cve/published/2025/CVE-2025-22089.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-22089: RDMA/core: Don't expose hw_counters outside of init net namespace

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 RDMA/core: Don't expose hw_counters outside of init net namespace

 Commit 467f432a521a ("RDMA/core: Split port and device counter sysfs
 attributes") accidentally almost exposed hw counters to non-init net
 namespaces. It didn't expose them fully, as an attempt to read any of
 those counters leads to a crash like this one:

 [42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028
 [42021.814463] #PF: supervisor read access in kernel mode
 [42021.819549] #PF: error_code(0x0000) - not-present page
 [42021.824636] PGD 0 P4D 0
 [42021.827145] Oops: 0000 [#1] SMP PTI
 [42021.830598] CPU: 82 PID: 2843922 Comm: switchto-defaul Kdump: loaded Tainted: G S      W I        XXX
 [42021.841697] Hardware name: XXX
 [42021.849619] RIP: 0010:hw_stat_device_show+0x1e/0x40 [ib_core]
 [42021.855362] Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 49 89 d0 4c 8b 5e 20 48 8b 8f b8 04 00 00 48 81 c7 f0 fa ff ff <48> 8b 41 28 48 29 ce 48 83 c6 d0 48 c1 ee 04 69 d6 ab aa aa aa 48
 [42021.873931] RSP: 0018:ffff97fe90f03da0 EFLAGS: 00010287
 [42021.879108] RAX: ffff9406988a8c60 RBX: ffff940e1072d438 RCX: 0000000000000000
 [42021.886169] RDX: ffff94085f1aa000 RSI: ffff93c6cbbdbcb0 RDI: ffff940c7517aef0
 [42021.893230] RBP: ffff97fe90f03e70 R08: ffff94085f1aa000 R09: 0000000000000000
 [42021.900294] R10: ffff94085f1aa000 R11: ffffffffc0775680 R12: ffffffff87ca2530
 [42021.907355] R13: ffff940651602840 R14: ffff93c6cbbdbcb0 R15: ffff94085f1aa000
 [42021.914418] FS:  00007fda1a3b9700(0000) GS:ffff94453fb80000(0000) knlGS:0000000000000000
 [42021.922423] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [42021.928130] CR2: 0000000000000028 CR3: 00000042dcfb8003 CR4: 00000000003726f0
 [42021.935194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 [42021.942257] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 [42021.949324] Call Trace:
 [42021.951756]  <TASK>
 [42021.953842]  [<ffffffff86c58674>] ? show_regs+0x64/0x70
 [42021.959030]  [<ffffffff86c58468>] ? __die+0x78/0xc0
 [42021.963874]  [<ffffffff86c9ef75>] ? page_fault_oops+0x2b5/0x3b0
 [42021.969749]  [<ffffffff87674b92>] ? exc_page_fault+0x1a2/0x3c0
 [42021.975549]  [<ffffffff87801326>] ? asm_exc_page_fault+0x26/0x30
 [42021.981517]  [<ffffffffc0775680>] ? __pfx_show_hw_stats+0x10/0x10 [ib_core]
 [42021.988482]  [<ffffffffc077564e>] ? hw_stat_device_show+0x1e/0x40 [ib_core]
 [42021.995438]  [<ffffffff86ac7f8e>] dev_attr_show+0x1e/0x50
 [42022.000803]  [<ffffffff86a3eeb1>] sysfs_kf_seq_show+0x81/0xe0
 [42022.006508]  [<ffffffff86a11134>] seq_read_iter+0xf4/0x410
 [42022.011954]  [<ffffffff869f4b2e>] vfs_read+0x16e/0x2f0
 [42022.017058]  [<ffffffff869f50ee>] ksys_read+0x6e/0xe0
 [42022.022073]  [<ffffffff8766f1ca>] do_syscall_64+0x6a/0xa0
 [42022.027441]  [<ffffffff8780013b>] entry_SYSCALL_64_after_hwframe+0x78/0xe2

 The problem can be reproduced using the following steps:
   ip netns add foo
   ip netns exec foo bash
   cat /sys/class/infiniband/mlx4_0/hw_counters/*

 The panic occurs because of casting the device pointer into an
 ib_device pointer using container_of() in hw_stat_device_show() is
 wrong and leads to a memory corruption.

 However the real problem is that hw counters should never been exposed
 outside of the non-init net namespace.

 Fix this by saving the index of the corresponding attribute group
 (it might be 1 or 2 depending on the presence of driver-specific
 attributes) and zeroing the pointer to hw_counters group for compat
 devices during the initialization.

