CVE-2025-40271

fs/proc: fix uaf in proc_readdir_de()

In the Linux kernel, the following vulnerability has been resolved:

fs/proc: fix uaf in proc_readdir_de()

Pde is erased from subdir rbtree through rb_erase(), but the node is not set
to EMPTY, which may result in UAF access.  We should use RB_CLEAR_NODE() to
set the erased node to EMPTY, then pde_subdir_next() will return NULL to
avoid UAF access.

We found a UAF issue while using stress-ng testing; the testcases getdent
and tun need to run at the same time.  The steps of the issue are as follows:

1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and the current
   pde is tun3;

2) in the [time window] unregister netdevices tun3 and tun2, and erase
   them from the rbtree.  Erase tun3 first, and then erase tun2.  The
   pde(tun2) will be released to slab;

3) continue the getdent process, then pde_subdir_next() will return
   pde(tun2), which is released; it will cause UAF access.

CPU 0                                      |    CPU 1
-------------------------------------------------------------------------
traverse dir /proc/pid/net/dev_snmp6/      |   unregister_netdevice(tun->dev)   //tun3 tun2
sys_getdents64()                           |
  iterate_dir()                            |
    proc_readdir()                         |
      proc_readdir_de()                    |     snmp6_unregister_dev()
        pde_get(de);                       |       proc_remove()
        read_unlock(&proc_subdir_lock);    |         remove_proc_subtree()
                                           |           write_lock(&proc_subdir_lock);
        [time window]                      |           rb_erase(&root->subdir_node, &parent->subdir);
                                           |           write_unlock(&proc_subdir_lock);
        read_lock(&proc_subdir_lock);      |
        next = pde_subdir_next(de);        |
        pde_put(de);                       |
        de = next;    //UAF                |

rbtree of dev_snmp6
                        |
                    pde(tun3)
                     /    \
                  NULL  pde(tun2)
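To make the two behaviours the fix separates visible, here is an added stand-alone model; it is not the kernel's fs/proc or rbtree code. It uses an unbalanced binary tree with parent pointers, the same successor walk rb_next() performs, an erase() that, like rb_erase(), leaves the removed node's own links untouched, and a clear_node() standing in for RB_CLEAR_NODE(). replay() re-runs steps 1-3 from the report with and without the clear.

```c
#include <stddef.h>
/* Constructed model, not kernel code: an unbalanced binary tree with parent
 * pointers is enough to show the successor walk pde_subdir_next() relies on. */
struct node {
    struct node *parent, *left, *right;
    int released;    /* stands in for the pde having been freed to slab */
};
/* Counterparts of RB_CLEAR_NODE() / RB_EMPTY_NODE(): an empty node points at itself. */
static void clear_node(struct node *n) { n->parent = n; }
static int node_empty(const struct node *n) { return n->parent == n; }

/* In-order successor, the walk rb_next() performs: leftmost node of the right
 * subtree, otherwise climb until we arrive from a left child. */
static struct node *next_raw(struct node *n)
{
    if (n->right) {
        n = n->right;
        while (n->left) n = n->left;
        return n;
    }
    while (n->parent && n == n->parent->right) n = n->parent;
    return n->parent;
}
/* Unlink a node with at most one child. Like rb_erase(), this rewires the tree
 * but leaves the erased node's own parent/left/right links as they were. */
static void erase(struct node **root, struct node *n)
{
    struct node *child = n->left ? n->left : n->right;
    if (child) child->parent = n->parent;
    if (!n->parent) *root = child;
    else if (n->parent->left == n) n->parent->left = child;
    else n->parent->right = child;
}
/* Fixed pde_subdir_next(): never walk from a node that is no longer in a tree. */
static struct node *next_fixed(struct node *n) { return node_empty(n) ? NULL : next_raw(n); }

/* Steps 1-3 of the report: the reader holds pde(tun3) while tun3 and then tun2 are
 * erased and tun2 is released. Returns 1 if the next step lands on the released
 * pde(tun2) (the UAF) and 0 if the reader gets NULL instead. */
int replay(int with_clear)
{
    struct node tun3 = {0}, tun2 = {0}, *root = &tun3, *next;
    tun3.right = &tun2;          /* rbtree of dev_snmp6: tun2 is tun3's right child */
    tun2.parent = &tun3;
    erase(&root, &tun3);
    if (with_clear) clear_node(&tun3);
    erase(&root, &tun2);
    tun2.released = 1;
    if (with_clear) clear_node(&tun2);
    next = with_clear ? next_fixed(&tun3) : next_raw(&tun3);
    return next != NULL && next->released;
}
```

Without the clear, tun3's stale right link still points at the released tun2, which is exactly the pointer the reader would dereference in the kernel; with the clear, the walk stops at NULL.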
Data provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Vendor: Linux
Product: Linux
Default status: unaffected
Affected git ranges (each starts at commit 710585d4922fd315f2cada8fbe550ae8ed23e994):
  710585d4922fd315f2cada8fbe550ae8ed23e994 .. < 1d1596d68a6f11d28f677eedf6cf5b17dbfeb491   affected
  710585d4922fd315f2cada8fbe550ae8ed23e994 .. < c81d0385500446efe48c305bbb83d47f2ae23a50   affected
  710585d4922fd315f2cada8fbe550ae8ed23e994 .. < 4cba73c4c89219beef7685a47374bf88b1022369   affected
  710585d4922fd315f2cada8fbe550ae8ed23e994 .. < 6f2482745e510ae1dacc9b090194b9c5f918d774   affected
  710585d4922fd315f2cada8fbe550ae8ed23e994 .. < 67272c11f379d9aa5e0f6b16286b9d89b3f76046   affected
  710585d4922fd315f2cada8fbe550ae8ed23e994 .. < 623bb26127fb581a741e880e1e1a47d79aecb6f8   affected
  710585d4922fd315f2cada8fbe550ae8ed23e994 .. < 03de7ff197a3d0e17d0d5c58fdac99a63cba8110   affected
  710585d4922fd315f2cada8fbe550ae8ed23e994 .. < 895b4c0c79b092d732544011c3cecaf7322c36a1   affected

Vendor: Linux
Product: Linux
Default status: affected
Version ranges:
  3.19                     affected
  0 .. < 3.19              unaffected
  5.4.302 .. <= 5.4.*      unaffected
  5.10.247 .. <= 5.10.*    unaffected
  5.15.197 .. <= 5.15.*    unaffected
  6.1.159 .. <= 6.1.*      unaffected
  6.6.117 .. <= 6.6.*      unaffected
  6.12.59 .. <= 6.12.*     unaffected
  6.17.9 .. <= 6.17.*      unaffected
  6.18 .. <= *             unaffected
VulnDex Vulnerability Enrichment
No advisory was found for this CVE.
EPSS metrics
Type   Source      Score   Percentile
EPSS   FIRST.org   4.66%   0.894
CVSS metrics
Source   Base Score   Exploit Score   Impact Score   Vector String
No CWE information has been published yet.