Home

Description

In the Linux kernel, the following vulnerability has been resolved: fs/proc: fix uaf in proc_readdir_de() Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access. We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time. The steps of the issue is as follows: 1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current pde is tun3; 2) in the [time windows] unregister netdevice tun3 and tun2, and erase them from rbtree. erase tun3 first, and then erase tun2. the pde(tun2) will be released to slab; 3) continue to getdent process, then pde_subdir_next() will return pde(tun2) which is released, it will case uaf access. CPU 0 | CPU 1 ------------------------------------------------------------------------- traverse dir /proc/pid/net/dev_snmp6/ | unregister_netdevice(tun->dev) //tun3 tun2 sys_getdents64() | iterate_dir() | proc_readdir() | proc_readdir_de() | snmp6_unregister_dev() pde_get(de); | proc_remove() read_unlock(&proc_subdir_lock); | remove_proc_subtree() | write_lock(&proc_subdir_lock); [time window] | rb_erase(&root->subdir_node, &parent->subdir); | write_unlock(&proc_subdir_lock); read_lock(&proc_subdir_lock); | next = pde_subdir_next(de); | pde_put(de); | de = next; //UAF | rbtree of dev_snmp6 | pde(tun3) / \ NULL pde(tun2)

PUBLISHED Reserved 2025-04-16 | Published 2025-12-06 | Updated 2025-12-06 | Assigner Linux

Product status

Default status
unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 1d1596d68a6f11d28f677eedf6cf5b17dbfeb491
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before c81d0385500446efe48c305bbb83d47f2ae23a50
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 4cba73c4c89219beef7685a47374bf88b1022369
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 6f2482745e510ae1dacc9b090194b9c5f918d774
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 67272c11f379d9aa5e0f6b16286b9d89b3f76046
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 623bb26127fb581a741e880e1e1a47d79aecb6f8
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 03de7ff197a3d0e17d0d5c58fdac99a63cba8110
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 895b4c0c79b092d732544011c3cecaf7322c36a1
affected

Default status
affected

5.4.302 (semver)
unaffected

5.10.247 (semver)
unaffected

5.15.197 (semver)
unaffected

6.1.159 (semver)
unaffected

6.6.117 (semver)
unaffected

6.12.59 (semver)
unaffected

6.17.9 (semver)
unaffected

6.18 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/1d1596d68a6f11d28f677eedf6cf5b17dbfeb491

git.kernel.org/...c/c81d0385500446efe48c305bbb83d47f2ae23a50

git.kernel.org/...c/4cba73c4c89219beef7685a47374bf88b1022369

git.kernel.org/...c/6f2482745e510ae1dacc9b090194b9c5f918d774

git.kernel.org/...c/67272c11f379d9aa5e0f6b16286b9d89b3f76046

git.kernel.org/...c/623bb26127fb581a741e880e1e1a47d79aecb6f8

git.kernel.org/...c/03de7ff197a3d0e17d0d5c58fdac99a63cba8110

git.kernel.org/...c/895b4c0c79b092d732544011c3cecaf7322c36a1

cve.org (CVE-2025-40271)

nvd.nist.gov (CVE-2025-40271)

Download JSON