 With this fix applied hw_counters are not available in a non-init
 net namespace:
   find /sys/class/infiniband/mlx4_0/ -name hw_counters
     /sys/class/infiniband/mlx4_0/ports/1/hw_counters
     /sys/class/infiniband/mlx4_0/ports/2/hw_counters
     /sys/class/infiniband/mlx4_0/hw_counters

   ip netns add foo
   ip netns exec foo bash
   find /sys/class/infiniband/mlx4_0/ -name hw_counters

 The Linux kernel CVE team has assigned CVE-2025-22089 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.14 with commit 467f432a521a284c418e3d521ee51840a5e23424 and fixed in 5.15.180 with commit 9a5b7f8842a90a5e6eeff37f9f6d814e61ea3529
 	Issue introduced in 5.14 with commit 467f432a521a284c418e3d521ee51840a5e23424 and fixed in 6.1.134 with commit d5212b99649c5740154f307e9e3d7fee9bf62773
 	Issue introduced in 5.14 with commit 467f432a521a284c418e3d521ee51840a5e23424 and fixed in 6.6.87 with commit 0cf80f924aecb5b2bebd4f4ad11b2efc676a0b78
 	Issue introduced in 5.14 with commit 467f432a521a284c418e3d521ee51840a5e23424 and fixed in 6.12.23 with commit df45ae2a4f1cdfda00c032839e12092e1f32c05e
 	Issue introduced in 5.14 with commit 467f432a521a284c418e3d521ee51840a5e23424 and fixed in 6.13.11 with commit c14d9704f5d77a7c7fa46e2114b64a4f75b64e17
 	Issue introduced in 5.14 with commit 467f432a521a284c418e3d521ee51840a5e23424 and fixed in 6.14.2 with commit 6682da5d8fd578a5068531d01633c9d2e4c8f12b
 	Issue introduced in 5.14 with commit 467f432a521a284c418e3d521ee51840a5e23424 and fixed in 6.15 with commit a1ecb30f90856b0be4168ad51b8875148e285c1f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-22089
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/infiniband/core/device.c
 	drivers/infiniband/core/sysfs.c
 	include/rdma/ib_verbs.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/9a5b7f8842a90a5e6eeff37f9f6d814e61ea3529
 	https://git.kernel.org/stable/c/d5212b99649c5740154f307e9e3d7fee9bf62773
 	https://git.kernel.org/stable/c/0cf80f924aecb5b2bebd4f4ad11b2efc676a0b78
 	https://git.kernel.org/stable/c/df45ae2a4f1cdfda00c032839e12092e1f32c05e
 	https://git.kernel.org/stable/c/c14d9704f5d77a7c7fa46e2114b64a4f75b64e17
 	https://git.kernel.org/stable/c/6682da5d8fd578a5068531d01633c9d2e4c8f12b
 	https://git.kernel.org/stable/c/a1ecb30f90856b0be4168ad51b8875148e285c1f
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-22089: RDMA/core: Don't expose hw_counters outside of init net namespace

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	RDMA/core: Don't expose hw_counters outside of init net namespace

	Commit 467f432a521a ("RDMA/core: Split port and device counter sysfs
	attributes") accidentally almost exposed hw counters to non-init net
	namespaces. It didn't expose them fully, as an attempt to read any of
	those counters leads to a crash like this one:

	[42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028
	[42021.814463] #PF: supervisor read access in kernel mode
	[42021.819549] #PF: error_code(0x0000) - not-present page
	[42021.824636] PGD 0 P4D 0
	[42021.827145] Oops: 0000 [#1] SMP PTI
	[42021.830598] CPU: 82 PID: 2843922 Comm: switchto-defaul Kdump: loaded Tainted: G S W I XXX
	[42021.841697] Hardware name: XXX
	[42021.849619] RIP: 0010:hw_stat_device_show+0x1e/0x40 [ib_core]
	[42021.855362] Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 49 89 d0 4c 8b 5e 20 48 8b 8f b8 04 00 00 48 81 c7 f0 fa ff ff <48> 8b 41 28 48 29 ce 48 83 c6 d0 48 c1 ee 04 69 d6 ab aa aa aa 48
	[42021.873931] RSP: 0018:ffff97fe90f03da0 EFLAGS: 00010287
	[42021.879108] RAX: ffff9406988a8c60 RBX: ffff940e1072d438 RCX: 0000000000000000
	[42021.886169] RDX: ffff94085f1aa000 RSI: ffff93c6cbbdbcb0 RDI: ffff940c7517aef0
	[42021.893230] RBP: ffff97fe90f03e70 R08: ffff94085f1aa000 R09: 0000000000000000
	[42021.900294] R10: ffff94085f1aa000 R11: ffffffffc0775680 R12: ffffffff87ca2530
	[42021.907355] R13: ffff940651602840 R14: ffff93c6cbbdbcb0 R15: ffff94085f1aa000
	[42021.914418] FS: 00007fda1a3b9700(0000) GS:ffff94453fb80000(0000) knlGS:0000000000000000
	[42021.922423] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[42021.928130] CR2: 0000000000000028 CR3: 00000042dcfb8003 CR4: 00000000003726f0
	[42021.935194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	[42021.942257] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	[42021.949324] Call Trace:
	[42021.951756] <TASK>
	[42021.953842] [<ffffffff86c58674>] ? show_regs+0x64/0x70
	[42021.959030] [<ffffffff86c58468>] ? __die+0x78/0xc0
	[42021.963874] [<ffffffff86c9ef75>] ? page_fault_oops+0x2b5/0x3b0
	[42021.969749] [<ffffffff87674b92>] ? exc_page_fault+0x1a2/0x3c0
	[42021.975549] [<ffffffff87801326>] ? asm_exc_page_fault+0x26/0x30
	[42021.981517] [<ffffffffc0775680>] ? __pfx_show_hw_stats+0x10/0x10 [ib_core]
	[42021.988482] [<ffffffffc077564e>] ? hw_stat_device_show+0x1e/0x40 [ib_core]
	[42021.995438] [<ffffffff86ac7f8e>] dev_attr_show+0x1e/0x50
	[42022.000803] [<ffffffff86a3eeb1>] sysfs_kf_seq_show+0x81/0xe0
	[42022.006508] [<ffffffff86a11134>] seq_read_iter+0xf4/0x410
	[42022.011954] [<ffffffff869f4b2e>] vfs_read+0x16e/0x2f0
	[42022.017058] [<ffffffff869f50ee>] ksys_read+0x6e/0xe0
	[42022.022073] [<ffffffff8766f1ca>] do_syscall_64+0x6a/0xa0
	[42022.027441] [<ffffffff8780013b>] entry_SYSCALL_64_after_hwframe+0x78/0xe2

