CVE-2025-39966 (GCVE-0-2025-39966)
Vulnerability from cvelistv5
Published
2025-10-15 07:55
Modified
2025-10-15 07:55
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: iommufd: Fix race during abort for file descriptors fput() doesn't actually call file_operations release() synchronously, it puts the file on a work queue and it will be released eventually. This is normally fine, except for iommufd the file and the iommufd_object are tied to gether. The file has the object as it's private_data and holds a users refcount, while the object is expected to remain alive as long as the file is. When the allocation of a new object aborts before installing the file it will fput() the file and then go on to immediately kfree() the obj. This causes a UAF once the workqueue completes the fput() and tries to decrement the users refcount. Fix this by putting the core code in charge of the file lifetime, and call __fput_sync() during abort to ensure that release() is called before kfree. __fput_sync() is a bit too tricky to open code in all the object implementations. Instead the objects tell the core code where the file pointer is and the core will take care of the life cycle. If the object is successfully allocated then the file will hold a users refcount and the iommufd_object cannot be destroyed. It is worth noting that close(); ioctl(IOMMU_DESTROY); doesn't have an issue because close() is already using a synchronous version of fput(). The UAF looks like this: BUG: KASAN: slab-use-after-free in iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376 Write of size 4 at addr ffff888059c97804 by task syz.0.46/6164 CPU: 0 UID: 0 PID: 6164 Comm: syz.0.46 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcd/0x630 mm/kasan/report.c:482 kasan_report+0xe0/0x110 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:400 [inline] __refcount_dec include/linux/refcount.h:455 [inline] refcount_dec include/linux/refcount.h:476 [inline] iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376 __fput+0x402/0xb70 fs/file_table.c:468 task_work_run+0x14d/0x240 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] do_syscall_64+0x41c/0x4c0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/17195a7d754a5c6a31888702ca93f6f08f3383ad
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4e034bf045b12852a24d5d33f2451850818ba0c1
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e4825368285e33d6360c6c6a6a10d2d83da06e55
Impacted products
Vendor Product Version
Linux Linux Version: 07838f7fd529c8a6de44b601d4b7057e6c8d36ed
Version: 07838f7fd529c8a6de44b601d4b7057e6c8d36ed
Version: 07838f7fd529c8a6de44b601d4b7057e6c8d36ed
 Create a notification for this product.
   Linux Linux Version: 6.11
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/iommufd/eventq.c",
            "drivers/iommu/iommufd/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "17195a7d754a5c6a31888702ca93f6f08f3383ad",
              "status": "affected",
              "version": "07838f7fd529c8a6de44b601d4b7057e6c8d36ed",
              "versionType": "git"
            },
            {
              "lessThan": "e4825368285e33d6360c6c6a6a10d2d83da06e55",
              "status": "affected",
              "version": "07838f7fd529c8a6de44b601d4b7057e6c8d36ed",
              "versionType": "git"
            },
            {
              "lessThan": "4e034bf045b12852a24d5d33f2451850818ba0c1",
              "status": "affected",
              "version": "07838f7fd529c8a6de44b601d4b7057e6c8d36ed",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/iommufd/eventq.c",
            "drivers/iommu/iommufd/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.50",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.50",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.10",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix race during abort for file descriptors\n\nfput() doesn\u0027t actually call file_operations release() synchronously, it\nputs the file on a work queue and it will be released eventually.\n\nThis is normally fine, except for iommufd the file and the iommufd_object\nare tied to gether. The file has the object as it\u0027s private_data and holds\na users refcount, while the object is expected to remain alive as long as\nthe file is.\n\nWhen the allocation of a new object aborts before installing the file it\nwill fput() the file and then go on to immediately kfree() the obj. This\ncauses a UAF once the workqueue completes the fput() and tries to\ndecrement the users refcount.\n\nFix this by putting the core code in charge of the file lifetime, and call\n__fput_sync() during abort to ensure that release() is called before\nkfree. __fput_sync() is a bit too tricky to open code in all the object\nimplementations. Instead the objects tell the core code where the file\npointer is and the core will take care of the life cycle.\n\nIf the object is successfully allocated then the file will hold a users\nrefcount and the iommufd_object cannot be destroyed.\n\nIt is worth noting that close(); ioctl(IOMMU_DESTROY); doesn\u0027t have an\nissue because close() is already using a synchronous version of fput().