From bippy-1.2.0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@kernel.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2025-22020: memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove

This fixes the following crash:

==================================================================
BUG: KASAN: slab-use-after-free in rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
Read of size 8 at addr ffff888136335380 by task kworker/6:0/140241

CPU: 6 UID: 0 PID: 140241 Comm: kworker/6:0 Kdump: loaded Tainted: G E 6.14.0-rc6+ #1
Tainted: [E]=UNSIGNED_MODULE
Hardware name: LENOVO 30FNA1V7CW/1057, BIOS S0EKT54A 07/01/2024
Workqueue: events rtsx_usb_ms_poll_card [rtsx_usb_ms]
Call Trace:
 <TASK>
 dump_stack_lvl+0x51/0x70
 print_address_description.constprop.0+0x27/0x320
 ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
 print_report+0x3e/0x70
 kasan_report+0xab/0xe0
 ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
 rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
 ? __pfx_rtsx_usb_ms_poll_card+0x10/0x10 [rtsx_usb_ms]
 ? __pfx___schedule+0x10/0x10
 ? kick_pool+0x3b/0x270
 process_one_work+0x357/0x660
 worker_thread+0x390/0x4c0
 ? __pfx_worker_thread+0x10/0x10
 kthread+0x190/0x1d0
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x2d/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
 </TASK>

Allocated by task 161446:
 kasan_save_stack+0x20/0x40
 kasan_save_track+0x10/0x30
 __kasan_kmalloc+0x7b/0x90
 __kmalloc_noprof+0x1a7/0x470
 memstick_alloc_host+0x1f/0xe0 [memstick]
 rtsx_usb_ms_drv_probe+0x47/0x320 [rtsx_usb_ms]
 platform_probe+0x60/0xe0
 call_driver_probe+0x35/0x120
 really_probe+0x123/0x410
 __driver_probe_device+0xc7/0x1e0
 driver_probe_device+0x49/0xf0
 __device_attach_driver+0xc6/0x160
 bus_for_each_drv+0xe4/0x160
 __device_attach+0x13a/0x2b0
 bus_probe_device+0xbd/0xd0
 device_add+0x4a5/0x760
 platform_device_add+0x189/0x370
 mfd_add_device+0x587/0x5e0
 mfd_add_devices+0xb1/0x130
 rtsx_usb_probe+0x28e/0x2e0 [rtsx_usb]
 usb_probe_interface+0x15c/0x460
 call_driver_probe+0x35/0x120
 really_probe+0x123/0x410
 __driver_probe_device+0xc7/0x1e0
 driver_probe_device+0x49/0xf0
 __device_attach_driver+0xc6/0x160
 bus_for_each_drv+0xe4/0x160
 __device_attach+0x13a/0x2b0
 rebind_marked_interfaces.isra.0+0xcc/0x110
 usb_reset_device+0x352/0x410
 usbdev_do_ioctl+0xe5c/0x1860
 usbdev_ioctl+0xa/0x20
 __x64_sys_ioctl+0xc5/0xf0
 do_syscall_64+0x59/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Freed by task 161506:
 kasan_save_stack+0x20/0x40
 kasan_save_track+0x10/0x30
 kasan_save_free_info+0x36/0x60
 __kasan_slab_free+0x34/0x50
 kfree+0x1fd/0x3b0
 device_release+0x56/0xf0
 kobject_cleanup+0x73/0x1c0
 rtsx_usb_ms_drv_remove+0x13d/0x220 [rtsx_usb_ms]
 platform_remove+0x2f/0x50
 device_release_driver_internal+0x24b/0x2e0
 bus_remove_device+0x124/0x1d0
 device_del+0x239/0x530
 platform_device_del.part.0+0x19/0xe0
 platform_device_unregister+0x1c/0x40
 mfd_remove_devices_fn+0x167/0x170
 device_for_each_child_reverse+0xc9/0x130
 mfd_remove_devices+0x6e/0xa0
 rtsx_usb_disconnect+0x2e/0xd0 [rtsx_usb]
 usb_unbind_interface+0xf3/0x3f0
 device_release_driver_internal+0x24b/0x2e0
 proc_disconnect_claim+0x13d/0x220
 usbdev_do_ioctl+0xb5e/0x1860
 usbdev_ioctl+0xa/0x20
 __x64_sys_ioctl+0xc5/0xf0
 do_syscall_64+0x59/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Last potentially related work creation:
 kasan_save_stack+0x20/0x40
 kasan_record_aux_stack+0x85/0x90
 insert_work+0x29/0x100
 __queue_work+0x34a/0x540
 call_timer_fn+0x2a/0x160
 expire_timers+0x5f/0x1f0
 __run_timer_base.part.0+0x1b6/0x1e0
 run_timer_softirq+0x8b/0xe0
 handle_softirqs+0xf9/0x360
 __irq_exit_rcu+0x114/0x130
 sysvec_apic_timer_interrupt+0x72/0x90
 asm_sysvec_apic_timer_interrupt+0x16/0x20

Second to last potentially related work creation:
 kasan_save_stack+0x20/0x40
 kasan_record_aux_stack+0x85/0x90
 insert_work+0x29/0x100
 __queue_work+0x34a/0x540
 call_timer_fn+0x2a/0x160
 expire_timers+0x5f/0x1f0
 __run_timer_base.part.0+0x1b6/0x1e0
 run_timer_softirq+0x8b/0xe0
 handle_softirqs+0xf9/0x360
 __irq_exit_rcu+0x114/0x130
 sysvec_apic_timer_interrupt+0x72/0x90
 asm_sysvec_apic_timer_interrupt+0x16/0x20

The buggy address belongs to the object at ffff888136335000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 896 bytes inside of
 freed 2048-byte region [ffff888136335000, ffff888136335800)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x136330
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
page_type: f5(slab)
raw: 0017ffffc0000040 ffff888100042f00 ffffea000417a000 dead000000000002
raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 0017ffffc0000040 ffff888100042f00 ffffea000417a000 dead000000000002
head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 0017ffffc0000003 ffffea0004d8cc01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888136335280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888136335300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888136335380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888136335400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888136335480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
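
As an added illustration (not code from the kernel or from the referenced fix commits), the model below reproduces the ordering the report above shows: the host is allocated in probe, a timer queues the poll work, remove releases the host, and the kworker then runs the poll against memory that is already freed and poisoned. The second path applies the general remedy for this bug class, cancelling pending work before the object goes away; this page does not state what the actual commits change, so the cancel step, the struct layout and every name here are assumptions of this example.

```c
/* Constructed model of this bug class (not the kernel's code): a host freed in
 * remove while a timer-queued poll work item still points at it. A one-object
 * "slab" with KASAN-style poisoning makes the stale read detectable without UB. */
#include <stdint.h>
#include <string.h>

#define KASAN_FREE 0xfb               /* poison byte KASAN shows for freed slab memory */
#define LIVE_MAGIC 0x4d53484f5354ULL  /* "MSHOST": marks a live host object */
struct ms_host { uint64_t magic; int card_polls; };   /* stand-in for the memstick host */
static struct ms_host slab_slot;      /* backing store for the single host */
static void (*pending_work)(struct ms_host *);
static struct ms_host *pending_arg;
static int uaf_detected;

static struct ms_host *slab_alloc(void)   /* probe(): memstick_alloc_host */
{
    slab_slot.magic = LIVE_MAGIC;
    slab_slot.card_polls = 0;
    return &slab_slot;
}

static void slab_free(struct ms_host *h) { memset(h, KASAN_FREE, sizeof *h); }
/* The poll work dereferences the host it was queued with. */
static void poll_card(struct ms_host *h)
{
    if (h->magic != LIVE_MAGIC) { uaf_detected = 1; return; }   /* read of freed memory */
    h->card_polls++;
}

static void timer_fires(struct ms_host *h) { pending_work = poll_card; pending_arg = h; }
static void cancel_work_sync(void) { pending_work = NULL; }     /* quiesce before freeing */

static void kworker_runs(void)        /* the events workqueue runs pending work */
{
    if (pending_work) pending_work(pending_arg);
    pending_work = NULL;
}

/* 1 if the poll touched freed memory; cancel_first=1 quiesces the work before release. */
int remove_scenario(int cancel_first)
{
    struct ms_host *host = slab_alloc();
    uaf_detected = 0;
    timer_fires(host);                /* poll queued before remove runs */
    if (cancel_first) cancel_work_sync();
    slab_free(host);                  /* remove(): host released */
    kworker_runs();                   /* kworker runs the poll after remove */
    return uaf_detected;
}
```

With `remove_scenario(0)` the poll reads the poisoned object and reports the stale access, mirroring the KASAN report; with `remove_scenario(1)` nothing runs after the host is gone.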

The Linux kernel CVE team has assigned CVE-2025-22020 to this issue.


Affected and fixed versions
===========================

Issue introduced in 5.0 with commit 6827ca573c03385439fdfc8b512d556dc7c54fc9 and fixed in 5.4.292 with commit 914c5e5bfceb9878f3056eaf4d1c88f2cbe0a185
Issue introduced in 5.0 with commit 6827ca573c03385439fdfc8b512d556dc7c54fc9 and fixed in 5.10.236 with commit 9dfaf4d723c62bda8d9d1340e2e78acf0c190439
Issue introduced in 5.0 with commit 6827ca573c03385439fdfc8b512d556dc7c54fc9 and fixed in 5.15.180 with commit 31f0eaed6914333f42501fc7e0f6830879f5ef2d
Issue introduced in 5.0 with commit 6827ca573c03385439fdfc8b512d556dc7c54fc9 and fixed in 6.1.133 with commit 52d942a5302eefb3b7a3bfee310a5a33feeedc21
Issue introduced in 5.0 with commit 6827ca573c03385439fdfc8b512d556dc7c54fc9 and fixed in 6.6.86 with commit 6186fb2cd36317277a8423687982140a7f3f7841
Issue introduced in 5.0 with commit 6827ca573c03385439fdfc8b512d556dc7c54fc9 and fixed in 6.12.22 with commit b094e8e3988e02e8cef7a756c8d2cea9c12509ab
Issue introduced in 5.0 with commit 6827ca573c03385439fdfc8b512d556dc7c54fc9 and fixed in 6.13.10 with commit 0067cb7d7e7c277e91a0887a3c24e71462379469
Issue introduced in 5.0 with commit 6827ca573c03385439fdfc8b512d556dc7c54fc9 and fixed in 6.14.1 with commit 75123adf204f997e11bbddee48408c284f51c050
Issue introduced in 5.0 with commit 6827ca573c03385439fdfc8b512d556dc7c54fc9 and fixed in 6.15 with commit 4676741a3464b300b486e70585c3c9b692be1632

Please see https://www.kernel.org for a full list of kernel versions
currently supported by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-22020
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/memstick/host/rtsx_usb_ms.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/914c5e5bfceb9878f3056eaf4d1c88f2cbe0a185
	https://git.kernel.org/stable/c/9dfaf4d723c62bda8d9d1340e2e78acf0c190439
	https://git.kernel.org/stable/c/31f0eaed6914333f42501fc7e0f6830879f5ef2d
	https://git.kernel.org/stable/c/52d942a5302eefb3b7a3bfee310a5a33feeedc21
	https://git.kernel.org/stable/c/6186fb2cd36317277a8423687982140a7f3f7841
	https://git.kernel.org/stable/c/b094e8e3988e02e8cef7a756c8d2cea9c12509ab
	https://git.kernel.org/stable/c/0067cb7d7e7c277e91a0887a3c24e71462379469
	https://git.kernel.org/stable/c/75123adf204f997e11bbddee48408c284f51c050
	https://git.kernel.org/stable/c/4676741a3464b300b486e70585c3c9b692be1632