CVE-2025-21631

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
19/01/2025
Last modified:
10/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()

Our syzkaller reported the following UAF for v6.6:

BUG: KASAN: slab-use-after-free in bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958
Read of size 8 at addr ffff8881b57147d8 by task fsstress/232726

CPU: 2 PID: 232726 Comm: fsstress Not tainted 6.6.0-g3629d1885222 #39
Call Trace:

__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364
print_report+0x3e/0x70 mm/kasan/report.c:475
kasan_report+0xb8/0xf0 mm/kasan/report.c:588
hlist_add_head include/linux/list.h:1023 [inline]
bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958
bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271
bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323
blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660
blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143
__submit_bio+0xa0/0x6b0 block/blk-core.c:639
__submit_bio_noacct_mq block/blk-core.c:718 [inline]
submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747
submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847
__ext4_read_bh fs/ext4/super.c:205 [inline]
ext4_read_bh+0x15e/0x2e0 fs/ext4/super.c:230
__read_extent_tree_block+0x304/0x6f0 fs/ext4/extents.c:567
ext4_find_extent+0x479/0xd20 fs/ext4/extents.c:947
ext4_ext_map_blocks+0x1a3/0x2680 fs/ext4/extents.c:4182
ext4_map_blocks+0x929/0x15a0 fs/ext4/inode.c:660
ext4_iomap_begin_report+0x298/0x480 fs/ext4/inode.c:3569
iomap_iter+0x3dd/0x1010 fs/iomap/iter.c:91
iomap_fiemap+0x1f4/0x360 fs/iomap/fiemap.c:80
ext4_fiemap+0x181/0x210 fs/ext4/extents.c:5051
ioctl_fiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220
do_vfs_ioctl+0x31c/0x11a0 fs/ioctl.c:811
__do_sys_ioctl fs/ioctl.c:869 [inline]
__se_sys_ioctl+0xae/0x190 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x78/0xe2

Allocated by task 232719:
kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:768 [inline]
slab_alloc_node mm/slub.c:3492 [inline]
kmem_cache_alloc_node+0x1b8/0x6f0 mm/slub.c:3537
bfq_get_queue+0x215/0x1f00 block/bfq-iosched.c:5869
bfq_get_bfqq_handle_split+0x167/0x5f0 block/bfq-iosched.c:6776
bfq_init_rq+0x13a4/0x17a0 block/bfq-iosched.c:6938
bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271
bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323
blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660
blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143
__submit_bio+0xa0/0x6b0 block/blk-core.c:639
__submit_bio_noacct_mq block/blk-core.c:718 [inline]
submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747
submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847
__ext4_read_bh fs/ext4/super.c:205 [inline]
ext4_read_bh_nowait+0x15a/0x240 fs/ext4/super.c:217
ext4_read_bh_lock+0xac/0xd0 fs/ext4/super.c:242
ext4_bread_batch+0x268/0x500 fs/ext4/inode.c:958
__ext4_find_entry+0x448/0x10f0 fs/ext4/namei.c:1671
ext4_lookup_entry fs/ext4/namei.c:1774 [inline]
ext4_lookup.part.0+0x359/0x6f0 fs/ext4/namei.c:1842
ext4_lookup+0x72/0x90 fs/ext4/namei.c:1839
__lookup_slow+0x257/0x480 fs/namei.c:1696
lookup_slow fs/namei.c:1713 [inline]
walk_component+0x454/0x5c0 fs/namei.c:2004
link_path_walk.part.0+0x773/0xda0 fs/namei.c:2331
link_path_walk fs/namei.c:3826 [inline]
path_openat+0x1b9/0x520 fs/namei.c:3826
do_filp_open+0x1b7/0x400 fs/namei.c:3857
do_sys_openat2+0x5dc/0x6e0 fs/open.c:1428
do_sys_open fs/open.c:1443 [inline]
__do_sys_openat fs/open.c:1459 [inline]
__se_sys_openat fs/open.c:1454 [inline]
__x64_sys_openat+0x148/0x200 fs/open.c:1454
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_6
---truncated---
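The report above names the faulting site (hlist_add_head() inside bfq_init_rq()) and the allocation site (bfq_get_queue() reached through bfq_get_bfqq_handle_split()), but is cut off before the free. The pattern the title describes, a waker_bfqq pointer kept across bfq_split_bfqq() after the queue it names has been released, is modelled below in user-space C. This is an added example, not kernel code and not the upstream fix: the model_* structs and functions, the four-slot "slab", the in_use flag standing in for the slab state KASAN tracks, and the mitigation of holding a reference for as long as the saved pointer exists are all this example's own assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: a user-space model of the dangling
 * waker_bfqq pattern in the CVE title. The model_* names, the four-slot
 * "slab", the in_use flag (standing in for what KASAN tracks) and the
 * reference-holding mitigation are this example's own, not the upstream patch. */

#define MODEL_NQUEUES 4
enum { MODEL_OK = 0, MODEL_UAF = -1 };

struct model_bfqq {                 /* cut-down stand-in for struct bfq_queue */
    bool in_use;                    /* is the slab object live? */
    int refcnt;
    struct model_bfqq *waker_bfqq;  /* queue whose I/O completion woke this one */
    int woken_list_len;             /* stands in for the woken_list hlist */
};

struct model_bic {                  /* stand-in for the per-process bfq_io_cq */
    struct model_bfqq *bfqq;        /* queue the process owns now */
    struct model_bfqq *saved_waker_bfqq; /* waker kept across a split */
};

static struct model_bfqq model_slab[MODEL_NQUEUES];

/* Lowest free slot first, so freed memory is reused like a real slab. */
static struct model_bfqq *model_get_queue(void)
{
    for (int i = 0; i < MODEL_NQUEUES; i++) {
        if (!model_slab[i].in_use) {
            model_slab[i] = (struct model_bfqq){ .in_use = true, .refcnt = 1 };
            return &model_slab[i];
        }
    }
    return NULL;
}

static void model_put_queue(struct model_bfqq *q)
{
    if (--q->refcnt == 0)
        q->in_use = false;  /* freed: every raw pointer to it is now dangling */
}

/* Save the waker across a split. Vulnerable: a raw pointer with no reference.
 * Hardened: take a reference so the waker cannot be freed underneath it
 * (init_rq then hands that reference to the new queue's waker_bfqq). */
static void model_save_waker(struct model_bic *bic, bool hold_ref)
{
    bic->saved_waker_bfqq = bic->bfqq->waker_bfqq;
    if (hold_ref && bic->saved_waker_bfqq)
        bic->saved_waker_bfqq->refcnt++;
}

/* Restore the saved waker on the new queue and link into its woken_list, the
 * hlist_add_head() step at the faulting site in the report. The model returns
 * MODEL_UAF instead of writing through a stale pointer. */
static int model_init_rq(struct model_bic *bic)
{
    struct model_bfqq *waker = bic->saved_waker_bfqq;

    bic->saved_waker_bfqq = NULL;
    if (!waker)
        return MODEL_OK;
    if (!waker->in_use)
        return MODEL_UAF;         /* the write would land in freed slab memory */
    bic->bfqq->waker_bfqq = waker;
    waker->woken_list_len++;      /* the hlist_add_head() write */
    return MODEL_OK;
}

/* Constructed scenario: A's queue woke B's queue; B's bic saves the waker,
 * B's queue is split (old one put, fresh one allocated), then A exits and
 * drops what it believes is the last reference on its queue. B's next
 * request runs init_rq and restores the saved waker. */
static int model_run(bool hardened, int *woken_len_out)
{
    memset(model_slab, 0, sizeof model_slab);
    struct model_bfqq *a = model_get_queue();
    struct model_bfqq *b = model_get_queue();
    struct model_bic bic = { .bfqq = b, .saved_waker_bfqq = NULL };

    b->waker_bfqq = a;
    model_save_waker(&bic, hardened);

    model_put_queue(b);            /* split: old queue released ... */
    bic.bfqq = model_get_queue();  /* ... fresh queue for the same process */
    model_put_queue(a);            /* A exits */

    int rc = model_init_rq(&bic);
    *woken_len_out = a->in_use ? a->woken_list_len : -1;
    return rc;
}

int main(void)
{
    int n, rc;
    rc = model_run(false, &n);
    printf("raw saved pointer: %s\n", rc == MODEL_UAF ? "slab-use-after-free on waker_bfqq" : "ok");
    rc = model_run(true, &n);
    printf("saved pointer holds a reference: rc=%d woken_list_len=%d\n", rc, n);
    return 0;
}
```

model_run(false, ...) returns MODEL_UAF because the saved raw pointer outlives the object it names; model_run(true, ...) returns MODEL_OK with the new queue linked into the waker's woken_list. In the real kernel the stale hlist_add_head() write lands in freed, possibly already reused, slab memory, which is why KASAN classifies it as slab-use-after-free rather than a clean crash.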

Vulnerable products and versions

CPE                                               From                   Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.15.168 (including)   5.15.177 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.1.113 (including)    6.1.125 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.6.54 (including)     6.6.72 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.10.13 (including)    6.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.11.2 (including)     6.12.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*