THREATINT
PUBLISHED

CVE-2025-22018

atm: Fix NULL pointer dereference



Description

In the Linux kernel, the following vulnerability has been resolved:

atm: Fix NULL pointer dereference

When MPOA_cache_impos_rcvd() receives the msg, it can trigger Null Pointer Dereference Vulnerability if both entry and holding_time are NULL. Because there is only for the situation where entry is NULL and holding_time exists, it can be passed when both entry and holding_time are NULL. If these are NULL, the entry will be passed to eg_cache_put() as parameter and it is referenced by entry->use code in it.

kasan log:

[ 3.316691] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006:I
[ 3.317568] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
[ 3.318188] CPU: 3 UID: 0 PID: 79 Comm: ex Not tainted 6.14.0-rc2 #102
[ 3.318601] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 3.319298] RIP: 0010:eg_cache_remove_entry+0xa5/0x470
[ 3.319677] Code: c1 f7 6e fd 48 c7 c7 00 7e 38 b2 e8 95 64 54 fd 48 c7 c7 40 7e 38 b2 48 89 ee e80
[ 3.321220] RSP: 0018:ffff88800583f8a8 EFLAGS: 00010006
[ 3.321596] RAX: 0000000000000006 RBX: ffff888005989000 RCX: ffffffffaecc2d8e
[ 3.322112] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000030
[ 3.322643] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6558b88
[ 3.323181] R10: 0000000000000003 R11: 203a207972746e65 R12: 1ffff11000b07f15
[ 3.323707] R13: dffffc0000000000 R14: ffff888005989000 R15: ffff888005989068
[ 3.324185] FS: 000000001b6313c0(0000) GS:ffff88806d380000(0000) knlGS:0000000000000000
[ 3.325042] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3.325545] CR2: 00000000004b4b40 CR3: 000000000248e000 CR4: 00000000000006f0
[ 3.326430] Call Trace:
[ 3.326725] <TASK>
[ 3.326927] ? die_addr+0x3c/0xa0
[ 3.327330] ? exc_general_protection+0x161/0x2a0
[ 3.327662] ? asm_exc_general_protection+0x26/0x30
[ 3.328214] ? vprintk_emit+0x15e/0x420
[ 3.328543] ? eg_cache_remove_entry+0xa5/0x470
[ 3.328910] ? eg_cache_remove_entry+0x9a/0x470
[ 3.329294] ? __pfx_eg_cache_remove_entry+0x10/0x10
[ 3.329664] ? console_unlock+0x107/0x1d0
[ 3.329946] ? __pfx_console_unlock+0x10/0x10
[ 3.330283] ? do_syscall_64+0xa6/0x1a0
[ 3.330584] ? entry_SYSCALL_64_after_hwframe+0x47/0x7f
[ 3.331090] ? __pfx_prb_read_valid+0x10/0x10
[ 3.331395] ? down_trylock+0x52/0x80
[ 3.331703] ? vprintk_emit+0x15e/0x420
[ 3.331986] ? __pfx_vprintk_emit+0x10/0x10
[ 3.332279] ? down_trylock+0x52/0x80
[ 3.332527] ? _printk+0xbf/0x100
[ 3.332762] ? __pfx__printk+0x10/0x10
[ 3.333007] ? _raw_write_lock_irq+0x81/0xe0
[ 3.333284] ? __pfx__raw_write_lock_irq+0x10/0x10
[ 3.333614] msg_from_mpoad+0x1185/0x2750
[ 3.333893] ? __build_skb_around+0x27b/0x3a0
[ 3.334183] ? __pfx_msg_from_mpoad+0x10/0x10
[ 3.334501] ? __alloc_skb+0x1c0/0x310
[ 3.334809] ? __pfx___alloc_skb+0x10/0x10
[ 3.335283] ? _raw_spin_lock+0xe0/0xe0
[ 3.335632] ? finish_wait+0x8d/0x1e0
[ 3.335975] vcc_sendmsg+0x684/0xba0
[ 3.336250] ? __pfx_vcc_sendmsg+0x10/0x10
[ 3.336587] ? __pfx_autoremove_wake_function+0x10/0x10
[ 3.337056] ? fdget+0x176/0x3e0
[ 3.337348] __sys_sendto+0x4a2/0x510
[ 3.337663] ? __pfx___sys_sendto+0x10/0x10
[ 3.337969] ? ioctl_has_perm.constprop.0.isra.0+0x284/0x400
[ 3.338364] ? sock_ioctl+0x1bb/0x5a0
[ 3.338653] ? __rseq_handle_notify_resume+0x825/0xd20
[ 3.339017] ? __pfx_sock_ioctl+0x10/0x10
[ 3.339316] ? __pfx___rseq_handle_notify_resume+0x10/0x10
[ 3.339727] ? selinux_file_ioctl+0xa4/0x260
[ 3.340166] __x64_sys_sendto+0xe0/0x1c0
[ 3.340526] ? syscall_exit_to_user_mode+0x123/0x140
[ 3.340898] do_syscall_64+0xa6/0x1a0
[ 3.341170] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 3.341533] RIP: 0033:0x44a380
[ 3.341757] Code: 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c00
[ ---truncated---
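
Added example, not part of the CVE record or the kernel source: a user-space C model of the branch logic the description outlines, with the unguarded handler beside a guarded one. The struct, enum and function names are assumptions, "holding_time is NULL" is modelled as a zero value, and the guard is written from the condition the description names rather than copied from the upstream patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model only: every name below is an assumption, not kernel code. */
struct eg_entry { int use; uint16_t holding_time; };
enum outcome { ADDED, UPDATED, REMOVED, IGNORED, WOULD_DEREF_NULL };

static struct eg_entry sample = { 1, 0 };   /* constructed cache entry */

/* Stand-in for the remove/put path, which reads fields of *entry. In the
 * kernel a NULL entry faults here; the model reports that instead. */
static enum outcome remove_and_put(struct eg_entry *entry)
{
    if (entry == NULL)
        return WOULD_DEREF_NULL;
    entry->use--;
    return REMOVED;
}

/* Unguarded: only "no entry, holding_time set" is handled up front. */
static enum outcome handle_unpatched(struct eg_entry *entry, uint16_t holding_time)
{
    if (entry == NULL && holding_time)
        return ADDED;                /* a new cache entry would be created */
    if (holding_time) {
        entry->holding_time = holding_time;
        return UPDATED;
    }
    return remove_and_put(entry);    /* entry can still be NULL here */
}

/* Guarded: drop "no entry, zero holding_time" before the entry is used. */
static enum outcome handle_patched(struct eg_entry *entry, uint16_t holding_time)
{
    if (entry == NULL && !holding_time)
        return IGNORED;
    return handle_unpatched(entry, holding_time);
}

int main(void)
{
    printf("NULL entry, holding_time 0: unpatched=%d patched=%d\n",
           handle_unpatched(NULL, 0), handle_patched(NULL, 0));
    printf("NULL entry, holding_time 30: patched=%d\n", handle_patched(NULL, 30));
    printf("existing entry, holding_time 30: patched=%d\n", handle_patched(&sample, 30));
    printf("existing entry, holding_time 0: patched=%d\n", handle_patched(&sample, 0));
    return 0;
}
```

Of the four input combinations, only "no entry, zero holding_time" reaches the remove/put path with a NULL pointer in the unguarded handler; the other three behave identically in both.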

Reserved 2024-12-29 | Published 2025-04-16 | Updated 2025-04-16 | Assigner Linux

Product status

Default status: unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before ab92f51c7f53a08f1a686bfb80690ebb3672357d: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 1505f9b720656b17865e4166ab002960162bf679: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before d7f1e4a53a51cc6ba833afcb40439f18dab61c1f: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 0ef6e49881b6b50ac454cb9d6501d009fdceb6fc: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 9da6b6340dbcf0f60ae3ec6a7d6438337c32518a: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 09691f367df44fe93255274d80a439f9bb3263fc: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 3c23bb2c894e9ef2727682f98c341b20f78c9013: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 14c7aca5ba2740973de27c1bb8df77b4dcb6f775: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before bf2986fcf82a449441f9ee4335df19be19e83970: affected

Default status: affected

2.6.12: affected
Any version before 2.6.12: unaffected
5.4.292: unaffected
5.10.236: unaffected
5.15.180: unaffected
6.1.133: unaffected
6.6.86: unaffected
6.12.22: unaffected
6.13.10: unaffected
6.14.1: unaffected
6.15-rc1: unaffected

References

git.kernel.org/...c/ab92f51c7f53a08f1a686bfb80690ebb3672357d

git.kernel.org/...c/1505f9b720656b17865e4166ab002960162bf679

git.kernel.org/...c/d7f1e4a53a51cc6ba833afcb40439f18dab61c1f

git.kernel.org/...c/0ef6e49881b6b50ac454cb9d6501d009fdceb6fc

git.kernel.org/...c/9da6b6340dbcf0f60ae3ec6a7d6438337c32518a

git.kernel.org/...c/09691f367df44fe93255274d80a439f9bb3263fc

git.kernel.org/...c/3c23bb2c894e9ef2727682f98c341b20f78c9013

git.kernel.org/...c/14c7aca5ba2740973de27c1bb8df77b4dcb6f775

git.kernel.org/...c/bf2986fcf82a449441f9ee4335df19be19e83970

cve.org (CVE-2025-22018)

nvd.nist.gov (CVE-2025-22018)
