Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-21729

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
27/02/2025
Last modified:
24/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion<br /> <br /> The rtwdev-&gt;scanning flag isn&amp;#39;t protected by mutex originally, so<br /> cancel_hw_scan can pass the condition, but suddenly hw_scan completion<br /> unset the flag and calls ieee80211_scan_completed() that will free<br /> local-&gt;hw_scan_req. Then, cancel_hw_scan raises null-ptr-deref and<br /> use-after-free. Fix it by moving the check condition to where<br /> protected by mutex.<br /> <br /> KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]<br /> CPU: 2 PID: 6922 Comm: kworker/2:2 Tainted: G OE<br /> Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB6WW (2.76 ) 09/10/2019<br /> Workqueue: events cfg80211_conn_work [cfg80211]<br /> RIP: 0010:rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]<br /> Code: 00 45 89 6c 24 1c 0f 85 23 01 00 00 48 8b 85 20 ff ff ff 48 8d<br /> RSP: 0018:ffff88811fd9f068 EFLAGS: 00010206<br /> RAX: dffffc0000000000 RBX: ffff88811fd9f258 RCX: 0000000000000001<br /> RDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000089<br /> RBP: ffff88811fd9f170 R08: 0000000000000000 R09: 0000000000000000<br /> R10: ffff88811fd9f108 R11: 0000000000000000 R12: ffff88810e47f960<br /> R13: 0000000000000000 R14: 000000000000ffff R15: 0000000000000000<br /> FS: 0000000000000000(0000) GS:ffff8881d6f00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007531dfca55b0 CR3: 00000001be296004 CR4: 00000000001706e0<br /> Call Trace:<br /> <br /> ? show_regs+0x61/0x73<br /> ? __die_body+0x20/0x73<br /> ? die_addr+0x4f/0x7b<br /> ? exc_general_protection+0x191/0x1db<br /> ? asm_exc_general_protection+0x27/0x30<br /> ? rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]<br /> ? rtw89_fw_h2c_scan_offload_be+0x458/0x13c3 [rtw89_core]<br /> ? __pfx_rtw89_fw_h2c_scan_offload_be+0x10/0x10 [rtw89_core]<br /> ? do_raw_spin_lock+0x75/0xdb<br /> ? __pfx_do_raw_spin_lock+0x10/0x10<br /> rtw89_hw_scan_offload+0xb5e/0xbf7 [rtw89_core]<br /> ? _raw_spin_unlock+0xe/0x24<br /> ? __mutex_lock.constprop.0+0x40c/0x471<br /> ? __pfx_rtw89_hw_scan_offload+0x10/0x10 [rtw89_core]<br /> ? __mutex_lock_slowpath+0x13/0x1f<br /> ? mutex_lock+0xa2/0xdc<br /> ? __pfx_mutex_lock+0x10/0x10<br /> rtw89_hw_scan_abort+0x58/0xb7 [rtw89_core]<br /> rtw89_ops_cancel_hw_scan+0x120/0x13b [rtw89_core]<br /> ieee80211_scan_cancel+0x468/0x4d0 [mac80211]<br /> ieee80211_prep_connection+0x858/0x899 [mac80211]<br /> ieee80211_mgd_auth+0xbea/0xdde [mac80211]<br /> ? __pfx_ieee80211_mgd_auth+0x10/0x10 [mac80211]<br /> ? cfg80211_find_elem+0x15/0x29 [cfg80211]<br /> ? is_bss+0x1b7/0x1d7 [cfg80211]<br /> ieee80211_auth+0x18/0x27 [mac80211]<br /> cfg80211_mlme_auth+0x3bb/0x3e7 [cfg80211]<br /> cfg80211_conn_do_work+0x410/0xb81 [cfg80211]<br /> ? __pfx_cfg80211_conn_do_work+0x10/0x10 [cfg80211]<br /> ? __kasan_check_read+0x11/0x1f<br /> ? psi_group_change+0x8bc/0x944<br /> ? __kasan_check_write+0x14/0x22<br /> ? mutex_lock+0x8e/0xdc<br /> ? __pfx_mutex_lock+0x10/0x10<br /> ? __pfx___radix_tree_lookup+0x10/0x10<br /> cfg80211_conn_work+0x245/0x34d [cfg80211]<br /> ? __pfx_cfg80211_conn_work+0x10/0x10 [cfg80211]<br /> ? update_cfs_rq_load_avg+0x3bc/0x3d7<br /> ? sched_clock_noinstr+0x9/0x1a<br /> ? sched_clock+0x10/0x24<br /> ? sched_clock_cpu+0x7e/0x42e<br /> ? newidle_balance+0x796/0x937<br /> ? __pfx_sched_clock_cpu+0x10/0x10<br /> ? __pfx_newidle_balance+0x10/0x10<br /> ? __kasan_check_read+0x11/0x1f<br /> ? psi_group_change+0x8bc/0x944<br /> ? _raw_spin_unlock+0xe/0x24<br /> ? raw_spin_rq_unlock+0x47/0x54<br /> ? raw_spin_rq_unlock_irq+0x9/0x1f<br /> ? finish_task_switch.isra.0+0x347/0x586<br /> ? __schedule+0x27bf/0x2892<br /> ? mutex_unlock+0x80/0xd0<br /> ? do_raw_spin_lock+0x75/0xdb<br /> ? __pfx___schedule+0x10/0x10<br /> process_scheduled_works+0x58c/0x821<br /> worker_thread+0x4c7/0x586<br /> ? __kasan_check_read+0x11/0x1f<br /> kthread+0x285/0x294<br /> ? __pfx_worker_thread+0x10/0x10<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x29/0x6f<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1b/0x30<br />

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.18 (including) 6.12.13 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.13.2 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools