CVE-2025-21729 (GCVE-0-2025-21729)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-05-04 07:19
Summary
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion The rtwdev->scanning flag isn't protected by mutex originally, so cancel_hw_scan can pass the condition, but suddenly hw_scan completion unset the flag and calls ieee80211_scan_completed() that will free local->hw_scan_req. Then, cancel_hw_scan raises null-ptr-deref and use-after-free. Fix it by moving the check condition to where protected by mutex. KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f] CPU: 2 PID: 6922 Comm: kworker/2:2 Tainted: G OE Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB6WW (2.76 ) 09/10/2019 Workqueue: events cfg80211_conn_work [cfg80211] RIP: 0010:rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core] Code: 00 45 89 6c 24 1c 0f 85 23 01 00 00 48 8b 85 20 ff ff ff 48 8d RSP: 0018:ffff88811fd9f068 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: ffff88811fd9f258 RCX: 0000000000000001 RDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000089 RBP: ffff88811fd9f170 R08: 0000000000000000 R09: 0000000000000000 R10: ffff88811fd9f108 R11: 0000000000000000 R12: ffff88810e47f960 R13: 0000000000000000 R14: 000000000000ffff R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8881d6f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007531dfca55b0 CR3: 00000001be296004 CR4: 00000000001706e0 Call Trace: <TASK> ? show_regs+0x61/0x73 ? __die_body+0x20/0x73 ? die_addr+0x4f/0x7b ? exc_general_protection+0x191/0x1db ? asm_exc_general_protection+0x27/0x30 ? rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core] ? rtw89_fw_h2c_scan_offload_be+0x458/0x13c3 [rtw89_core] ? __pfx_rtw89_fw_h2c_scan_offload_be+0x10/0x10 [rtw89_core] ? do_raw_spin_lock+0x75/0xdb ? __pfx_do_raw_spin_lock+0x10/0x10 rtw89_hw_scan_offload+0xb5e/0xbf7 [rtw89_core] ? _raw_spin_unlock+0xe/0x24 ? __mutex_lock.constprop.0+0x40c/0x471 ? __pfx_rtw89_hw_scan_offload+0x10/0x10 [rtw89_core] ? __mutex_lock_slowpath+0x13/0x1f ? mutex_lock+0xa2/0xdc ? __pfx_mutex_lock+0x10/0x10 rtw89_hw_scan_abort+0x58/0xb7 [rtw89_core] rtw89_ops_cancel_hw_scan+0x120/0x13b [rtw89_core] ieee80211_scan_cancel+0x468/0x4d0 [mac80211] ieee80211_prep_connection+0x858/0x899 [mac80211] ieee80211_mgd_auth+0xbea/0xdde [mac80211] ? __pfx_ieee80211_mgd_auth+0x10/0x10 [mac80211] ? cfg80211_find_elem+0x15/0x29 [cfg80211] ? is_bss+0x1b7/0x1d7 [cfg80211] ieee80211_auth+0x18/0x27 [mac80211] cfg80211_mlme_auth+0x3bb/0x3e7 [cfg80211] cfg80211_conn_do_work+0x410/0xb81 [cfg80211] ? __pfx_cfg80211_conn_do_work+0x10/0x10 [cfg80211] ? __kasan_check_read+0x11/0x1f ? psi_group_change+0x8bc/0x944 ? __kasan_check_write+0x14/0x22 ? mutex_lock+0x8e/0xdc ? __pfx_mutex_lock+0x10/0x10 ? __pfx___radix_tree_lookup+0x10/0x10 cfg80211_conn_work+0x245/0x34d [cfg80211] ? __pfx_cfg80211_conn_work+0x10/0x10 [cfg80211] ? update_cfs_rq_load_avg+0x3bc/0x3d7 ? sched_clock_noinstr+0x9/0x1a ? sched_clock+0x10/0x24 ? sched_clock_cpu+0x7e/0x42e ? newidle_balance+0x796/0x937 ? __pfx_sched_clock_cpu+0x10/0x10 ? __pfx_newidle_balance+0x10/0x10 ? __kasan_check_read+0x11/0x1f ? psi_group_change+0x8bc/0x944 ? _raw_spin_unlock+0xe/0x24 ? raw_spin_rq_unlock+0x47/0x54 ? raw_spin_rq_unlock_irq+0x9/0x1f ? finish_task_switch.isra.0+0x347/0x586 ? __schedule+0x27bf/0x2892 ? mutex_unlock+0x80/0xd0 ? do_raw_spin_lock+0x75/0xdb ? __pfx___schedule+0x10/0x10 process_scheduled_works+0x58c/0x821 worker_thread+0x4c7/0x586 ? __kasan_check_read+0x11/0x1f kthread+0x285/0x294 ? __pfx_worker_thread+0x10/0x10 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x29/0x6f ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK>
Impacted products
Vendor Product Version
Linux Linux Version: 895907779752606f6a4795abfc008509f8e38314
Version: 895907779752606f6a4795abfc008509f8e38314
Version: 895907779752606f6a4795abfc008509f8e38314
Create a notification for this product.
   Linux Linux Version: 5.18
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21729",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T18:14:34.158732Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:22:29.958Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtw89/mac80211.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2403cb3c235d5e339b580cc3a825493769fadca8",
              "status": "affected",
              "version": "895907779752606f6a4795abfc008509f8e38314",
              "versionType": "git"
            },
            {
              "lessThan": "5afcd6fcd1e1c1fd6bcc9a360c121d10eddade67",
              "status": "affected",
              "version": "895907779752606f6a4795abfc008509f8e38314",
              "versionType": "git"
            },
            {
              "lessThan": "ba4bb0402c60e945c4c396c51f0acac3c3e3ea5c",
              "status": "affected",
              "version": "895907779752606f6a4795abfc008509f8e38314",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtw89/mac80211.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fix race between cancel_hw_scan and hw_scan completion\n\nThe rtwdev-\u003escanning flag isn\u0027t protected by mutex originally, so\ncancel_hw_scan can pass the condition, but suddenly hw_scan completion\nunset the flag and calls ieee80211_scan_completed() that will free\nlocal-\u003ehw_scan_req. Then, cancel_hw_scan raises null-ptr-deref and\nuse-after-free. Fix it by moving the check condition to where\nprotected by mutex.\n\n KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]\n CPU: 2 PID: 6922 Comm: kworker/2:2 Tainted: G           OE\n Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB6WW (2.76 ) 09/10/2019\n Workqueue: events cfg80211_conn_work [cfg80211]\n RIP: 0010:rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]\n Code: 00 45 89 6c 24 1c 0f 85 23 01 00 00 48 8b 85 20 ff ff ff 48 8d\n RSP: 0018:ffff88811fd9f068 EFLAGS: 00010206\n RAX: dffffc0000000000 RBX: ffff88811fd9f258 RCX: 0000000000000001\n RDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000089\n RBP: ffff88811fd9f170 