	The problem can be reproduced using the following steps:
	ip netns add foo
	ip netns exec foo bash
	cat /sys/class/infiniband/mlx4_0/hw_counters/*

	The panic occurs because of casting the device pointer into an
	ib_device pointer using container_of() in hw_stat_device_show() is
	wrong and leads to a memory corruption.

	However the real problem is that hw counters should never been exposed
	outside of the non-init net namespace.

	Fix this by saving the index of the corresponding attribute group
	(it might be 1 or 2 depending on the presence of driver-specific
	attributes) and zeroing the pointer to hw_counters group for compat
	devices during the initialization.

	With this fix applied hw_counters are not available in a non-init
	net namespace:
	find /sys/class/infiniband/mlx4_0/ -name hw_counters
	/sys/class/infiniband/mlx4_0/ports/1/hw_counters
	/sys/class/infiniband/mlx4_0/ports/2/hw_counters
	/sys/class/infiniband/mlx4_0/hw_counters

	ip netns add foo
	ip netns exec foo bash
	find /sys/class/infiniband/mlx4_0/ -name hw_counters

	The Linux kernel CVE team has assigned CVE-2025-22089 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.14 with commit 467f432a521a284c418e3d521ee51840a5e23424 and fixed in 5.15.180 with commit 9a5b7f8842a90a5e6eeff37f9f6d814e61ea3529
	Issue introduced in 5.14 with commit 467f432a521a284c418e3d521ee51840a5e23424 and fixed in 6.1.134 with commit d5212b99649c5740154f307e9e3d7fee9bf62773
	Issue introduced in 5.14 with commit 467f432a521a284c418e3d521ee51840a5e23424 and fixed in 6.6.87 with commit 0cf80f924aecb5b2bebd4f4ad11b2efc676a0b78
	Issue introduced in 5.14 with commit 467f432a521a284c418e3d521ee51840a5e23424 and fixed in 6.12.23 with commit df45ae2a4f1cdfda00c032839e12092e1f32c05e
	Issue introduced in 5.14 with commit 467f432a521a284c418e3d521ee51840a5e23424 and fixed in 6.13.11 with commit c14d9704f5d77a7c7fa46e2114b64a4f75b64e17
	Issue introduced in 5.14 with commit 467f432a521a284c418e3d521ee51840a5e23424 and fixed in 6.14.2 with commit 6682da5d8fd578a5068531d01633c9d2e4c8f12b
	Issue introduced in 5.14 with commit 467f432a521a284c418e3d521ee51840a5e23424 and fixed in 6.15 with commit a1ecb30f90856b0be4168ad51b8875148e285c1f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-22089
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/infiniband/core/device.c
	drivers/infiniband/core/sysfs.c
	include/rdma/ib_verbs.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/9a5b7f8842a90a5e6eeff37f9f6d814e61ea3529
	https://git.kernel.org/stable/c/d5212b99649c5740154f307e9e3d7fee9bf62773
	https://git.kernel.org/stable/c/0cf80f924aecb5b2bebd4f4ad11b2efc676a0b78
	https://git.kernel.org/stable/c/df45ae2a4f1cdfda00c032839e12092e1f32c05e
	https://git.kernel.org/stable/c/c14d9704f5d77a7c7fa46e2114b64a4f75b64e17
	https://git.kernel.org/stable/c/6682da5d8fd578a5068531d01633c9d2e4c8f12b
	https://git.kernel.org/stable/c/a1ecb30f90856b0be4168ad51b8875148e285c1f