Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-21642

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
19/01/2025
Last modified:
01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: sysctl: sched: avoid using current-&gt;nsproxy<br /> <br /> Using the &amp;#39;net&amp;#39; structure via &amp;#39;current&amp;#39; is not recommended for different<br /> reasons.<br /> <br /> First, if the goal is to use it to read or write per-netns data, this is<br /> inconsistent with how the "generic" sysctl entries are doing: directly<br /> by only using pointers set to the table entry, e.g. table-&gt;data. Linked<br /> to that, the per-netns data should always be obtained from the table<br /> linked to the netns it had been created for, which may not coincide with<br /> the reader&amp;#39;s or writer&amp;#39;s netns.<br /> <br /> Another reason is that access to current-&gt;nsproxy-&gt;netns can oops if<br /> attempted when current-&gt;nsproxy had been dropped when the current task<br /> is exiting. This is what syzbot found, when using acct(2):<br /> <br /> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI<br /> KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]<br /> CPU: 1 UID: 0 PID: 5924 Comm: syz-executor Not tainted 6.13.0-rc5-syzkaller-00004-gccb98ccef0e5 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024<br /> RIP: 0010:proc_scheduler+0xc6/0x3c0 net/mptcp/ctrl.c:125<br /> Code: 03 42 80 3c 38 00 0f 85 fe 02 00 00 4d 8b a4 24 08 09 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 28 48 89 fa 48 c1 ea 03 3c 02 00 0f 85 cc 02 00 00 4d 8b 7c 24 28 48 8d 84 24 c8 00 00<br /> RSP: 0018:ffffc900034774e8 EFLAGS: 00010206<br /> <br /> RAX: dffffc0000000000 RBX: 1ffff9200068ee9e RCX: ffffc90003477620<br /> RDX: 0000000000000005 RSI: ffffffff8b08f91e RDI: 0000000000000028<br /> RBP: 0000000000000001 R08: ffffc90003477710 R09: 0000000000000040<br /> R10: 0000000000000040 R11: 00000000726f7475 R12: 0000000000000000<br /> R13: ffffc90003477620 R14: ffffc90003477710 R15: dffffc0000000000<br /> FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007fee3cd452d8 CR3: 000000007d116000 CR4: 00000000003526f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> proc_sys_call_handler+0x403/0x5d0 fs/proc/proc_sysctl.c:601<br /> __kernel_write_iter+0x318/0xa80 fs/read_write.c:612<br /> __kernel_write+0xf6/0x140 fs/read_write.c:632<br /> do_acct_process+0xcb0/0x14a0 kernel/acct.c:539<br /> acct_pin_kill+0x2d/0x100 kernel/acct.c:192<br /> pin_kill+0x194/0x7c0 fs/fs_pin.c:44<br /> mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81<br /> cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366<br /> task_work_run+0x14e/0x250 kernel/task_work.c:239<br /> exit_task_work include/linux/task_work.h:43 [inline]<br /> do_exit+0xad8/0x2d70 kernel/exit.c:938<br /> do_group_exit+0xd3/0x2a0 kernel/exit.c:1087<br /> get_signal+0x2576/0x2610 kernel/signal.c:3017<br /> arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337<br /> exit_to_user_mode_loop kernel/entry/common.c:111 [inline]<br /> exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]<br /> __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]<br /> syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218<br /> do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7fee3cb87a6a<br /> Code: Unable to access opcode bytes at 0x7fee3cb87a40.<br /> RSP: 002b:00007fffcccac688 EFLAGS: 00000202 ORIG_RAX: 0000000000000037<br /> RAX: 0000000000000000 RBX: 00007fffcccac710 RCX: 00007fee3cb87a6a<br /> RDX: 0000000000000041 RSI: 0000000000000000 RDI: 0000000000000003<br /> RBP: 0000000000000003 R08: 00007fffcccac6ac R09: 00007fffcccacac7<br /> R10: 00007fffcccac710 R11: 0000000000000202 R12: 00007fee3cd49500<br /> R13: 00007fffcccac6ac R14: 0000000000000000 R15: 00007fee3cd4b000<br /> <br /> Modules linked in:<br /> ---[ end trace 0000000000000000 ]---<br /> RIP: 0010:proc_scheduler+0xc6/0x3c0 net/mptcp/ctrl.c:125<br /> Code: 03 42 80 3c 38 00 0f 85 fe 02 00 00 4d 8b a4 24 08 09 00 00 48 b8 00 00 00 00 00 fc<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.6.31 (including) 6.6.72 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.8.10 (including) 6.12.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools