CVE-2025-68735

Summary

In the Linux kernel, the following vulnerability has been resolved:

drm/panthor: Prevent potential UAF in group creation

This commit prevents the possibility of a use after free issue in the GROUP_CREATE ioctl function, which arose as pointer to the group is accessed in that ioctl function after storing it in the Xarray. A malicious userspace can second guess the handle of a group and try to call GROUP_DESTROY ioctl from another thread around the same time as GROUP_CREATE ioctl.

To prevent the use after free exploit, this commit uses a mark on an entry of group pool Xarray which is added just before returning from the GROUP_CREATE ioctl function. The mark is checked for all ioctls that specify the group handle and so userspace won't be abe to delete a group that isn't marked yet.

v2: Add R-bs and fixes tags

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxde85488138247d034eb3241840424a54d660926b < deb8b2491f6b9882ae02d7dc2651c7bf4f3b7e05affected
LinuxLinuxde85488138247d034eb3241840424a54d660926b < c646ebff3fa571e7ea974235286fb9ed3edc260caffected
LinuxLinuxde85488138247d034eb3241840424a54d660926b < eec7e23d848d2194dd8791fcd0f4a54d4378eecdaffected
LinuxLinux6.10affected
LinuxLinux0 < 6.10unaffected
LinuxLinux6.17.13 <= 6.17.*unaffected
LinuxLinux6.18.2 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

References