CVE-2025-21731
27.02.2025, 02:15
In the Linux kernel, the following vulnerability has been resolved:
nbd: don't allow reconnect after disconnect
Following process can cause nbd_config UAF:
1) grab nbd_config temporarily;
2) nbd_genl_disconnect() flush all recv_work() and release the
initial reference:
nbd_genl_disconnect
nbd_disconnect_and_put
nbd_disconnect
flush_workqueue(nbd->recv_workq)
if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))
nbd_config_put
-> due to step 1), reference is still not zero
3) nbd_genl_reconfigure() queue recv_work() again;
nbd_genl_reconfigure
config = nbd_get_config_unlocked(nbd)
if (!config)
-> succeed
if (!test_bit(NBD_RT_BOUND, ...))
-> succeed
nbd_reconnect_socket
queue_work(nbd->recv_workq, &args->work)
4) step 1) release the reference;
5) Finially, recv_work() will trigger UAF:
recv_work
nbd_config_put(nbd)
-> nbd_config is freed
atomic_dec(&config->recv_threads)
-> UAF
Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so
that nbd_genl_reconfigure() will fail.Enginsight| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 4.12 ≤ 𝑥 < 5.4.291 |
| linux | linux_kernel | 5.5 ≤ 𝑥 < 5.10.235 |
| linux | linux_kernel | 5.11 ≤ 𝑥 < 5.15.179 |
| linux | linux_kernel | 5.16 ≤ 𝑥 < 6.1.129 |
| linux | linux_kernel | 6.2 ≤ 𝑥 < 6.6.76 |
| linux | linux_kernel | 6.7 ≤ 𝑥 < 6.12.13 |
| linux | linux_kernel | 6.13 ≤ 𝑥 < 6.13.2 |
𝑥
= Vulnerable software versions
Debian Releases
Common Weakness Enumeration
References