cve/published/2025/CVE-2025-21887.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21887: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up

 The issue was caused by dput(upper) being called before
 ovl_dentry_update_reval(), while upper->d_flags was still
 accessed in ovl_dentry_remote().

 Move dput(upper) after its last use to prevent use-after-free.

 BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline]
 BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167

 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
  print_address_description mm/kasan/report.c:377 [inline]
  print_report+0xc3/0x620 mm/kasan/report.c:488
  kasan_report+0xd9/0x110 mm/kasan/report.c:601
  ovl_dentry_remote fs/overlayfs/util.c:162 [inline]
  ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167
  ovl_link_up fs/overlayfs/copy_up.c:610 [inline]
  ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170
  ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223
  ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136
  vfs_rename+0xf84/0x20a0 fs/namei.c:4893
 ...
  </TASK>

 The Linux kernel CVE team has assigned CVE-2025-21887 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15.121 with commit 62f29ca45f832e281fc14966ac25f6ff3bd121ca and fixed in 5.15.179 with commit 4b49d939b5a79117f939b77cc67efae2694d9799
 	Issue introduced in 6.1.39 with commit e4f2a1feebb3f209a0fca82aa53507a5b8be4d53 and fixed in 6.1.130 with commit a7c41830ffcd17b2177a95a9b99b270302090c35
 	Issue introduced in 6.5 with commit b07d5cc93e1b28df47a72c519d09d0a836043613 and fixed in 6.6.81 with commit 64455c8051c3aedc71abb7ec8d47c80301f99f00
 	Issue introduced in 6.5 with commit b07d5cc93e1b28df47a72c519d09d0a836043613 and fixed in 6.12.18 with commit 3594aad97e7be2557ca9fa9c931b206b604028c8
 	Issue introduced in 6.5 with commit b07d5cc93e1b28df47a72c519d09d0a836043613 and fixed in 6.13.6 with commit 60b4b5c1277fc491da9e1e7abab307bfa39c2db7
 	Issue introduced in 6.5 with commit b07d5cc93e1b28df47a72c519d09d0a836043613 and fixed in 6.14 with commit c84e125fff2615b4d9c259e762596134eddd2f27
 	Issue introduced in 5.10.188 with commit 714ba10a6dd19752a349e59aa875f3288ccb59b9
 	Issue introduced in 6.3.13 with commit 33ab4dd6202f359558a0a2678b94d1b9994c17e5
 	Issue introduced in 6.4.4 with commit 1ecdc55e5cd9f70f8d7513802971d4cffb9f77af

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21887
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/overlayfs/copy_up.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/4b49d939b5a79117f939b77cc67efae2694d9799
 	https://git.kernel.org/stable/c/a7c41830ffcd17b2177a95a9b99b270302090c35
 	https://git.kernel.org/stable/c/64455c8051c3aedc71abb7ec8d47c80301f99f00
 	https://git.kernel.org/stable/c/3594aad97e7be2557ca9fa9c931b206b604028c8
 	https://git.kernel.org/stable/c/60b4b5c1277fc491da9e1e7abab307bfa39c2db7
 	https://git.kernel.org/stable/c/c84e125fff2615b4d9c259e762596134eddd2f27
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21887: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up

	The issue was caused by dput(upper) being called before
	ovl_dentry_update_reval(), while upper->d_flags was still
	accessed in ovl_dentry_remote().

	Move dput(upper) after its last use to prevent use-after-free.

	BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline]
	BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167

	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:88 [inline]
	dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
	print_address_description mm/kasan/report.c:377 [inline]
	print_report+0xc3/0x620 mm/kasan/report.c:488
	kasan_report+0xd9/0x110 mm/kasan/report.c:601
	ovl_dentry_remote fs/overlayfs/util.c:162 [inline]
	ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167
	ovl_link_up fs/overlayfs/copy_up.c:610 [inline]
	ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170
	ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223
	ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136
	vfs_rename+0xf84/0x20a0 fs/namei.c:4893
	...
	</TASK>

	The Linux kernel CVE team has assigned CVE-2025-21887 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15.121 with commit 62f29ca45f832e281fc14966ac25f6ff3bd121ca and fixed in 5.15.179 with commit 4b49d939b5a79117f939b77cc67efae2694d9799
	Issue introduced in 6.1.39 with commit e4f2a1feebb3f209a0fca82aa53507a5b8be4d53 and fixed in 6.1.130 with commit a7c41830ffcd17b2177a95a9b99b270302090c35
	Issue introduced in 6.5 with commit b07d5cc93e1b28df47a72c519d09d0a836043613 and fixed in 6.6.81 with commit 64455c8051c3aedc71abb7ec8d47c80301f99f00
	Issue introduced in 6.5 with commit b07d5cc93e1b28df47a72c519d09d0a836043613 and fixed in 6.12.18 with commit 3594aad97e7be2557ca9fa9c931b206b604028c8
	Issue introduced in 6.5 with commit b07d5cc93e1b28df47a72c519d09d0a836043613 and fixed in 6.13.6 with commit 60b4b5c1277fc491da9e1e7abab307bfa39c2db7
	Issue introduced in 6.5 with commit b07d5cc93e1b28df47a72c519d09d0a836043613 and fixed in 6.14 with commit c84e125fff2615b4d9c259e762596134eddd2f27
	Issue introduced in 5.10.188 with commit 714ba10a6dd19752a349e59aa875f3288ccb59b9
	Issue introduced in 6.3.13 with commit 33ab4dd6202f359558a0a2678b94d1b9994c17e5
	Issue introduced in 6.4.4 with commit 1ecdc55e5cd9f70f8d7513802971d4cffb9f77af

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21887
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/overlayfs/copy_up.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/4b49d939b5a79117f939b77cc67efae2694d9799
	https://git.kernel.org/stable/c/a7c41830ffcd17b2177a95a9b99b270302090c35
	https://git.kernel.org/stable/c/64455c8051c3aedc71abb7ec8d47c80301f99f00
	https://git.kernel.org/stable/c/3594aad97e7be2557ca9fa9c931b206b604028c8
	https://git.kernel.org/stable/c/60b4b5c1277fc491da9e1e7abab307bfa39c2db7
	https://git.kernel.org/stable/c/c84e125fff2615b4d9c259e762596134eddd2f27