Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-22089

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
16/04/2025
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/core: Don&amp;#39;t expose hw_counters outside of init net namespace<br /> <br /> Commit 467f432a521a ("RDMA/core: Split port and device counter sysfs<br /> attributes") accidentally almost exposed hw counters to non-init net<br /> namespaces. It didn&amp;#39;t expose them fully, as an attempt to read any of<br /> those counters leads to a crash like this one:<br /> <br /> [42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028<br /> [42021.814463] #PF: supervisor read access in kernel mode<br /> [42021.819549] #PF: error_code(0x0000) - not-present page<br /> [42021.824636] PGD 0 P4D 0<br /> [42021.827145] Oops: 0000 [#1] SMP PTI<br /> [42021.830598] CPU: 82 PID: 2843922 Comm: switchto-defaul Kdump: loaded Tainted: G S W I XXX<br /> [42021.841697] Hardware name: XXX<br /> [42021.849619] RIP: 0010:hw_stat_device_show+0x1e/0x40 [ib_core]<br /> [42021.855362] Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 49 89 d0 4c 8b 5e 20 48 8b 8f b8 04 00 00 48 81 c7 f0 fa ff ff 8b 41 28 48 29 ce 48 83 c6 d0 48 c1 ee 04 69 d6 ab aa aa aa 48<br /> [42021.873931] RSP: 0018:ffff97fe90f03da0 EFLAGS: 00010287<br /> [42021.879108] RAX: ffff9406988a8c60 RBX: ffff940e1072d438 RCX: 0000000000000000<br /> [42021.886169] RDX: ffff94085f1aa000 RSI: ffff93c6cbbdbcb0 RDI: ffff940c7517aef0<br /> [42021.893230] RBP: ffff97fe90f03e70 R08: ffff94085f1aa000 R09: 0000000000000000<br /> [42021.900294] R10: ffff94085f1aa000 R11: ffffffffc0775680 R12: ffffffff87ca2530<br /> [42021.907355] R13: ffff940651602840 R14: ffff93c6cbbdbcb0 R15: ffff94085f1aa000<br /> [42021.914418] FS: 00007fda1a3b9700(0000) GS:ffff94453fb80000(0000) knlGS:0000000000000000<br /> [42021.922423] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [42021.928130] CR2: 0000000000000028 CR3: 00000042dcfb8003 CR4: 00000000003726f0<br /> [42021.935194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [42021.942257] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> [42021.949324] Call Trace:<br /> [42021.951756] <br /> [42021.953842] [] ? show_regs+0x64/0x70<br /> [42021.959030] [] ? __die+0x78/0xc0<br /> [42021.963874] [] ? page_fault_oops+0x2b5/0x3b0<br /> [42021.969749] [] ? exc_page_fault+0x1a2/0x3c0<br /> [42021.975549] [] ? asm_exc_page_fault+0x26/0x30<br /> [42021.981517] [] ? __pfx_show_hw_stats+0x10/0x10 [ib_core]<br /> [42021.988482] [] ? hw_stat_device_show+0x1e/0x40 [ib_core]<br /> [42021.995438] [] dev_attr_show+0x1e/0x50<br /> [42022.000803] [] sysfs_kf_seq_show+0x81/0xe0<br /> [42022.006508] [] seq_read_iter+0xf4/0x410<br /> [42022.011954] [] vfs_read+0x16e/0x2f0<br /> [42022.017058] [] ksys_read+0x6e/0xe0<br /> [42022.022073] [] do_syscall_64+0x6a/0xa0<br /> [42022.027441] [] entry_SYSCALL_64_after_hwframe+0x78/0xe2<br /> <br /> The problem can be reproduced using the following steps:<br /> ip netns add foo<br /> ip netns exec foo bash<br /> cat /sys/class/infiniband/mlx4_0/hw_counters/*<br /> <br /> The panic occurs because of casting the device pointer into an<br /> ib_device pointer using container_of() in hw_stat_device_show() is<br /> wrong and leads to a memory corruption.<br /> <br /> However the real problem is that hw counters should never been exposed<br /> outside of the non-init net namespace.<br /> <br /> Fix this by saving the index of the corresponding attribute group<br /> (it might be 1 or 2 depending on the presence of driver-specific<br /> attributes) and zeroing the pointer to hw_counters group for compat<br /> devices during the initialization.<br /> <br /> With this fix applied hw_counters are not available in a non-init<br /> net namespace:<br /> find /sys/class/infiniband/mlx4_0/ -name hw_counters<br /> /sys/class/infiniband/mlx4_0/ports/1/hw_counters<br /> /sys/class/infiniband/mlx4_0/ports/2/hw_counters<br /> /sys/class/infiniband/mlx4_0/hw_counters<br /> <br /> ip netns add foo<br /> ip netns exec foo bash<br /> find /sys/class/infiniband/mlx4_0/ -name hw_counters

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.14 (including) 5.15.180 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.134 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.87 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.23 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.13.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.14 (including) 6.14.2 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools