CVE-2025-21812

Severity (CVSS v4.0): Pending analysis
Type: CWE-416 Use After Free
Publication date: 27/02/2025
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ax25: rcu protect dev->ax25_ptr

syzbot found a lockdep issue [1].

We should remove ax25 RTNL dependency in ax25_setsockopt()

This should also fix a variety of possible UAF in ax25.

[1]

WARNING: possible circular locking dependency detected
6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0 Not tainted
------------------------------------------------------
syz.5.1818/12806 is trying to acquire lock:
ffffffff8fcb3988 (rtnl_mutex){+.+.}-{4:4}, at: ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680

but task is already holding lock:
ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline]
ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (sk_lock-AF_AX25){+.+.}-{0:0}:
       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
       lock_sock_nested+0x48/0x100 net/core/sock.c:3642
       lock_sock include/net/sock.h:1618 [inline]
       ax25_kill_by_device net/ax25/af_ax25.c:101 [inline]
       ax25_device_event+0x24d/0x580 net/ax25/af_ax25.c:146
       notifier_call_chain+0x1a5/0x3f0 kernel/notifier.c:85
       __dev_notify_flags+0x207/0x400
       dev_change_flags+0xf0/0x1a0 net/core/dev.c:9026
       dev_ifsioc+0x7c8/0xe70 net/core/dev_ioctl.c:563
       dev_ioctl+0x719/0x1340 net/core/dev_ioctl.c:820
       sock_do_ioctl+0x240/0x460 net/socket.c:1234
       sock_ioctl+0x626/0x8e0 net/socket.c:1339
       vfs_ioctl fs/ioctl.c:51 [inline]
       __do_sys_ioctl fs/ioctl.c:906 [inline]
       __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #0 (rtnl_mutex){+.+.}-{4:4}:
       check_prev_add kernel/locking/lockdep.c:3161 [inline]
       check_prevs_add kernel/locking/lockdep.c:3280 [inline]
       validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
       __lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
       __mutex_lock_common kernel/locking/mutex.c:585 [inline]
       __mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735
       ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680
       do_sock_setsockopt+0x3af/0x720 net/socket.c:2324
       __sys_setsockopt net/socket.c:2349 [inline]
       __do_sys_setsockopt net/socket.c:2355 [inline]
       __se_sys_setsockopt net/socket.c:2352 [inline]
       __x64_sys_setsockopt+0x1ee/0x280 net/socket.c:2352
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(sk_lock-AF_AX25);
                               lock(rtnl_mutex);
                               lock(sk_lock-AF_AX25);
  lock(rtnl_mutex);

*** DEADLOCK ***

1 lock held by syz.5.1818/12806:
#0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline]
#0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574

stack backtrace:
CPU: 1 UID: 0 PID: 12806 Comm: syz.5.1818 Not tainted 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:

 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074
 check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206
 check_prev_add kernel/locking/lockdep.c:3161 [inline]
 check_prevs_add kernel/lockin
---truncated---

Vulnerable products and versions

CPE                                            From                   Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   3.18.132 (including)   3.19 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   4.4.170 (including)    4.5 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   4.9.149 (including)    4.10 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   4.14.92 (including)    4.15 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   4.19.14 (including)    4.20 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   4.20.1 (including)     6.1.129 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.2 (including)        6.6.76 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.7 (including)        6.12.13 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.13 (including)       6.13.2 (excluding)