CVE-2025-21712
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/02/2025
Last modified:
07/03/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

md/md-bitmap: Synchronize bitmap_get_stats() with bitmap lifetime

After commit ec6bb299c7c3 ("md/md-bitmap: add 'sync_size' into struct
md_bitmap_stats"), the following panic is reported:

Oops: general protection fault, probably for non-canonical address
RIP: 0010:bitmap_get_stats+0x2b/0xa0
Call Trace:

md_seq_show+0x2d2/0x5b0
seq_read_iter+0x2b9/0x470
seq_read+0x12f/0x180
proc_reg_read+0x57/0xb0
vfs_read+0xf6/0x380
ksys_read+0x6c/0xf0
do_syscall_64+0x82/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e

Root cause is that bitmap_get_stats() can be called at any time if mddev
is still there, even if bitmap is destroyed, or not fully initialized.
Dereferencing bitmap in this case can crash the kernel. Meanwhile, the
above commit started dereferencing bitmap->storage, making the problem
easier to trigger.

Fix the problem by protecting bitmap_get_stats() with bitmap_info.mutex.
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/032fa54f486eac5507976e7e31f079a767bc13a8
- https://git.kernel.org/stable/c/237e19519c8ff6949f0ef57c4a0243f5b2b0fa18
- https://git.kernel.org/stable/c/4e9316eee3885bfb311b4759513f2ccf37891c09
- https://git.kernel.org/stable/c/52848a095b55a302af92f52ca0de5b3112059bb8
- https://git.kernel.org/stable/c/8d28d0ddb986f56920ac97ae704cc3340a699a30