CVE-2025-40070
Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
28/10/2025
Última modificación:
30/10/2025
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
pps: fix warning in pps_register_cdev when register device fail<br />
<br />
Similar to previous commit 2a934fdb01db ("media: v4l2-dev: fix error<br />
handling in __video_register_device()"), the release hook should be set<br />
before device_register(). Otherwise, when device_register() return error<br />
and put_device() try to callback the release function, the below warning<br />
may happen.<br />
<br />
------------[ cut here ]------------<br />
WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567<br />
Modules linked in:<br />
CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE<br />
RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567<br />
Call Trace:<br />
<br />
kobject_cleanup+0x136/0x410 lib/kobject.c:689<br />
kobject_release lib/kobject.c:720 [inline]<br />
kref_put include/linux/kref.h:65 [inline]<br />
kobject_put+0xe9/0x130 lib/kobject.c:737<br />
put_device+0x24/0x30 drivers/base/core.c:3797<br />
pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402<br />
pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108<br />
pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57<br />
tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432<br />
tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563<br />
tiocsetd drivers/tty/tty_io.c:2429 [inline]<br />
tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728<br />
vfs_ioctl fs/ioctl.c:51 [inline]<br />
__do_sys_ioctl fs/ioctl.c:598 [inline]<br />
__se_sys_ioctl fs/ioctl.c:584 [inline]<br />
__x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584<br />
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br />
do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94<br />
entry_SYSCALL_64_after_hwframe+0x76/0x7e<br />
<br />
<br />
Before commit c79a39dc8d06 ("pps: Fix a use-after-free"),<br />
pps_register_cdev() call device_create() to create pps->dev, which will<br />
init dev->release to device_create_release(). Now the comment is outdated,<br />
just remove it.<br />
<br />
Thanks for the reminder from Calvin Owens, &#39;kfree_pps&#39; should be removed<br />
in pps_register_source() to avoid a double free in the failure case.
Impacto
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/0f97564a1fb62f34b3b498e2f12caffbe99c004a
- https://git.kernel.org/stable/c/125527db41805693208ee1aacd7f3ffe6a3a489c
- https://git.kernel.org/stable/c/2a194707ca27a3b0523023fa8b446e5ec922dc51
- https://git.kernel.org/stable/c/38c7bb10aae5118dd48fa7a82f7bf93839bcc320
- https://git.kernel.org/stable/c/4cbd7450a22c5ee4842fc4175ad06c0c82ea53a8
- https://git.kernel.org/stable/c/b0531cdba5029f897da5156815e3bdafe1e9b88d
- https://git.kernel.org/stable/c/cf71834a0cfc394c72d62fd6dbb470ee13cf8f5e
- https://git.kernel.org/stable/c/f01fa3588e0b3cb1540f56d2c6bd99e5b3810234