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff88811fd9f108 R11: 0000000000000000 R12: ffff88810e47f960\n R13: 0000000000000000 R14: 000000000000ffff R15: 0000000000000000\n FS:  0000000000000000(0000) GS:ffff8881d6f00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007531dfca55b0 CR3: 00000001be296004 CR4: 00000000001706e0\n Call Trace:\n  \u003cTASK\u003e\n  ? show_regs+0x61/0x73\n  ? __die_body+0x20/0x73\n  ? die_addr+0x4f/0x7b\n  ? exc_general_protection+0x191/0x1db\n  ? asm_exc_general_protection+0x27/0x30\n  ? rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]\n  ? rtw89_fw_h2c_scan_offload_be+0x458/0x13c3 [rtw89_core]\n  ? __pfx_rtw89_fw_h2c_scan_offload_be+0x10/0x10 [rtw89_core]\n  ? do_raw_spin_lock+0x75/0xdb\n  ? __pfx_do_raw_spin_lock+0x10/0x10\n  rtw89_hw_scan_offload+0xb5e/0xbf7 [rtw89_core]\n  ? _raw_spin_unlock+0xe/0x24\n  ? __mutex_lock.constprop.0+0x40c/0x471\n  ? __pfx_rtw89_hw_scan_offload+0x10/0x10 [rtw89_core]\n  ? __mutex_lock_slowpath+0x13/0x1f\n  ? mutex_lock+0xa2/0xdc\n  ? __pfx_mutex_lock+0x10/0x10\n  rtw89_hw_scan_abort+0x58/0xb7 [rtw89_core]\n  rtw89_ops_cancel_hw_scan+0x120/0x13b [rtw89_core]\n  ieee80211_scan_cancel+0x468/0x4d0 [mac80211]\n  ieee80211_prep_connection+0x858/0x899 [mac80211]\n  ieee80211_mgd_auth+0xbea/0xdde [mac80211]\n  ? __pfx_ieee80211_mgd_auth+0x10/0x10 [mac80211]\n  ? cfg80211_find_elem+0x15/0x29 [cfg80211]\n  ? is_bss+0x1b7/0x1d7 [cfg80211]\n  ieee80211_auth+0x18/0x27 [mac80211]\n  cfg80211_mlme_auth+0x3bb/0x3e7 [cfg80211]\n  cfg80211_conn_do_work+0x410/0xb81 [cfg80211]\n  ? __pfx_cfg80211_conn_do_work+0x10/0x10 [cfg80211]\n  ? __kasan_check_read+0x11/0x1f\n  ? psi_group_change+0x8bc/0x944\n  ? __kasan_check_write+0x14/0x22\n  ? mutex_lock+0x8e/0xdc\n  ? __pfx_mutex_lock+0x10/0x10\n  ? __pfx___radix_tree_lookup+0x10/0x10\n  cfg80211_conn_work+0x245/0x34d [cfg80211]\n  ? __pfx_cfg80211_conn_work+0x10/0x10 [cfg80211]\n  ? update_cfs_rq_load_avg+0x3bc/0x3d7\n  ? sched_clock_noinstr+0x9/0x1a\n  ? sched_clock+0x10/0x24\n  ? sched_clock_cpu+0x7e/0x42e\n  ? newidle_balance+0x796/0x937\n  ? __pfx_sched_clock_cpu+0x10/0x10\n  ? __pfx_newidle_balance+0x10/0x10\n  ? __kasan_check_read+0x11/0x1f\n  ? psi_group_change+0x8bc/0x944\n  ? _raw_spin_unlock+0xe/0x24\n  ? raw_spin_rq_unlock+0x47/0x54\n  ? raw_spin_rq_unlock_irq+0x9/0x1f\n  ? finish_task_switch.isra.0+0x347/0x586\n  ? __schedule+0x27bf/0x2892\n  ? mutex_unlock+0x80/0xd0\n  ? do_raw_spin_lock+0x75/0xdb\n  ? __pfx___schedule+0x10/0x10\n  process_scheduled_works+0x58c/0x821\n  worker_thread+0x4c7/0x586\n  ? __kasan_check_read+0x11/0x1f\n  kthread+0x285/0x294\n  ? __pfx_worker_thread+0x10/0x10\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x29/0x6f\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork_asm+0x1b/0x30\n  \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:54.470Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2403cb3c235d5e339b580cc3a825493769fadca8"
        },
        {
