CVE-2025-21727 (GCVE-0-2025-21727)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-05-04 07:19
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: padata: fix UAF in padata_reorder A bug was found when run ltp test: BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206 CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+ Workqueue: pdecrypt_parallel padata_parallel_worker Call Trace: <TASK> dump_stack_lvl+0x32/0x50 print_address_description.constprop.0+0x6b/0x3d0 print_report+0xdd/0x2c0 kasan_report+0xa5/0xd0 padata_find_next+0x29/0x1a0 padata_reorder+0x131/0x220 padata_parallel_worker+0x3d/0xc0 process_one_work+0x2ec/0x5a0 If 'mdelay(10)' is added before calling 'padata_find_next' in the 'padata_reorder' function, this issue could be reproduced easily with ltp test (pcrypt_aead01). This can be explained as bellow: pcrypt_aead_encrypt ... padata_do_parallel refcount_inc(&pd->refcnt); // add refcnt ... padata_do_serial padata_reorder // pd while (1) { padata_find_next(pd, true); // using pd queue_work_on ... padata_serial_worker crypto_del_alg padata_put_pd_cnt // sub refcnt padata_free_shell padata_put_pd(ps->pd); // pd is freed // loop again, but pd is freed // call padata_find_next, UAF } In the padata_reorder function, when it loops in 'while', if the alg is deleted, the refcnt may be decreased to 0 before entering 'padata_find_next', which leads to UAF. As mentioned in [1], do_serial is supposed to be called with BHs disabled and always happen under RCU protection, to address this issue, add synchronize_rcu() in 'padata_free_shell' wait for all _do_serial calls to finish. [1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/ [2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccdPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/573ac9c70bf7885dc85d82fa44550581bfc3b738Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/80231f069240d52e98b6a317456c67b2eafd0781Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/bbccae982e9fa1d7abcb23a5ec81cb0ec883f7dePatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e01780ea4661172734118d2a5f41bc9720765668Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f3e0b9f790f8e8065d59e67b565a83154d9f3079Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f78170bee51469734b1a306a74fc5f777bb22ba6Patch
Impacted products
Vendor Product Version
Linux Linux Version: b128a30409356df65f1a51cff3eb986cac8cfedc
Version: b128a30409356df65f1a51cff3eb986cac8cfedc
Version: b128a30409356df65f1a51cff3eb986cac8cfedc
Version: b128a30409356df65f1a51cff3eb986cac8cfedc
Version: b128a30409356df65f1a51cff3eb986cac8cfedc
Version: b128a30409356df65f1a51cff3eb986cac8cfedc
Version: b128a30409356df65f1a51cff3eb986cac8cfedc
 Create a notification for this product.
   Linux Linux Version: 5.4
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21727",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:58:06.104597Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:27.953Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/padata.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f78170bee51469734b1a306a74fc5f777bb22ba6",
              "status": "affected",
              "version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
              "versionType": "git"
            },
            {
              "lessThan": "f3e0b9f790f8e8065d59e67b565a83154d9f3079",
              "status": "affected",
              "version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
              "versionType": "git"
            },
            {
              "lessThan": "0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccd",
              "status": "affected",
              "version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
              "versionType": "git"
            },
            {
              "lessThan": "bbccae982e9fa1d7abcb23a5ec81cb0ec883f7de",
              "status": "affected",
              "version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
              "versionType": "git"
            },
            {
              "lessThan": "573ac9c70bf7885dc85d82fa44550581bfc3b738",
              "status": "affected",
              "version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
              "versionType": "git"
            },
            {
              "lessThan": "80231f069240d52e98b6a317456c67b2eafd0781",
              "status": "affected",
              "version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
              "versionType": "git"
