CVE-2025-68372
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
nbd: defer config put in recv_work
There is one uaf issue in recv_work when running NBD_CLEAR_SOCK and NBD_CMD_RECONFIGURE: nbd_genl_connect // conf_ref=2 (connect and recv_work A) nbd_open // conf_ref=3 recv_work A done // conf_ref=2 NBD_CLEAR_SOCK // conf_ref=1 nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B) close nbd // conf_ref=1 recv_work B config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAF
Or only running NBD_CLEAR_SOCK: nbd_genl_connect // conf_ref=2 nbd_open // conf_ref=3 NBD_CLEAR_SOCK // conf_ref=2 close nbd nbd_release config_put // conf_ref=1 recv_work config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAF
Commit 87aac3a80af5 ("nbd: call nbd_config_put() before notifying the waiter") moved nbd_config_put() to run before waking up the waiter in recv_work, in order to ensure that nbd_start_device_ioctl() would not be woken up while nbd->task_recv was still uncleared.
However, in nbd_start_device_ioctl(), after being woken up it explicitly calls flush_workqueue() to make sure all current works are finished. Therefore, there is no need to move the config put ahead of the wakeup.
Move nbd_config_put() to the end of recv_work, so that the reference is held for the whole lifetime of the worker thread. This makes sure the config cannot be freed while recv_work is still running, even if clear
- reconfigure interleave.
In addition, we don't need to worry about recv_work dropping the last nbd_put (which causes deadlock):
path A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=1 (trigger recv_work) open nbd // nbd_refs=2 NBD_CLEAR_SOCK close nbd nbd_release nbd_disconnect_and_put flush_workqueue // recv_work done nbd_config_put nbd_put // nbd_refs=1 nbd_put // nbd_refs=0 queue_work
path B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=2 (trigger recv_work) open nbd // nbd_refs=3 NBD_CLEAR_SOCK // conf_refs=2 close nbd nbd_release nbd_config_put // conf_refs=1 nbd_put // nbd_refs=2 recv_work done // conf_refs=0, nbd_refs=1 rmmod // nbd_refs=0
Depends-on: e2daec488c57 ("nbd: Fix hungtask when nbd_config_put")
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 87aac3a80af5cbad93e63250e8a1e19095ba0d30 < 198aa230a6f8c1f6af7ed26b29180749c3e79e4d | affected |
| Linux | Linux | 87aac3a80af5cbad93e63250e8a1e19095ba0d30 < d3ba312675911ff9e3fefefd551751e153a9f0a9 | affected |
| Linux | Linux | 87aac3a80af5cbad93e63250e8a1e19095ba0d30 < 3692884bd6187d89d41eef81e5a9724519fd01c1 | affected |
| Linux | Linux | 87aac3a80af5cbad93e63250e8a1e19095ba0d30 < 1ba2ced2bbdf7e64a30c3e88c70ea8bc208d1509 | affected |
| Linux | Linux | 87aac3a80af5cbad93e63250e8a1e19095ba0d30 < 6b69593f72e1bfba6ca47ca8d9b619341fded7d6 | affected |
| Linux | Linux | 87aac3a80af5cbad93e63250e8a1e19095ba0d30 < 443a1721806b6ff6303b5229e9811d68172d622f | affected |
| Linux | Linux | 87aac3a80af5cbad93e63250e8a1e19095ba0d30 < 742012f6bf29553fdc460bf646a58df3a7b43d01 | affected |
| Linux | Linux | 87aac3a80af5cbad93e63250e8a1e19095ba0d30 < 9517b82d8d422d426a988b213fdd45c6b417b86d | affected |
| Linux | Linux | 0a4e383fc3aa6540f804c4fd1184a96ae5de6ef8 | affected |
| Linux | Linux | 2ef6f4bd60411934e3fc2715442c2afe70f84bf3 | affected |
| Linux | Linux | 742fd49cf811ca164489e339b862e3fb8e240a73 | affected |
| Linux | Linux | 14df8724aeeef338172e2a2d6efadc989921ca0f | affected |
| Linux | Linux | 4.14.204 < 4.15 | affected |
| Linux | Linux | 4.19.155 < 4.20 | affected |
| Linux | Linux | 5.4.75 < 5.5 | affected |
| Linux | Linux | 5.9.5 < 5.10 | affected |
| Linux | Linux | 5.10 | affected |
| Linux | Linux | 0 < 5.10 | unaffected |
| Linux | Linux | 5.10.248 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.198 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.160 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.120 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.63 <= 6.12.* | unaffected |
| Linux | Linux | 6.17.13 <= 6.17.* | unaffected |
| Linux | Linux | 6.18.2 <= 6.18.* | unaffected |
| Linux | Linux | 6.19 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/198aa230a6f8c1f6af7ed26b29180749c3e79e4d
- https://git.kernel.org/stable/c/d3ba312675911ff9e3fefefd551751e153a9f0a9
- https://git.kernel.org/stable/c/3692884bd6187d89d41eef81e5a9724519fd01c1
- https://git.kernel.org/stable/c/1ba2ced2bbdf7e64a30c3e88c70ea8bc208d1509
- https://git.kernel.org/stable/c/6b69593f72e1bfba6ca47ca8d9b619341fded7d6
- https://git.kernel.org/stable/c/443a1721806b6ff6303b5229e9811d68172d622f
- https://git.kernel.org/stable/c/742012f6bf29553fdc460bf646a58df3a7b43d01
- https://git.kernel.org/stable/c/9517b82d8d422d426a988b213fdd45c6b417b86d
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.