\n\nThe UAF looks like this:\n\n    BUG: KASAN: slab-use-after-free in iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376\n    Write of size 4 at addr ffff888059c97804 by task syz.0.46/6164\n\n    CPU: 0 UID: 0 PID: 6164 Comm: syz.0.46 Not tainted syzkaller #0 PREEMPT(full)\n    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\n    Call Trace:\n     \u003cTASK\u003e\n     __dump_stack lib/dump_stack.c:94 [inline]\n     dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n     print_address_description mm/kasan/report.c:378 [inline]\n     print_report+0xcd/0x630 mm/kasan/report.c:482\n     kasan_report+0xe0/0x110 mm/kasan/report.c:595\n     check_region_inline mm/kasan/generic.c:183 [inline]\n     kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:189\n     instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\n     atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:400 [inline]\n     __refcount_dec include/linux/refcount.h:455 [inline]\n     refcount_dec include/linux/refcount.h:476 [inline]\n     iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376\n     __fput+0x402/0xb70 fs/file_table.c:468\n     task_work_run+0x14d/0x240 kernel/task_work.c:227\n     resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n     exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43\n     exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\n     syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]\n     syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]\n     do_syscall_64+0x41c/0x4c0 arch/x86/entry/syscall_64.c:100\n     entry_SYSCALL_64_after_hwframe+0x77/0x7f"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-15T07:55:50.843Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/17195a7d754a5c6a31888702ca93f6f08f3383ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/e4825368285e33d6360c6c6a6a10d2d83da06e55"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e034bf045b12852a24d5d33f2451850818ba0c1"
        }
      ],
      "title": "iommufd: Fix race during abort for file descriptors",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39966",
    "datePublished": "2025-10-15T07:55:50.843Z",
    "dateReserved": "2025-04-16T07:20:57.149Z",
    "dateUpdated": "2025-10-15T07:55:50.843Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-39966\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-10-15T08:15:34.043\",\"lastModified\":\"2025-10-16T15:29:11.563\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\niommufd: Fix race during abort for file descriptors\\n\\nfput() doesn\u0027t actually call file_operations release() synchronously, it\\nputs the file on a work queue and it will be released eventually.\\n\\nThis is normally fine, except for iommufd the file and the iommufd_object\\nare tied to gether. The file has the object as it\u0027s private_data and holds\\na users refcount, while the object is expected to remain alive as long as\\nthe file is.\\n\\nWhen the allocation of a new object aborts before installing the file it\\nwill fput() the file and then go on to immediately kfree() the obj. This\\ncauses a UAF once the workqueue completes the fput() and tries to\\ndecrement the users refcount.\\n\\nFix this by putting the core code in charge of the file lifetime, and call\\n__fput_sync() during abort to ensure that release() is called before\\nkfree. __fput_sync() is a bit too tricky to open code in all the object\\nimplementations. Instead the objects tell the core code where the file\\npointer is and the core will take care of the life cycle.\\n\\nIf the object is successfully allocated then the file will hold a users\\nrefcount and the iommufd_object cannot be destroyed.\\n\\nIt is worth noting that close(); ioctl(IOMMU_DESTROY); doesn\u0027t have an\\nissue because close() is already using a synchronous version of fput().\\n\\nThe UAF looks like this:\\n\\n    BUG: KASAN: slab-use-after-free in iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376\\n    Write of size 4 at addr ffff888059c97804 by task syz.0.46/6164\\n\\n    CPU: 0 UID: 0 PID: 6164 Comm: syz.0.46 Not tainted syzkaller #0 PREEMPT(full)\\n    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\\n    Call Trace:\\n     \u003cTASK\u003e\\n     __dump_stack lib/dump_stack.c:94 [inline]\\n     dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\\n     print_address_description mm/kasan/report.c:378 [inline]\\n     print_report+0xcd/0x630 mm/kasan/report.c:482\\n     kasan_report+0xe0/0x110 mm/kasan/report.c:595\\n     check_region_inline mm/kasan/generic.c:183 [inline]\\n     kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:189\\n     instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\\n     atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:400 [inline]\\n     __refcount_dec include/linux/refcount.h:455 [inline]\\n     refcount_dec include/linux/refcount.h:476 [inline]\\n     iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376\\n     __fput+0x402/0xb70 fs/file_table.c:468\\n     task_work_run+0x14d/0x240 kernel/task_work.c:227\\n     resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\\n     exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43\\n     exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\\n     syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]\\n     syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]\\n     do_syscall_64+0x41c/0x4c0 arch/x86/entry/syscall_64.c:100\\n     entry_SYSCALL_64_after_hwframe+0x77/0x7f\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/17195a7d754a5c6a31888702ca93f6f08f3383ad\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4e034bf045b12852a24d5d33f2451850818ba0c1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e4825368285e33d6360c6c6a6a10d2d83da06e55\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.