CVE-2025-71099
N/A
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl()
In xe_oa_add_config_ioctl(), we accessed oa_config->id after dropping metrics_lock. Since this lock protects the lifetime of oa_config, an attacker could guess the id and call xe_oa_remove_config_ioctl() with perfect timing, freeing oa_config before we dereference it, leading to a potential use-after-free.
Fix this by caching the id in a local variable while holding the lock.
v2: (Matt A)
- Dropped mutex_unlock(&oa->metrics_lock) ordering change from xe_oa_remove_config_ioctl()
(cherry picked from commit 28aeaed130e8e587fd1b73b6d66ca41ccc5a1a31)
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | cdf02fe1a94a768cbcd20f5c4e1a1d805f4a06c0 < c6d30b65b7a44dac52ad49513268adbf19eab4a2 | affected |
| Linux | Linux | cdf02fe1a94a768cbcd20f5c4e1a1d805f4a06c0 < 7cdb9a9da935c687563cc682155461fef5f9b48d | affected |
| Linux | Linux | cdf02fe1a94a768cbcd20f5c4e1a1d805f4a06c0 < dcb171931954c51a1a7250d558f02b8f36570783 | affected |
| Linux | Linux | 6.11 | affected |
| Linux | Linux | 0 < 6.11 | unaffected |
| Linux | Linux | 6.12.64 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.4 <= 6.18.* | unaffected |
| Linux | Linux | 6.19 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/c6d30b65b7a44dac52ad49513268adbf19eab4a2
- https://git.kernel.org/stable/c/7cdb9a9da935c687563cc682155461fef5f9b48d
- https://git.kernel.org/stable/c/dcb171931954c51a1a7250d558f02b8f36570783
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.