          "url": "https://git.kernel.org/stable/c/5afcd6fcd1e1c1fd6bcc9a360c121d10eddade67"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba4bb0402c60e945c4c396c51f0acac3c3e3ea5c"
        }
      ],
      "title": "wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21729",
    "datePublished": "2025-02-27T02:07:34.711Z",
    "dateReserved": "2024-12-29T08:45:45.755Z",
    "dateUpdated": "2025-05-04T07:19:54.470Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21729\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-02-27T02:15:16.637\",\"lastModified\":\"2025-03-24T18:57:27.730\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: rtw89: fix race between cancel_hw_scan and hw_scan completion\\n\\nThe rtwdev-\u003escanning flag isn\u0027t protected by mutex originally, so\\ncancel_hw_scan can pass the condition, but suddenly hw_scan completion\\nunset the flag and calls ieee80211_scan_completed() that will free\\nlocal-\u003ehw_scan_req. Then, cancel_hw_scan raises null-ptr-deref and\\nuse-after-free. Fix it by moving the check condition to where\\nprotected by mutex.\\n\\n KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]\\n CPU: 2 PID: 6922 Comm: kworker/2:2 Tainted: G           OE\\n Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB6WW (2.76 ) 09/10/2019\\n Workqueue: events cfg80211_conn_work [cfg80211]\\n RIP: 0010:rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]\\n Code: 00 45 89 6c 24 1c 0f 85 23 01 00 00 48 8b 85 20 ff ff ff 48 8d\\n RSP: 0018:ffff88811fd9f068 EFLAGS: 00010206\\n RAX: dffffc0000000000 RBX: ffff88811fd9f258 RCX: 0000000000000001\\n RDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000089\\n RBP: ffff88811fd9f170 R08: 0000000000000000 R09: 0000000000000000\\n R10: ffff88811fd9f108 R11: 0000000000000000 R12: ffff88810e47f960\\n R13: 0000000000000000 R14: 000000000000ffff R15: 0000000000000000\\n FS:  0000000000000000(0000) GS:ffff8881d6f00000(0000) knlGS:0000000000000000\\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 00007531dfca55b0 CR3: 00000001be296004 CR4: 00000000001706e0\\n Call Trace:\\n  \u003cTASK\u003e\\n  ? show_regs+0x61/0x73\\n  ? __die_body+0x20/0x73\\n  ? die_addr+0x4f/0x7b\\n  ? exc_general_protection+0x191/0x1db\\n  ? asm_exc_general_protection+0x27/0x30\\n  ? rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]\\n  ? rtw89_fw_h2c_scan_offload_be+0x458/0x13c3 [rtw89_core]\\n  ? __pfx_rtw89_fw_h2c_scan_offload_be+0x10/0x10 [rtw89_core]\\n  ? do_raw_spin_lock+0x75/0xdb\\n  ? __pfx_do_raw_spin_lock+0x10/0x10\\n  rtw89_hw_scan_offload+0xb5e/0xbf7 [rtw89_core]\\n  ? _raw_spin_unlock+0xe/0x24\\n  ? __mutex_lock.constprop.0+0x40c/0x471\\n  ? __pfx_rtw89_hw_scan_offload+0x10/0x10 [rtw89_core]\\n  ? __mutex_lock_slowpath+0x13/0x1f\\n  ? mutex_lock+0xa2/0xdc\\n  ? __pfx_mutex_lock+0x10/0x10\\n  rtw89_hw_scan_abort+0x58/0xb7 [rtw89_core]\\n  rtw89_ops_cancel_hw_scan+0x120/0x13b [rtw89_core]\\n  ieee80211_scan_cancel+0x468/0x4d0 [mac80211]\\n  ieee80211_prep_connection+0x858/0x899 [mac80211]\\n  ieee80211_mgd_auth+0xbea/0xdde [mac80211]\\n  ? __pfx_ieee80211_mgd_auth+0x10/0x10 [mac80211]\\n  ? cfg80211_find_elem+0x15/0x29 [cfg80211]\\n  ? is_bss+0x1b7/0x1d7 [cfg80211]\\n  ieee80211_auth+0x18/0x27 [mac80211]\\n  cfg80211_mlme_auth+0x3bb/0x3e7 [cfg80211]\\n  cfg80211_conn_do_work+0x410/0xb81 [cfg80211]\\n  ? __pfx_cfg80211_conn_do_work+0x10/0x10 [cfg80211]\\n  ? __kasan_check_read+0x11/0x1f\\n  ? psi_group_change+0x8bc/0x944\\n  ? __kasan_check_write+0x14/0x22\\n  ? mutex_lock+0x8e/0xdc\\n  ? __pfx_mutex_lock+0x10/0x10\\n  ? __pfx___radix_tree_lookup+0x10/0x10\\n  cfg80211_conn_work+0x245/0x34d [cfg80211]\\n  ? __pfx_cfg80211_conn_work+0x10/0x10 [cfg80211]\\n  ? update_cfs_rq_load_avg+0x3bc/0x3d7\\n  ? sched_clock_noinstr+0x9/0x1a\\n  ? sched_clock+0x10/0x24\\n  ? sched_clock_cpu+0x7e/0x42e\\n  ? newidle_balance+0x796/0x937\\n  ? __pfx_sched_clock_cpu+0x10/0x10\\n  ? __pfx_newidle_balance+0x10/0x10\\n  ? __kasan_check_read+0x11/0x1f\\n  ? psi_group_change+0x8bc/0x944\\n  ? _raw_spin_unlock+0xe/0x24\\n  ? raw_spin_rq_unlock+0x47/0x54\\n  ? raw_spin_rq_unlock_irq+0x9/0x1f\\n  ? finish_task_switch.isra.0+0x347/0x586\\n  ? __schedule+0x27bf/0x2892\\n  ? mutex_unlock+0x80/0xd0\\n  ? do_raw_spin_lock+0x75/0xdb\\n  ? __pfx___schedule+0x10/0x10\\n  process_scheduled_works+0x58c/0x821\\n  worker_thread+0x4c7/0x586\\n  ? __kasan_check_read+0x11/0x1f\\n  kthread+0x285/0x294\\n  ? __pfx_worker_thread+0x10/0x10\\n  ? __pfx_kthread+0x10/0x10\\n  ret_from_fork+0x29/0x6f\\n  ? __pfx_kthread+0x10/0x10\\n  ret_from_fork_asm+0x1b/0x30\\n  \u003c/TASK\u003e\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: rtw89: se corrige la ejecuci\u00f3n entre cancel_hw_scan y la finalizaci\u00f3n de hw_scan El indicador rtwdev-\u0026gt;scanning no est\u00e1 protegido por mutex originalmente, por lo que cancel_hw_scan puede pasar la condici\u00f3n, pero de repente la finalizaci\u00f3n de hw_scan desconfigura el indicador y llama a ieee80211_scan_completed() que liberar\u00e1 local-\u0026gt;hw_scan_req. Luego, cancel_hw_scan lanza null-ptr-deref y use-after-free. Arr\u00e9glelo moviendo la condici\u00f3n de verificaci\u00f3n a donde est\u00e9 protegida por mutex. KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f] CPU: 2 PID: 6922 Comm: kworker/2:2 Tainted: G OE Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB6WW (2.76 ) 09/10/2019 Workqueue: events cfg80211_conn_work [cfg80211] RIP: 0010:rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core] Code: 00 45 89 6c 24 1c 0f 85 23 01 00 00 48 8b 85 20 ff ff ff 48 8d RSP: 0018:ffff88811fd9f068 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: ffff88811fd9f258 RCX: 0000000000000001 RDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000089 RBP: ffff88811fd9f170 R08: 0000000000000000 R09: 0000000000000000 R10: ffff88811fd9f108 R11: 0000000000000000 R12: ffff88810e47f960 R13: 0000000000000000 R14: 000000000000ffff R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8881d6f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007531dfca55b0 CR3: 00000001be296004 CR4: 00000000001706e0 Call Trace:  ? show_regs+0x61/0x73 ? __die_body+0x20/0x73 ? die_addr+0x4f/0x7b ? exc_general_protection+0x191/0x1db ? asm_exc_general_protection+0x27/0x30 ? rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core] ? rtw89_fw_h2c_scan_offload_be+0x458/0x13c3 [rtw89_core] ? __pfx_rtw89_fw_h2c_scan_offload_be+0x10/0x10 [rtw89_core] ? do_raw_spin_lock+0x75/0xdb ? __pfx_do_raw_spin_lock+0x10/0x10 rtw89_hw_scan_offload+0xb5e/0xbf7 [rtw89_core] ? _raw_spin_unlock+0xe/0x24 ? __mutex_lock.constprop.0+0x40c/0x471 ? __pfx_rtw89_hw_scan_offload+0x10/0x10 [rtw89_core] ? __mutex_lock_slowpath+0x13/0x1f ? mutex_lock+0xa2/0xdc ? __pfx_mutex_lock+0x10/0x10 rtw89_hw_scan_abort+0x58/0xb7 [rtw89_core] rtw89_ops_cancel_hw_scan+0x120/0x13b [rtw89_core] ieee80211_scan_cancel+0x468/0x4d0 [mac80211] ieee80211_prep_connection+0x858/0x899 [mac80211] ieee80211_mgd_auth+0xbea/0xdde [mac80211] ? __pfx_ieee80211_mgd_auth+0x10/0x10 [mac80211] ? cfg80211_find_elem+0x15/0x29 [cfg80211] ? is_bss+0x1b7/0x1d7 [cfg80211] ieee80211_auth+0x18/0x27 [mac80211] cfg80211_mlme_auth+0x3bb/0x3e7 [cfg80211] cfg80211_conn_do_work+0x410/0xb81 [cfg80211] ? __pfx_cfg80211_conn_do_work+0x10/0x10 [cfg80211] ? __kasan_check_read+0x11/0x1f ? psi_group_change+0x8bc/0x944 ? __kasan_check_write+0x14/0x22 ? mutex_lock+0x8e/0xdc ? __pfx_mutex_lock+0x10/0x10 ? __pfx___radix_tree_lookup+0x10/0x10 cfg80211_conn_work+0x245/0x34d [cfg80211] ? __pfx_cfg80211_conn_work+0x10/0x10 [cfg80211] ? update_cfs_rq_load_avg+0x3bc/0x3d7 ? sched_clock_noinstr+0x9/0x1a ? sched_clock+0x10/0x24 ? sched_clock_cpu+0x7e/0x42e ? newidle_balance+0x796/0x937 ? __pfx_sched_clock_cpu+0x10/0x10 ? __pfx_newidle_balance+0x10/0x10 ? __kasan_check_read+0x11/0x1f ? psi_group_change+0x8bc/0x944 ? _raw_spin_unlock+0xe/0x24 ? raw_spin_rq_unlock+0x47/0x54 ? raw_spin_rq_unlock_irq+0x9/0x1f ? finish_task_switch.isra.0+0x347/0x586 ? __schedule+0x27bf/0x2892 ? mutex_unlock+0x80/0xd0 ? do_raw_spin_lock+0x75/0xdb ? __pfx___schedule+0x10/0x10 process_scheduled_works+0x58c/0x821 worker_thread+0x4c7/0x586 ? __kasan_check_read+0x11/0x1f kthread+0x285/0x294 ? __pfx_worker_thread+0x10/0x10 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x29/0x6f ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30  \"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.18\",\"versionEndExcluding\":\"6.12.13\",\"matchCriteriaId\":\"C8059611-D9EB-48F5-BBD4-DBA24A7972A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.13.2\",\"matchCriteriaId\":\"6D4116B1-1BFD-4F23-BA84-169CC05FC5A3\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2403cb3c235d5e339b580cc3a825493769fadca8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5afcd6fcd1e1c1fd6bcc9a360c121d10eddade67\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ba4bb0402c60e945c4c396c51f0acac3c3e3ea5c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-21729\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-27T18:14:34.158732Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-416\", \"description\": \"CWE-416 Use After