            },
            {
              "lessThan": "e01780ea4661172734118d2a5f41bc9720765668",
              "status": "affected",
              "version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/padata.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: fix UAF in padata_reorder\n\nA bug was found when run ltp test:\n\nBUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0\nRead of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206\n\nCPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+\nWorkqueue: pdecrypt_parallel padata_parallel_worker\nCall Trace:\n\u003cTASK\u003e\ndump_stack_lvl+0x32/0x50\nprint_address_description.constprop.0+0x6b/0x3d0\nprint_report+0xdd/0x2c0\nkasan_report+0xa5/0xd0\npadata_find_next+0x29/0x1a0\npadata_reorder+0x131/0x220\npadata_parallel_worker+0x3d/0xc0\nprocess_one_work+0x2ec/0x5a0\n\nIf \u0027mdelay(10)\u0027 is added before calling \u0027padata_find_next\u0027 in the\n\u0027padata_reorder\u0027 function, this issue could be reproduced easily with\nltp test (pcrypt_aead01).\n\nThis can be explained as bellow:\n\npcrypt_aead_encrypt\n...\npadata_do_parallel\nrefcount_inc(\u0026pd-\u003erefcnt); // add refcnt\n...\npadata_do_serial\npadata_reorder // pd\nwhile (1) {\npadata_find_next(pd, true); // using pd\nqueue_work_on\n...\npadata_serial_worker\t\t\t\tcrypto_del_alg\npadata_put_pd_cnt // sub refcnt\n\t\t\t\t\t\tpadata_free_shell\n\t\t\t\t\t\tpadata_put_pd(ps-\u003epd);\n\t\t\t\t\t\t// pd is freed\n// loop again, but pd is freed\n// call padata_find_next, UAF\n}\n\nIn the padata_reorder function, when it loops in \u0027while\u0027, if the alg is\ndeleted, the refcnt may be decreased to 0 before entering\n\u0027padata_find_next\u0027, which leads to UAF.\n\nAs mentioned in [1], do_serial is supposed to be called with BHs disabled\nand always happen under RCU protection, to address this issue, add\nsynchronize_rcu() in \u0027padata_free_shell\u0027 wait for all _do_serial calls\nto finish.\n\n[1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/\n[2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:52.256Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f78170bee51469734b1a306a74fc5f777bb22ba6"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3e0b9f790f8e8065d59e67b565a83154d9f3079"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccd"
        },
        {
          "url": "https://git.kernel.org/stable/c/bbccae982e9fa1d7abcb23a5ec81cb0ec883f7de"
        },
        {
          "url": "https://git.kernel.org/stable/c/573ac9c70bf7885dc85d82fa44550581bfc3b738"
        },
        {
          "url": "https://git.kernel.org/stable/c/80231f069240d52e98b6a317456c67b2eafd0781"
        },
        {
          "url": "https://git.kernel.org/stable/c/e01780ea4661172734118d2a5f41bc9720765668"
        }
      ],
      "title": "padata: fix UAF in padata_reorder",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21727",
    "datePublished": "2025-02-27T02:07:33.501Z",
    "dateReserved": "2024-12-29T08:45:45.754Z",
    "dateUpdated": "2025-05-04T07:19:52.256Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21727\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-02-27T02:15:16.423\",\"lastModified\":\"2025-03-24T18:58:02.740\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\npadata: fix UAF in padata_reorder\\n\\nA bug was found when run ltp test:\\n\\nBUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0\\nRead of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206\\n\\nCPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+\\nWorkqueue: pdecrypt_parallel padata_parallel_worker\\nCall Trace:\\n\u003cTASK\u003e\\ndump_stack_lvl+0x32/0x50\\nprint_address_description.constprop.0+0x6b/0x3d0\\nprint_report+0xdd/0x2c0\\nkasan_report+0xa5/0xd0\\npadata_find_next+0x29/0x1a0\\npadata_reorder+0x131/0x220\\npadata_parallel_worker+0x3d/0xc0\\nprocess_one_work+0x2ec/0x5a0\\n\\nIf \u0027mdelay(10)\u0027 is added before calling \u0027padata_find_next\u0027 in the\\n\u0027padata_reorder\u0027 function, this issue could be reproduced easily with\\nltp test (pcrypt_aead01).\\n\\nThis can be explained as bellow:\\n\\npcrypt_aead_encrypt\\n...\\npadata_do_parallel\\nrefcount_inc(\u0026pd-\u003erefcnt); // add refcnt\\n...\\npadata_do_serial\\npadata_reorder // pd\\nwhile (1) {\\npadata_find_next(pd, true); // using pd\\nqueue_work_on\\n...