cve/published/2025/CVE-2025-21999.mbox

From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2025-21999: proc: fix UAF in proc_get_inode()

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

proc: fix UAF in proc_get_inode()

Fix race between rmmod and /proc/XXX's inode instantiation.

The bug is that pde->proc_ops don't belong to /proc, it belongs to a
module, therefore dereferencing it after /proc entry has been registered
is a bug unless use_pde/unuse_pde() pair has been used.

use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops
never changes so information necessary for inode instantiation can be
saved _before_ proc_register() in PDE itself and used later, avoiding
pde->proc_ops->...  dereference.

      rmmod                         lookup
sys_delete_module
                         proc_lookup_de
			   pde_get(de);
			   proc_get_inode(dir->i_sb, de);
  mod->exit()
    proc_remove
      remove_proc_subtree
       proc_entry_rundown(de);
  free_module(mod);

                               if (S_ISREG(inode->i_mode))
	                         if (de->proc_ops->proc_read_iter)
                           --> As module is already freed, will trigger UAF

BUG: unable to handle page fault for address: fffffbfff80a702b
PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
RIP: 0010:proc_get_inode+0x302/0x6e0
RSP: 0018:ffff88811c837998 EFLAGS: 00010a06
RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007
RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158
RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20
R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0
R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001
FS:  00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 proc_lookup_de+0x11f/0x2e0
 __lookup_slow+0x188/0x350
 walk_component+0x2ab/0x4f0
 path_lookupat+0x120/0x660
 filename_lookup+0x1ce/0x560
 vfs_statx+0xac/0x150
 __do_sys_newstat+0x96/0x110
 do_syscall_64+0x5f/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

[adobriyan@gmail.com: don't do 2 atomic ops on the common path]

The Linux kernel CVE team has assigned CVE-2025-21999 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 2.6.23 with commit 778f3dd5a13c9e1642e0b2efea4b769387a70afa and fixed in 5.10.236 with commit eda279586e571b05dff44d48e05f8977ad05855d
	Issue introduced in 2.6.23 with commit 778f3dd5a13c9e1642e0b2efea4b769387a70afa and fixed in 5.15.180 with commit 4b0b8445b6fd41e6f62ac90547a0ea9d348de3fa
	Issue introduced in 2.6.23 with commit 778f3dd5a13c9e1642e0b2efea4b769387a70afa and fixed in 6.1.132 with commit 966f331403dc3ed04ff64eaf3930cf1267965e53
	Issue introduced in 2.6.23 with commit 778f3dd5a13c9e1642e0b2efea4b769387a70afa and fixed in 6.6.85 with commit 63b53198aff2e4e6c5866a4ff73c7891f958ffa4
	Issue introduced in 2.6.23 with commit 778f3dd5a13c9e1642e0b2efea4b769387a70afa and fixed in 6.12.21 with commit ede3e8ac90ae106f0b29cd759aadebc1568f1308
	Issue introduced in 2.6.23 with commit 778f3dd5a13c9e1642e0b2efea4b769387a70afa and fixed in 6.13.9 with commit 64dc7c68e040251d9ec6e989acb69f8f6ae4a10b
	Issue introduced in 2.6.23 with commit 778f3dd5a13c9e1642e0b2efea4b769387a70afa and fixed in 6.14 with commit 654b33ada4ab5e926cd9c570196fefa7bec7c1df

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21999
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	fs/proc/generic.c
	fs/proc/inode.c
	fs/proc/internal.h
	include/linux/proc_fs.h


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/eda279586e571b05dff44d48e05f8977ad05855d
	https://git.kernel.org/stable/c/4b0b8445b6fd41e6f62ac90547a0ea9d348de3fa
	https://git.kernel.org/stable/c/966f331403dc3ed04ff64eaf3930cf1267965e53
	https://git.kernel.org/stable/c/63b53198aff2e4e6c5866a4ff73c7891f958ffa4
	https://git.kernel.org/stable/c/ede3e8ac90ae106f0b29cd759aadebc1568f1308
	https://git.kernel.org/stable/c/64dc7c68e040251d9ec6e989acb69f8f6ae4a10b
	https://git.kernel.org/stable/c/654b33ada4ab5e926cd9c570196fefa7bec7c1df