CVE-2025-22085

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-22085
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-22085.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-22085
Downstream
Related
Published
2025-04-16T14:12:33Z
Modified
2025-10-15T23:47:08.920307Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
RDMA/core: Fix use-after-free when rename device name
Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/core: Fix use-after-free when rename device name

Syzbot reported a slab-use-after-free with the following call trace:

================================================================== BUG: KASAN: slab-use-after-free in nla_put+0xd3/0x150 lib/nlattr.c:1099 Read of size 5 at addr ffff888140ea1c60 by task syz.0.988/10025

CPU: 0 UID: 0 PID: 10025 Comm: syz.0.988 Not tainted 6.14.0-rc4-syzkaller-00859-gf77f12010f67 #0 Hardware name: Google Compute Engine, BIOS Google 02/12/2025 Call Trace: <TASK> dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x241/0x360 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:408 [inline] printreport+0x16e/0x5b0 mm/kasan/report.c:521 kasanreport+0x143/0x180 mm/kasan/report.c:634 kasancheckrange+0x282/0x290 mm/kasan/generic.c:189 _asanmemcpy+0x29/0x70 mm/kasan/shadow.c:105 nlaput+0xd3/0x150 lib/nlattr.c:1099 nlaputstring include/net/netlink.h:1621 [inline] fillnldevhandle+0x16e/0x200 drivers/infiniband/core/nldev.c:265 rdmanlnotifyevent+0x561/0xef0 drivers/infiniband/core/nldev.c:2857 ibdevicenotifyregister+0x22/0x230 drivers/infiniband/core/device.c:1344 ibregisterdevice+0x1292/0x1460 drivers/infiniband/core/device.c:1460 rxeregisterdevice+0x233/0x350 drivers/infiniband/sw/rxe/rxeverbs.c:1540 rxenetadd+0x74/0xf0 drivers/infiniband/sw/rxe/rxenet.c:550 rxenewlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212 nldevnewlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795 rdmanlrcvskb drivers/infiniband/core/netlink.c:239 [inline] rdmanlrcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259 netlinkunicastkernel net/netlink/afnetlink.c:1313 [inline] netlinkunicast+0x7f6/0x990 net/netlink/afnetlink.c:1339 netlinksendmsg+0x8de/0xcb0 net/netlink/afnetlink.c:1883 socksendmsgnosec net/socket.c:709 [inline] _socksendmsg+0x221/0x270 net/socket.c:724 syssendmsg+0x53a/0x860 net/socket.c:2564 _syssendmsg net/socket.c:2618 [inline] _syssendmsg+0x269/0x350 net/socket.c:2650 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xf3/0x230 arch/x86/entry/common.c:83 entrySYSCALL64afterhwframe+0x77/0x7f RIP: 0033:0x7f42d1b8d169 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 ... RSP: 002b:00007f42d2960038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f42d1da6320 RCX: 00007f42d1b8d169 RDX: 0000000000000000 RSI: 00004000000002c0 RDI: 000000000000000c RBP: 00007f42d1c0e2a0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f42d1da6320 R15: 00007ffe399344a8 </TASK>

Allocated by task 10025: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x3f/0x80 mm/kasan/common.c:68 poisonkmallocredzone mm/kasan/common.c:377 [inline] _kasankmalloc+0x98/0xb0 mm/kasan/common.c:394 kasankmalloc include/linux/kasan.h:260 [inline] _dokmallocnode mm/slub.c:4294 [inline] _kmallocnodetrackcallernoprof+0x28b/0x4c0 mm/slub.c:4313 _kmemdupnul mm/util.c:61 [inline] kstrdup+0x42/0x100 mm/util.c:81 kobjectsetnamevargs+0x61/0x120 lib/kobject.c:274 devsetname+0xd5/0x120 drivers/base/core.c:3468 assignname drivers/infiniband/core/device.c:1202 [inline] ibregisterdevice+0x178/0x1460 drivers/infiniband/core/device.c:1384 rxeregisterdevice+0x233/0x350 drivers/infiniband/sw/rxe/rxeverbs.c:1540 rxenetadd+0x74/0xf0 drivers/infiniband/sw/rxe/rxenet.c:550 rxenewlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212 nldevnewlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795 rdmanlrcvskb drivers/infiniband/core/netlink.c:239 [inline] rdmanlrcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259 netlinkunicastkernel net/netlink/afnetlink.c:1313 [inline] netlinkunicast+0x7f6/0x990 net/netlink/afnetlink.c:1339 netlinksendmsg+0x8de/0xcb0 net ---truncated---

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9cbed5aab5aeea420d0aa945733bf608449d44fb
Fixed
0d6460b9d2a3ee380940bdf47680751ef91cb88e
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9cbed5aab5aeea420d0aa945733bf608449d44fb
Fixed
56ec8580be5174b2b9774066e60f1aad56d201db
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9cbed5aab5aeea420d0aa945733bf608449d44fb
Fixed
edf6b543e81ba68c6dbac2499ab362098a5a9716
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9cbed5aab5aeea420d0aa945733bf608449d44fb
Fixed
1d6a9e7449e2a0c1e2934eee7880ba8bd1e464cd

Affected versions

v6.*

v6.11
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.1
v6.13.10
v6.13.2
v6.13.3
v6.13.4
v6.13.5
v6.13.6
v6.13.7
v6.13.8
v6.13.9
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.12.0
Fixed
6.12.23
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.13.11
Type
ECOSYSTEM
Events
Introduced
6.14.0
Fixed
6.14.2