Free\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-27T18:14:35.363Z\"}}], \"cna\": {\"title\": \"wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"895907779752606f6a4795abfc008509f8e38314\", \"lessThan\": \"2403cb3c235d5e339b580cc3a825493769fadca8\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"895907779752606f6a4795abfc008509f8e38314\", \"lessThan\": \"5afcd6fcd1e1c1fd6bcc9a360c121d10eddade67\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"895907779752606f6a4795abfc008509f8e38314\", \"lessThan\": \"ba4bb0402c60e945c4c396c51f0acac3c3e3ea5c\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/net/wireless/realtek/rtw89/mac80211.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.18\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.18\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.12.13\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.12.*\"}, {\"status\": \"unaffected\", \"version\": \"6.13.2\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.13.*\"}, {\"status\": \"unaffected\", \"version\": \"6.14\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/net/wireless/realtek/rtw89/mac80211.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/2403cb3c235d5e339b580cc3a825493769fadca8\"}, {\"url\": \"https://git.kernel.org/stable/c/5afcd6fcd1e1c1fd6bcc9a360c121d10eddade67\"}, {\"url\": \"https://git.kernel.org/stable/c/ba4bb0402c60e945c4c396c51f0acac3c3e3ea5c\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: rtw89: fix race between cancel_hw_scan and hw_scan completion\\n\\nThe rtwdev-\u003escanning flag isn\u0027t protected by mutex originally, so\\ncancel_hw_scan can pass the condition, but suddenly hw_scan completion\\nunset the flag and calls ieee80211_scan_completed() that will free\\nlocal-\u003ehw_scan_req. Then, cancel_hw_scan raises null-ptr-deref and\\nuse-after-free. Fix it by moving the check condition to where\\nprotected by mutex.\\n\\n KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]\\n CPU: 2 PID: 6922 Comm: kworker/2:2 Tainted: G           OE\\n Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB6WW (2.76 ) 09/10/2019\\n Workqueue: events cfg80211_conn_work [cfg80211]\\n RIP: 0010:rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]\\n Code: 00 45 89 6c 24 1c 0f 85 23 01 00 00 48 8b 85 20 ff ff ff 48 8d\\n RSP: 0018:ffff88811fd9f068 EFLAGS: 00010206\\n RAX: dffffc0000000000 RBX: ffff88811fd9f258 RCX: 0000000000000001\\n RDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000089\\n RBP: ffff88811fd9f170 R08: 0000000000000000 R09: 0000000000000000\\n R10: ffff88811fd9f108 R11: 0000000000000000 R12: ffff88810e47f960\\n R13: 0000000000000000 R14: 000000000000ffff R15: 0000000000000000\\n FS:  0000000000000000(0000) GS:ffff8881d6f00000(0000) knlGS:0000000000000000\\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 00007531dfca55b0 CR3: 00000001be296004 CR4: 00000000001706e0\\n Call Trace:\\n  \u003cTASK\u003e\\n  ? show_regs+0x61/0x73\\n  ? __die_body+0x20/0x73\\n  ? die_addr+0x4f/0x7b\\n  ? exc_general_protection+0x191/0x1db\\n  ? asm_exc_general_protection+0x27/0x30\\n  ? rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]\\n  ? rtw89_fw_h2c_scan_offload_be+0x458/0x13c3 [rtw89_core]\\n  ? __pfx_rtw89_fw_h2c_scan_offload_be+0x10/0x10 [rtw89_core]\\n  ? do_raw_spin_lock+0x75/0xdb\\n  ? __pfx_do_raw_spin_lock+0x10/0x10\\n  rtw89_hw_scan_offload+0xb5e/0xbf7 [rtw89_core]\\n  ? _raw_spin_unlock+0xe/0x24\\n  ? __mutex_lock.constprop.0+0x40c/0x471\\n  ? __pfx_rtw89_hw_scan_offload+0x10/0x10 [rtw89_core]\\n  ? __mutex_lock_slowpath+0x13/0x1f\\n  ? mutex_lock+0xa2/0xdc\\n  ? __pfx_mutex_lock+0x10/0x10\\n  rtw89_hw_scan_abort+0x58/0xb7 [rtw89_core]\\n  rtw89_ops_cancel_hw_scan+0x120/0x13b [rtw89_core]\\n  ieee80211_scan_cancel+0x468/0x4d0 [mac80211]\\n  ieee80211_prep_connection+0x858/0x899 [mac80211]\\n  ieee80211_mgd_auth+0xbea/0xdde [mac80211]\\n  ? __pfx_ieee80211_mgd_auth+0x10/0x10 [mac80211]\\n  ? cfg80211_find_elem+0x15/0x29 [cfg80211]\\n  ? is_bss+0x1b7/0x1d7 [cfg80211]\\n  ieee80211_auth+0x18/0x27 [mac80211]\\n  cfg80211_mlme_auth+0x3bb/0x3e7 [cfg80211]\\n  cfg80211_conn_do_work+0x410/0xb81 [cfg80211]\\n  ? __pfx_cfg80211_conn_do_work+0x10/0x10 [cfg80211]\\n  ? __kasan_check_read+0x11/0x1f\\n  ? psi_group_change+0x8bc/0x944\\n  ? __kasan_check_write+0x14/0x22\\n  ? mutex_lock+0x8e/0xdc\\n  ? __pfx_mutex_lock+0x10/0x10\\n  ? __pfx___radix_tree_lookup+0x10/0x10\\n  cfg80211_conn_work+0x245/0x34d [cfg80211]\\n  ? __pfx_cfg80211_conn_work+0x10/0x10 [cfg80211]\\n  ? update_cfs_rq_load_avg+0x3bc/0x3d7\\n  ? sched_clock_noinstr+0x9/0x1a\\n  ? sched_clock+0x10/0x24\\n  ? sched_clock_cpu+0x7e/0x42e\\n  ? newidle_balance+0x796/0x937\\n  ? __pfx_sched_clock_cpu+0x10/0x10\\n  ? __pfx_newidle_balance+0x10/0x10\\n  ? __kasan_check_read+0x11/0x1f\\n  ? psi_group_change+0x8bc/0x944\\n  ? _raw_spin_unlock+0xe/0x24\\n  ? raw_spin_rq_unlock+0x47/0x54\\n  ? raw_spin_rq_unlock_irq+0x9/0x1f\\n  ? finish_task_switch.isra.0+0x347/0x586\\n  ? __schedule+0x27bf/0x2892\\n  ? mutex_unlock+0x80/0xd0\\n  ? do_raw_spin_lock+0x75/0xdb\\n  ? __pfx___schedule+0x10/0x10\\n  process_scheduled_works+0x58c/0x821\\n  worker_thread+0x4c7/0x586\\n  ? __kasan_check_read+0x11/0x1f\\n  kthread+0x285/0x294\\n  ? __pfx_worker_thread+0x10/0x10\\n  ? __pfx_kthread+0x10/0x10\\n  ret_from_fork+0x29/0x6f\\n  ? __pfx_kthread+0x10/0x10\\n  ret_from_fork_asm+0x1b/0x30\\n  \u003c/TASK\u003e\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.12.13\", \"versionStartIncluding\": \"5.18\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.13.2\", \"versionStartIncluding\": \"5.18\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.14\", \"versionStartIncluding\": \"5.18\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T07:19:54.470Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-21729\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-04T07:19:54.470Z\", \"dateReserved\": \"2024-12-29T08:45:45.755Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2025-02-27T02:07:34.711Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…