_read+0xf7/0x1c0\n ? do_syscall_64+0xa4/0x260\n ? vsnprintf+0x591/0x1100\n ? __pfx___io_uring_show_fdinfo+0x10/0x10\n ? __pfx_vsnprintf+0x10/0x10\n ? mutex_trylock+0xcf/0x130\n ? __pfx_mutex_trylock+0x10/0x10\n ? __pfx_show_fd_locks+0x10/0x10\n ? io_uring_show_fdinfo+0x57/0x80\n io_uring_show_fdinfo+0x57/0x80\n seq_show+0x38c/0x690\n seq_read_iter+0x3f7/0x1180\n ? inode_set_ctime_current+0x160/0x4b0\n seq_read+0x271/0x3e0\n ? __pfx_seq_read+0x10/0x10\n ? __pfx__raw_spin_lock+0x10/0x10\n ? __mark_inode_dirty+0x402/0x810\n ? selinux_file_permission+0x368/0x500\n ? file_update_time+0x10f/0x160\n vfs_read+0x177/0xa40\n ? __pfx___handle_mm_fault+0x10/0x10\n ? __pfx_vfs_read+0x10/0x10\n ? mutex_lock+0x81/0xe0\n ? __pfx_mutex_lock+0x10/0x10\n ? fdget_pos+0x24d/0x4b0\n ksys_read+0xf7/0x1c0\n ? __pfx_ksys_read+0x10/0x10\n ? do_user_addr_fault+0x43b/0x9c0\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f0f74170fc9\nCode: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 8\nRSP: 002b:00007fffece049e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000000\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0f74170fc9\nRDX: 0000000000001000 RSI: 00007fffece049f0 RDI: 0000000000000004\nRBP: 00007fffece05ad0 R08: 0000000000000000 R09: 00007fffece04d90\nR10: 0000000000000000 R11: 0000000000000206 R12: 00005651720a1100\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n \u003c/TASK\u003e\n\nAllocated by task 298:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_slab_alloc+0x6e/0x70\n kmem_cache_alloc_node_noprof+0xe8/0x330\n copy_process+0x376/0x5e00\n create_io_thread+0xab/0xf0\n io_sq_offload_create+0x9ed/0xf20\n io_uring_setup+0x12b0/0x1cc0\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 22:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x37/0x50\n kmem_cache_free+0xc4/0x360\n rcu_core+0x5ff/0x19f0\n handle_softirqs+0x18c/0x530\n run_ksoftirqd+0x20/0x30\n smpboot_thread_fn+0x287/0x6c0\n kthread+0x30d/0x630\n ret_from_fork+0xef/0x1a0\n ret_from_fork_asm+0x1a/0x30\n\nLast potentially related work creation:\n kasan_save_stack+0x33/0x60\n kasan_record_aux_stack+0x8c/0xa0\n __call_rcu_common.constprop.0+0x68/0x940\n __schedule+0xff2/0x2930\n __cond_resched+0x4c/0x80\n mutex_lock+0x5c/0xe0\n io_uring_del_tctx_node+0xe1/0x2b0\n io_uring_clean_tctx+0xb7/0x160\n io_uring_cancel_generic+0x34e/0x760\n do_exit+0x240/0x2350\n do_group_exit+0xab/0x220\n __x64_sys_exit_group+0x39/0x40\n x64_sys_call+0x1243/0x1840\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe buggy address belongs to the object at ffff88810de2cb00\n which belongs to the cache task_struct of size 3712\nThe buggy address is located 1992 bytes inside of\n freed 3712-byte region [ffff88810de2cb00, ffff88810de2d980)\n\nwhich is caused by the task_struct pointed to by sq-\u003ethread being\nreleased while it is being used in the function\n__io_uring_show_fdinfo(). Holding ctx-\u003euring_lock does not prevent ehre\nrelase or exit of sq-\u003ethread.\n\nFix this by assigning and looking up -\u003ethread under RCU, and grabbing a\nreference to the task_struct. This e\n---truncated---",
  "id": "GHSA-vh9v-7rrm-mm8x",
  "modified": "2025-07-03T09:30:33Z",
  "published": "2025-07-03T09:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38106"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ac0b8b327a5677dc6fecdf353d808161525b1ff0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/af8c13f9ee040b9a287ba246cf0055f7c77b7cc8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d0932758a0a77b38ba1b39564f3b7aba12407061"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.