Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-21727

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
27/02/2025
Last modified:
24/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> padata: fix UAF in padata_reorder<br /> <br /> A bug was found when run ltp test:<br /> <br /> BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0<br /> Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206<br /> <br /> CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+<br /> Workqueue: pdecrypt_parallel padata_parallel_worker<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x32/0x50<br /> print_address_description.constprop.0+0x6b/0x3d0<br /> print_report+0xdd/0x2c0<br /> kasan_report+0xa5/0xd0<br /> padata_find_next+0x29/0x1a0<br /> padata_reorder+0x131/0x220<br /> padata_parallel_worker+0x3d/0xc0<br /> process_one_work+0x2ec/0x5a0<br /> <br /> If &amp;#39;mdelay(10)&amp;#39; is added before calling &amp;#39;padata_find_next&amp;#39; in the<br /> &amp;#39;padata_reorder&amp;#39; function, this issue could be reproduced easily with<br /> ltp test (pcrypt_aead01).<br /> <br /> This can be explained as bellow:<br /> <br /> pcrypt_aead_encrypt<br /> ...<br /> padata_do_parallel<br /> refcount_inc(&amp;pd-&gt;refcnt); // add refcnt<br /> ...<br /> padata_do_serial<br /> padata_reorder // pd<br /> while (1) {<br /> padata_find_next(pd, true); // using pd<br /> queue_work_on<br /> ...<br /> padata_serial_worker crypto_del_alg<br /> padata_put_pd_cnt // sub refcnt<br /> padata_free_shell<br /> padata_put_pd(ps-&gt;pd);<br /> // pd is freed<br /> // loop again, but pd is freed<br /> // call padata_find_next, UAF<br /> }<br /> <br /> In the padata_reorder function, when it loops in &amp;#39;while&amp;#39;, if the alg is<br /> deleted, the refcnt may be decreased to 0 before entering<br /> &amp;#39;padata_find_next&amp;#39;, which leads to UAF.<br /> <br /> As mentioned in [1], do_serial is supposed to be called with BHs disabled<br /> and always happen under RCU protection, to address this issue, add<br /> synchronize_rcu() in &amp;#39;padata_free_shell&amp;#39; wait for all _do_serial calls<br /> to finish.<br /> <br /> [1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/<br /> [2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.4 (including) 5.10.235 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.179 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.129 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.76 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.13 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.13.2 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools