cve/published/2025/CVE-2025-21715.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21715: net: davicom: fix UAF in dm9000_drv_remove

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: davicom: fix UAF in dm9000_drv_remove

 dm is netdev private data and it cannot be
 used after free_netdev() call. Using dm after free_netdev()
 can cause UAF bug. Fix it by moving free_netdev() at the end of the
 function.

 This is similar to the issue fixed in commit
 ad297cd2db89 ("net: qcom/emac: fix UAF in emac_remove").

 This bug is detected by our static analysis tool.

 The Linux kernel CVE team has assigned CVE-2025-21715 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.4.106 with commit d28e783c20033b90a64d4e1307bafb56085d8184 and fixed in 5.4.291 with commit db79e982c5f9e39ab710cbce55b05f2f5e6f1ca9
 	Issue introduced in 5.10.24 with commit 4fd0654b8f2129b68203974ddee15f804ec011c2 and fixed in 5.10.235 with commit a53cb72043443ac787ec0b5fa17bb3f8ff3d462b
 	Issue introduced in 5.12 with commit cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b and fixed in 5.15.179 with commit 7d7d201eb3b766abe590ac0dda7a508b7db3e357
 	Issue introduced in 5.12 with commit cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b and fixed in 6.1.129 with commit c94ab07edc2843e2f3d46dbd82e5c681503aaadf
 	Issue introduced in 5.12 with commit cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b and fixed in 6.6.76 with commit c411f9a5fdc9158e8f7c57eac961d3df3eb4d8ca
 	Issue introduced in 5.12 with commit cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b and fixed in 6.12.13 with commit 5a54367a7c2378c65aaa4d3cfd952f26adef7aa7
 	Issue introduced in 5.12 with commit cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b and fixed in 6.13.2 with commit 2013c95df6752d9c88221d0f0f37b6f197969390
 	Issue introduced in 5.12 with commit cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b and fixed in 6.14 with commit 19e65c45a1507a1a2926649d2db3583ed9d55fd9
 	Issue introduced in 4.4.262 with commit d182994b2b6e23778b146a230efac8f1d77a3445
 	Issue introduced in 4.9.262 with commit 427b3fc3d5244fef9c1f910a9c699f2690642f83
 	Issue introduced in 4.14.226 with commit 9c49181c201d434186ca6b1a7b52e29f4169f6f8
 	Issue introduced in 4.19.181 with commit 9808f032c4d971cbf2b01411a0a2a8ee0040efe3
 	Issue introduced in 5.11.7 with commit a1f308089257616cdb91b4334c5eaa81ae17e387

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21715
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/davicom/dm9000.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/db79e982c5f9e39ab710cbce55b05f2f5e6f1ca9
 	https://git.kernel.org/stable/c/a53cb72043443ac787ec0b5fa17bb3f8ff3d462b
 	https://git.kernel.org/stable/c/7d7d201eb3b766abe590ac0dda7a508b7db3e357
 	https://git.kernel.org/stable/c/c94ab07edc2843e2f3d46dbd82e5c681503aaadf
 	https://git.kernel.org/stable/c/c411f9a5fdc9158e8f7c57eac961d3df3eb4d8ca
 	https://git.kernel.org/stable/c/5a54367a7c2378c65aaa4d3cfd952f26adef7aa7
 	https://git.kernel.org/stable/c/2013c95df6752d9c88221d0f0f37b6f197969390
 	https://git.kernel.org/stable/c/19e65c45a1507a1a2926649d2db3583ed9d55fd9
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21715: net: davicom: fix UAF in dm9000_drv_remove

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: davicom: fix UAF in dm9000_drv_remove

	dm is netdev private data and it cannot be
	used after free_netdev() call. Using dm after free_netdev()
	can cause UAF bug. Fix it by moving free_netdev() at the end of the
	function.

	This is similar to the issue fixed in commit
	ad297cd2db89 ("net: qcom/emac: fix UAF in emac_remove").

	This bug is detected by our static analysis tool.

	The Linux kernel CVE team has assigned CVE-2025-21715 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.4.106 with commit d28e783c20033b90a64d4e1307bafb56085d8184 and fixed in 5.4.291 with commit db79e982c5f9e39ab710cbce55b05f2f5e6f1ca9
	Issue introduced in 5.10.24 with commit 4fd0654b8f2129b68203974ddee15f804ec011c2 and fixed in 5.10.235 with commit a53cb72043443ac787ec0b5fa17bb3f8ff3d462b
	Issue introduced in 5.12 with commit cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b and fixed in 5.15.179 with commit 7d7d201eb3b766abe590ac0dda7a508b7db3e357
	Issue introduced in 5.12 with commit cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b and fixed in 6.1.129 with commit c94ab07edc2843e2f3d46dbd82e5c681503aaadf
	Issue introduced in 5.12 with commit cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b and fixed in 6.6.76 with commit c411f9a5fdc9158e8f7c57eac961d3df3eb4d8ca
	Issue introduced in 5.12 with commit cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b and fixed in 6.12.13 with commit 5a54367a7c2378c65aaa4d3cfd952f26adef7aa7
	Issue introduced in 5.12 with commit cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b and fixed in 6.13.2 with commit 2013c95df6752d9c88221d0f0f37b6f197969390
	Issue introduced in 5.12 with commit cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b and fixed in 6.14 with commit 19e65c45a1507a1a2926649d2db3583ed9d55fd9
	Issue introduced in 4.4.262 with commit d182994b2b6e23778b146a230efac8f1d77a3445
	Issue introduced in 4.9.262 with commit 427b3fc3d5244fef9c1f910a9c699f2690642f83
	Issue introduced in 4.14.226 with commit 9c49181c201d434186ca6b1a7b52e29f4169f6f8
	Issue introduced in 4.19.181 with commit 9808f032c4d971cbf2b01411a0a2a8ee0040efe3
	Issue introduced in 5.11.7 with commit a1f308089257616cdb91b4334c5eaa81ae17e387

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21715
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/davicom/dm9000.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/db79e982c5f9e39ab710cbce55b05f2f5e6f1ca9
	https://git.kernel.org/stable/c/a53cb72043443ac787ec0b5fa17bb3f8ff3d462b
	https://git.kernel.org/stable/c/7d7d201eb3b766abe590ac0dda7a508b7db3e357
	https://git.kernel.org/stable/c/c94ab07edc2843e2f3d46dbd82e5c681503aaadf
	https://git.kernel.org/stable/c/c411f9a5fdc9158e8f7c57eac961d3df3eb4d8ca
	https://git.kernel.org/stable/c/5a54367a7c2378c65aaa4d3cfd952f26adef7aa7
	https://git.kernel.org/stable/c/2013c95df6752d9c88221d0f0f37b6f197969390
	https://git.kernel.org/stable/c/19e65c45a1507a1a2926649d2db3583ed9d55fd9