\\npadata_serial_worker\\t\\t\\t\\tcrypto_del_alg\\npadata_put_pd_cnt // sub refcnt\\n\\t\\t\\t\\t\\t\\tpadata_free_shell\\n\\t\\t\\t\\t\\t\\tpadata_put_pd(ps-\u003epd);\\n\\t\\t\\t\\t\\t\\t// pd is freed\\n// loop again, but pd is freed\\n// call padata_find_next, UAF\\n}\\n\\nIn the padata_reorder function, when it loops in \u0027while\u0027, if the alg is\\ndeleted, the refcnt may be decreased to 0 before entering\\n\u0027padata_find_next\u0027, which leads to UAF.\\n\\nAs mentioned in [1], do_serial is supposed to be called with BHs disabled\\nand always happen under RCU protection, to address this issue, add\\nsynchronize_rcu() in \u0027padata_free_shell\u0027 wait for all _do_serial calls\\nto finish.\\n\\n[1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/\\n[2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: padata: correcci\u00f3n de UAF en padata_reorder Se encontr\u00f3 un error al ejecutar la prueba ltp: ERROR: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206 CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+ Workqueue: pdecrypt_parallel padata_parallel_worker Call Trace:  dump_stack_lvl+0x32/0x50 print_address_description.constprop.0+0x6b/0x3d0 print_report+0xdd/0x2c0 kasan_report+0xa5/0xd0 padata_find_next+0x29/0x1a0 padata_reorder+0x131/0x220 padata_parallel_worker+0x3d/0xc0 process_one_work+0x2ec/0x5a0 If \u0027mdelay(10)\u0027 is added before calling \u0027padata_find_next\u0027 in the \u0027padata_reorder\u0027 function, this issue could be reproduced easily with ltp test (pcrypt_aead01). This can be explained as bellow: pcrypt_aead_encrypt ... padata_do_parallel refcount_inc(\u0026amp;pd-\u0026gt;refcnt); // add refcnt ... padata_do_serial padata_reorder // pd while (1) { padata_find_next(pd, true); // using pd queue_work_on ... padata_serial_worker crypto_del_alg padata_put_pd_cnt // sub refcnt padata_free_shell padata_put_pd(ps-\u0026gt;pd); // pd is freed // loop again, but pd is freed // call padata_find_next, UAF } En la funci\u00f3n padata_reorder, cuando se repite en \u0027while\u0027, si se elimina el alg, el refcnt puede disminuirse a 0 antes de ingresar a \u0027padata_find_next\u0027, lo que lleva a UAF. Como se mencion\u00f3 en [1], se supone que do_serial se debe llamar con los BH deshabilitados y siempre ocurre bajo la protecci\u00f3n de RCU, para abordar este problema, agreguesynchronous_rcu() en \u0027padata_free_shell\u0027 y espere a que finalicen todas las llamadas a _do_serial. [1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/ [2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.4\",\"versionEndExcluding\":\"5.10.235\",\"matchCriteriaId\":\"5FEF389E-870E-4BCB-A3FF-0B8042738CF0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.179\",\"matchCriteriaId\":\"C708062C-4E1B-465F-AE6D-C09C46400875\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.129\",\"matchCriteriaId\":\"2DA5009C-C9B9-4A1D-9B96-78427E8F232C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.76\",\"matchCriteriaId\":\"A6D70701-9CB6-4222-A957-00A419878993\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.13\",\"matchCriteriaId\":\"2897389C-A8C3-4D69-90F2-E701B3D66373\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.13.2\",\"matchCriteriaId\":\"6D4116B1-1BFD-4F23-BA84-169CC05FC5A3\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/573ac9c70bf7885dc85d82fa44550581bfc3b738\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/80231f069240d52e98b6a317456c67b2eafd0781\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/bbccae982e9fa1d7abcb23a5ec81cb0ec883f7de\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e01780ea4661172734118d2a5f41bc9720765668\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f3e0b9f790f8e8065d59e67b565a83154d9f3079\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f78170bee51469734b1a306a74fc5f777bb22ba6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-21727\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-27T17:58:06.104597Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-416\", \"description\": \"CWE-416 Use After Free\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-27T17:58:07.900Z\"}}], \"cna\": {\"title\": \"padata: fix UAF in