CVE-2025-68299 (GCVE-0-2025-68299)
Vulnerability from cvelistv5
Published
2025-12-16 15:06
Modified
2025-12-16 15:06
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: afs: Fix delayed allocation of a cell's anonymous key The allocation of a cell's anonymous key is done in a background thread along with other cell setup such as doing a DNS upcall. In the reported bug, this is triggered by afs_parse_source() parsing the device name given to mount() and calling afs_lookup_cell() with the name of the cell. The normal key lookup then tries to use the key description on the anonymous authentication key as the reference for request_key() - but it may not yet be set and so an oops can happen. This has been made more likely to happen by the fix for dynamic lookup failure. Fix this by firstly allocating a reference name and attaching it to the afs_cell record when the record is created. It can share the memory allocation with the cell name (unfortunately it can't just overlap the cell name by prepending it with "afs@" as the cell name already has a '.' prepended for other purposes). This reference name is then passed to request_key(). Secondly, the anon key is now allocated on demand at the point a key is requested in afs_request_key() if it is not already allocated. A mutex is used to prevent multiple allocation for a cell. Thirdly, make afs_request_key_rcu() return NULL if the anonymous key isn't yet allocated (if we need it) and then the caller can return -ECHILD to drop out of RCU-mode and afs_request_key() can be called. Note that the anonymous key is kind of necessary to make the key lookup cache work as that doesn't currently cache a negative lookup, but it's probably worth some investigation to see if NULL can be used instead.
References
Impacted products
Vendor Product Version
Linux Linux Version: 7e33b15d5a6578a99ebf189cea34983270ae92dd
Version: 330e2c514823008b22e6afd2055715bc46dd8d55
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/afs/cell.c",
            "fs/afs/internal.h",
            "fs/afs/security.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5613bde937dfac6725e9c3fc766b9d6b8481e55b",
              "status": "affected",
              "version": "7e33b15d5a6578a99ebf189cea34983270ae92dd",
              "versionType": "git"
            },
            {
              "lessThan": "d27c71257825dced46104eefe42e4d9964bd032e",
              "status": "affected",
              "version": "330e2c514823008b22e6afd2055715bc46dd8d55",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/afs/cell.c",
            "fs/afs/internal.h",
            "fs/afs/security.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6.17.11",
              "status": "affected",
              "version": "6.17.9",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "6.17.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix delayed allocation of a cell\u0027s anonymous key\n\nThe allocation of a cell\u0027s anonymous key is done in a background thread\nalong with other cell setup such as doing a DNS upcall.  In the reported\nbug, this is triggered by afs_parse_source() parsing the device name given\nto mount() and calling afs_lookup_cell() with the name of the cell.\n\nThe normal key lookup then tries to use the key description on the\nanonymous authentication key as the reference for request_key() - but it\nmay not yet be set and so an oops can happen.\n\nThis has been made more likely to happen by the fix for dynamic lookup\nfailure.\n\nFix this by firstly allocating a reference name and attaching it to the\nafs_cell record when the record is created.  It can share the memory\nallocation with the cell name (unfortunately it can\u0027t just overlap the cell\nname by prepending it with \"afs@\" as the cell name already has a \u0027.\u0027\nprepended for other purposes).  This reference name is then passed to\nrequest_key().\n\nSecondly, the anon key is now allocated on demand at the point a key is\nrequested in afs_request_key() if it is not already allocated.  A mutex is\nused to prevent multiple allocation for a cell.\n\nThirdly, make afs_request_key_rcu() return NULL if the anonymous key isn\u0027t\nyet allocated (if we need it) and then the caller can return -ECHILD to\ndrop out of RCU-mode and afs_request_key() can be called.\n\nNote that the anonymous key is kind of necessary to make the key lookup\ncache work as that doesn\u0027t currently cache a negative lookup, but it\u0027s\nprobably worth some investigation to see if NULL can be used instead."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T15:06:18.246Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5613bde937dfac6725e9c3fc766b9d6b8481e55b"
        },
        {
          "url": "https://git.kernel.org/stable/c/d27c71257825dced46104eefe42e4d9964bd032e"
        }
      ],
      "title": "afs: Fix delayed allocation of a cell\u0027s anonymous key",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68299",
    "datePublished": "2025-12-16T15:06:18.246Z",
    "dateReserved": "2025-12-16T14:48:05.293Z",
    "dateUpdated": "2025-12-16T15:06:18.246Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-68299\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-16T16:16:09.400\",\"lastModified\":\"2025-12-18T15:08:06.237\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nafs: Fix delayed allocation of a cell\u0027s anonymous key\\n\\nThe allocation of a cell\u0027s anonymous key is done in a background thread\\nalong with other cell setup such as doing a DNS upcall.  In the reported\\nbug, this is triggered by afs_parse_source() parsing the device name given\\nto mount() and calling afs_lookup_cell() with the name of the cell.\\n\\nThe normal key lookup then tries to use the key description on the\\nanonymous authentication key as the reference for request_key() - but it\\nmay not yet be set and so an oops can happen.\\n\\nThis has been made more likely to happen by the fix for dynamic lookup\\nfailure.\\n\\nFix this by firstly allocating a reference name and attaching it to the\\nafs_cell record when the record is created.  It can share the memory\\nallocation with the cell name (unfortunately it can\u0027t just overlap the cell\\nname by prepending it with \\\"afs@\\\" as the cell name already has a \u0027.\u0027\\nprepended for other purposes).  This reference name is then passed to\\nrequest_key().\\n\\nSecondly, the anon key is now allocated on demand at the point a key is\\nrequested in afs_request_key() if it is not already allocated.  A mutex is\\nused to prevent multiple allocation for a cell.\\n\\nThirdly, make afs_request_key_rcu() return NULL if the anonymous key isn\u0027t\\nyet allocated (if we need it) and then the caller can return -ECHILD to\\ndrop out of RCU-mode and afs_request_key() can be called.\\n\\nNote that the anonymous key is kind of necessary to make the key lookup\\ncache work as that doesn\u0027t currently cache a negative lookup, but it\u0027s\\nprobably worth some investigation to see if NULL can be used instead.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/5613bde937dfac6725e9c3fc766b9d6b8481e55b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d27c71257825dced46104eefe42e4d9964bd032e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.