CVE-2025-68735
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/panthor: Prevent potential UAF in group creation
This commit prevents the possibility of a use after free issue in the GROUP_CREATE ioctl function, which arose as pointer to the group is accessed in that ioctl function after storing it in the Xarray. A malicious userspace can second guess the handle of a group and try to call GROUP_DESTROY ioctl from another thread around the same time as GROUP_CREATE ioctl.
To prevent the use after free exploit, this commit uses a mark on an entry of group pool Xarray which is added just before returning from the GROUP_CREATE ioctl function. The mark is checked for all ioctls that specify the group handle and so userspace won't be abe to delete a group that isn't marked yet.
v2: Add R-bs and fixes tags
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | de85488138247d034eb3241840424a54d660926b < deb8b2491f6b9882ae02d7dc2651c7bf4f3b7e05 | affected |
| Linux | Linux | de85488138247d034eb3241840424a54d660926b < c646ebff3fa571e7ea974235286fb9ed3edc260c | affected |
| Linux | Linux | de85488138247d034eb3241840424a54d660926b < eec7e23d848d2194dd8791fcd0f4a54d4378eecd | affected |
| Linux | Linux | 6.10 | affected |
| Linux | Linux | 0 < 6.10 | unaffected |
| Linux | Linux | 6.17.13 <= 6.17.* | unaffected |
| Linux | Linux | 6.18.2 <= 6.18.* | unaffected |
| Linux | Linux | 6.19 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/deb8b2491f6b9882ae02d7dc2651c7bf4f3b7e05
- https://git.kernel.org/stable/c/c646ebff3fa571e7ea974235286fb9ed3edc260c
- https://git.kernel.org/stable/c/eec7e23d848d2194dd8791fcd0f4a54d4378eecd
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.