CVE-2025-21727 Information
Description
In the Linux kernel the following vulnerability has been resolved:
padata: fix UAF in padata_reorder
A bug was found when run ltp test:
BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206
CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+
Workqueue: pdecrypt_parallel padata_parallel_worker
Call Trace:
If ‘mdelay(10)’ is added before calling ‘padata_find_next’ in the ‘padata_reorder’ function this issue could be reproduced easily with ltp test (pcrypt_aead01).
This can be explained as bellow:
pcrypt_aead_encrypt … padata_do_parallel refcount_inc(&pd->refcnt); // add refcnt … padata_do_serial padata_reorder // pd while (1) padata_find_next(pd true); // using pd queue_work_on … padata_serial_worker crypto_del_alg padata_put_pd_cnt // sub refcnt padata_free_shell padata_put_pd(ps->pd); // pd is freed // loop again but pd is freed // call padata_find_next UAF
In the padata_reorder function when it loops in ‘while’ if the alg is deleted the refcnt may be decreased to 0 before entering ‘padata_find_next’ which leads to UAF.
As mentioned in [1] do_serial is supposed to be called with BHs disabled and always happen under RCU protection to address this issue add synchronize_rcu() in ‘padata_free_shell’ wait for all _do_serial calls to finish.
[1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/ [2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/
Reference
https://git.kernel.org/stable/c/0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccd https://git.kernel.org/stable/c/573ac9c70bf7885dc85d82fa44550581bfc3b738 https://git.kernel.org/stable/c/80231f069240d52e98b6a317456c67b2eafd0781 https://git.kernel.org/stable/c/bbccae982e9fa1d7abcb23a5ec81cb0ec883f7de https://git.kernel.org/stable/c/e01780ea4661172734118d2a5f41bc9720765668
Related CNNVD
CNNVD-202506-2945 (Published: 2025-06-23)
Share on: