CVE-2025-21919
sched/fair: Fix potential memory corruption in child_cfs_rq_on_list
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
sched/fair: Fix potential memory corruption in child_cfs_rq_on_list
In the Linux kernel, the following vulnerability has been resolved: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list child_cfs_rq_on_list attempts to convert a 'prev' pointer to a cfs_rq. This 'prev' pointer can originate from struct rq's leaf_cfs_rq_list, making the conversion invalid and potentially leading to memory corruption. Depending on the relative positions of leaf_cfs_rq_list and the task group (tg) pointer within the struct, this can cause a memory fault or access garbage data. The issue arises in list_add_leaf_cfs_rq, where both cfs_rq->leaf_cfs_rq_list and rq->leaf_cfs_rq_list are added to the same leaf list. Also, rq->tmp_alone_branch can be set to rq->leaf_cfs_rq_list. This adds a check `if (prev == &rq->leaf_cfs_rq_list)` after the main conditional in child_cfs_rq_on_list. This ensures that the container_of operation will convert a correct cfs_rq struct. This check is sufficient because only cfs_rqs on the same CPU are added to the list, so verifying the 'prev' pointer against the current rq's list head is enough. Fixes a potential memory corruption issue that due to current struct layout might not be manifesting as a crash but could lead to unpredictable behavior when the layout changes.
Reserved 2024-12-29 | Published 2025-04-01 | Updated 2025-05-04 | Assigner Linuxgit.kernel.org/...c/5cb300dcdd27e6a351ac02541e0231261c775852
git.kernel.org/...c/000c9ee43928f2ce68a156dd40bab7616256f4dd
git.kernel.org/...c/9cc7f0018609f75a349e42e3aebc3b0e905ba775
git.kernel.org/...c/b5741e4b9ef3567613b2351384f91d3f16e59986
git.kernel.org/...c/e1dd09df30ba86716cb2ffab97dc35195c01eb8f
git.kernel.org/...c/3b4035ddbfc8e4521f85569998a7569668cccf51
Support options