padata_reorder\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"b128a30409356df65f1a51cff3eb986cac8cfedc\", \"lessThan\": \"f78170bee51469734b1a306a74fc5f777bb22ba6\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"b128a30409356df65f1a51cff3eb986cac8cfedc\", \"lessThan\": \"f3e0b9f790f8e8065d59e67b565a83154d9f3079\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"b128a30409356df65f1a51cff3eb986cac8cfedc\", \"lessThan\": \"0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccd\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"b128a30409356df65f1a51cff3eb986cac8cfedc\", \"lessThan\": \"bbccae982e9fa1d7abcb23a5ec81cb0ec883f7de\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"b128a30409356df65f1a51cff3eb986cac8cfedc\", \"lessThan\": \"573ac9c70bf7885dc85d82fa44550581bfc3b738\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"b128a30409356df65f1a51cff3eb986cac8cfedc\", \"lessThan\": \"80231f069240d52e98b6a317456c67b2eafd0781\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"b128a30409356df65f1a51cff3eb986cac8cfedc\", \"lessThan\": \"e01780ea4661172734118d2a5f41bc9720765668\", \"versionType\": \"git\"}], \"programFiles\": [\"kernel/padata.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.4\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.4\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.10.235\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.179\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.129\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.76\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.12.13\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.12.*\"}, {\"status\": \"unaffected\", \"version\": \"6.13.2\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.13.*\"}, {\"status\": \"unaffected\", \"version\": \"6.14\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"kernel/padata.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/f78170bee51469734b1a306a74fc5f777bb22ba6\"}, {\"url\": \"https://git.kernel.org/stable/c/f3e0b9f790f8e8065d59e67b565a83154d9f3079\"}, {\"url\": \"https://git.kernel.org/stable/c/0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccd\"}, {\"url\": \"https://git.kernel.org/stable/c/bbccae982e9fa1d7abcb23a5ec81cb0ec883f7de\"}, {\"url\": \"https://git.kernel.org/stable/c/573ac9c70bf7885dc85d82fa44550581bfc3b738\"}, {\"url\": \"https://git.kernel.org/stable/c/80231f069240d52e98b6a317456c67b2eafd0781\"}, {\"url\": \"https://git.kernel.org/stable/c/e01780ea4661172734118d2a5f41bc9720765668\"}], \"x_generator\": {\"engine\": \"bippy-5f407fcff5a0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npadata: fix UAF in padata_reorder\\n\\nA bug was found when run ltp test:\\n\\nBUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0\\nRead of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206\\n\\nCPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+\\nWorkqueue: pdecrypt_parallel padata_parallel_worker\\nCall Trace:\\n\u003cTASK\u003e\\ndump_stack_lvl+0x32/0x50\\nprint_address_description.constprop.0+0x6b/0x3d0\\nprint_report+0xdd/0x2c0\\nkasan_report+0xa5/0xd0\\npadata_find_next+0x29/0x1a0\\npadata_reorder+0x131/0x220\\npadata_parallel_worker+0x3d/0xc0\\nprocess_one_work+0x2ec/0x5a0\\n\\nIf \u0027mdelay(10)\u0027 is added before calling \u0027padata_find_next\u0027 in the\\n\u0027padata_reorder\u0027 function, this issue could be reproduced easily with\\nltp test (pcrypt_aead01).\\n\\nThis can be explained as bellow:\\n\\npcrypt_aead_encrypt\\n...\\npadata_do_parallel\\nrefcount_inc(\u0026pd-\u003erefcnt); // add refcnt\\n...\\npadata_do_serial\\npadata_reorder // pd\\nwhile (1) {\\npadata_find_next(pd, true); // using pd\\nqueue_work_on\\n...\\npadata_serial_worker\\t\\t\\t\\tcrypto_del_alg\\npadata_put_pd_cnt // sub refcnt\\n\\t\\t\\t\\t\\t\\tpadata_free_shell\\n\\t\\t\\t\\t\\t\\tpadata_put_pd(ps-\u003epd);\\n\\t\\t\\t\\t\\t\\t// pd is freed\\n// loop again, but pd is freed\\n// call padata_find_next, UAF\\n}\\n\\nIn the padata_reorder function, when it loops in \u0027while\u0027, if the alg is\\ndeleted, the refcnt may be decreased to 0 before entering\\n\u0027padata_find_next\u0027, which leads to UAF.\\n\\nAs mentioned in [1], do_serial is supposed to be called with BHs disabled\\nand always happen under RCU protection, to address this issue, add\\nsynchronize_rcu() in \u0027padata_free_shell\u0027 wait for all _do_serial calls\\nto finish.\\n\\n[1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/\\n[2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/\"}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-03-24T15:39:25.612Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-21727\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-24T15:39:25.612Z\", \"dateReserved\": \"2024-12-29T08:45:45.754Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2025-02-27T02:07:33.501Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.