Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-22085

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
16/04/2025
Last modified:
25/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/core: Fix use-after-free when rename device name<br /> <br /> Syzbot reported a slab-use-after-free with the following call trace:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in nla_put+0xd3/0x150 lib/nlattr.c:1099<br /> Read of size 5 at addr ffff888140ea1c60 by task syz.0.988/10025<br /> <br /> CPU: 0 UID: 0 PID: 10025 Comm: syz.0.988<br /> Not tainted 6.14.0-rc4-syzkaller-00859-gf77f12010f67 #0<br /> Hardware name: Google Compute Engine, BIOS Google 02/12/2025<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:94 [inline]<br /> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120<br /> print_address_description mm/kasan/report.c:408 [inline]<br /> print_report+0x16e/0x5b0 mm/kasan/report.c:521<br /> kasan_report+0x143/0x180 mm/kasan/report.c:634<br /> kasan_check_range+0x282/0x290 mm/kasan/generic.c:189<br /> __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105<br /> nla_put+0xd3/0x150 lib/nlattr.c:1099<br /> nla_put_string include/net/netlink.h:1621 [inline]<br /> fill_nldev_handle+0x16e/0x200 drivers/infiniband/core/nldev.c:265<br /> rdma_nl_notify_event+0x561/0xef0 drivers/infiniband/core/nldev.c:2857<br /> ib_device_notify_register+0x22/0x230 drivers/infiniband/core/device.c:1344<br /> ib_register_device+0x1292/0x1460 drivers/infiniband/core/device.c:1460<br /> rxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540<br /> rxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550<br /> rxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212<br /> nldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795<br /> rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]<br /> rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]<br /> netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339<br /> netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1883<br /> sock_sendmsg_nosec net/socket.c:709 [inline]<br /> __sock_sendmsg+0x221/0x270 net/socket.c:724<br /> ____sys_sendmsg+0x53a/0x860 net/socket.c:2564<br /> ___sys_sendmsg net/socket.c:2618 [inline]<br /> __sys_sendmsg+0x269/0x350 net/socket.c:2650<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7f42d1b8d169<br /> Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 ...<br /> RSP: 002b:00007f42d2960038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e<br /> RAX: ffffffffffffffda RBX: 00007f42d1da6320 RCX: 00007f42d1b8d169<br /> RDX: 0000000000000000 RSI: 00004000000002c0 RDI: 000000000000000c<br /> RBP: 00007f42d1c0e2a0 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000<br /> R13: 0000000000000000 R14: 00007f42d1da6320 R15: 00007ffe399344a8<br /> <br /> <br /> Allocated by task 10025:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68<br /> poison_kmalloc_redzone mm/kasan/common.c:377 [inline]<br /> __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394<br /> kasan_kmalloc include/linux/kasan.h:260 [inline]<br /> __do_kmalloc_node mm/slub.c:4294 [inline]<br /> __kmalloc_node_track_caller_noprof+0x28b/0x4c0 mm/slub.c:4313<br /> __kmemdup_nul mm/util.c:61 [inline]<br /> kstrdup+0x42/0x100 mm/util.c:81<br /> kobject_set_name_vargs+0x61/0x120 lib/kobject.c:274<br /> dev_set_name+0xd5/0x120 drivers/base/core.c:3468<br /> assign_name drivers/infiniband/core/device.c:1202 [inline]<br /> ib_register_device+0x178/0x1460 drivers/infiniband/core/device.c:1384<br /> rxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540<br /> rxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550<br /> rxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212<br /> nldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795<br /> rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]<br /> rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]<br /> netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339<br /> netlink_sendmsg+0x8de/0xcb0 net<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.12 (including) 6.12.23 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.13.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.14 (including) 6.14.2 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools