cve-2025-37759
Vulnerability from cvelistv5
Published
2025-05-01 12:56
Modified
2025-05-01 12:56
Severity ?
EPSS score ?
Summary
ublk: fix handling recovery & reissue in ublk_abort_queue()
References
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/ublk_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "caa5c8a2358604f38bf0a4afaa5eacda13763067",
"status": "affected",
"version": "8284066946e6d9cc979566ce698fe24e7ca0b31e",
"versionType": "git"
},
{
"lessThan": "5d34a30efac9c9c93e150130caa940c0df6053c1",
"status": "affected",
"version": "8284066946e6d9cc979566ce698fe24e7ca0b31e",
"versionType": "git"
},
{
"lessThan": "0a21d259ca4d6310fdfcc0284ebbc000e66cbf70",
"status": "affected",
"version": "8284066946e6d9cc979566ce698fe24e7ca0b31e",
"versionType": "git"
},
{
"lessThan": "6ee6bd5d4fce502a5b5a2ea805e9ff16e6aa890f",
"status": "affected",
"version": "8284066946e6d9cc979566ce698fe24e7ca0b31e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/ublk_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: fix handling recovery \u0026 reissue in ublk_abort_queue()\n\nCommit 8284066946e6 (\"ublk: grab request reference when the request is handled\nby userspace\") doesn\u0027t grab request reference in case of recovery reissue.\nThen the request can be requeued \u0026 re-dispatch \u0026 failed when canceling\nuring command.\n\nIf it is one zc request, the request can be freed before io_uring\nreturns the zc buffer back, then cause kernel panic:\n\n[ 126.773061] BUG: kernel NULL pointer dereference, address: 00000000000000c8\n[ 126.773657] #PF: supervisor read access in kernel mode\n[ 126.774052] #PF: error_code(0x0000) - not-present page\n[ 126.774455] PGD 0 P4D 0\n[ 126.774698] Oops: Oops: 0000 [#1] SMP NOPTI\n[ 126.775034] CPU: 13 UID: 0 PID: 1612 Comm: kworker/u64:55 Not tainted 6.14.0_blk+ #182 PREEMPT(full)\n[ 126.775676] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014\n[ 126.776275] Workqueue: iou_exit io_ring_exit_work\n[ 126.776651] RIP: 0010:ublk_io_release+0x14/0x130 [ublk_drv]\n\nFixes it by always grabbing request reference for aborting the request."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T12:56:03.462Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/caa5c8a2358604f38bf0a4afaa5eacda13763067"
},
{
"url": "https://git.kernel.org/stable/c/5d34a30efac9c9c93e150130caa940c0df6053c1"
},
{
"url": "https://git.kernel.org/stable/c/0a21d259ca4d6310fdfcc0284ebbc000e66cbf70"
},
{
"url": "https://git.kernel.org/stable/c/6ee6bd5d4fce502a5b5a2ea805e9ff16e6aa890f"
}
],
"title": "ublk: fix handling recovery \u0026 reissue in ublk_abort_queue()",
"x_generator": {
"engine": "bippy-1.1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37759",
"datePublished": "2025-05-01T12:56:03.462Z",
"dateReserved": "2025-04-16T04:51:23.938Z",
"dateUpdated": "2025-05-01T12:56:03.462Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-37759\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-05-01T13:15:54.690\",\"lastModified\":\"2025-05-02T13:53:20.943\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nublk: fix handling recovery \u0026 reissue in ublk_abort_queue()\\n\\nCommit 8284066946e6 (\\\"ublk: grab request reference when the request is handled\\nby userspace\\\") doesn\u0027t grab request reference in case of recovery reissue.\\nThen the request can be requeued \u0026 re-dispatch \u0026 failed when canceling\\nuring command.\\n\\nIf it is one zc request, the request can be freed before io_uring\\nreturns the zc buffer back, then cause kernel panic:\\n\\n[ 126.773061] BUG: kernel NULL pointer dereference, address: 00000000000000c8\\n[ 126.773657] #PF: supervisor read access in kernel mode\\n[ 126.774052] #PF: error_code(0x0000) - not-present page\\n[ 126.774455] PGD 0 P4D 0\\n[ 126.774698] Oops: Oops: 0000 [#1] SMP NOPTI\\n[ 126.775034] CPU: 13 UID: 0 PID: 1612 Comm: kworker/u64:55 Not tainted 6.14.0_blk+ #182 PREEMPT(full)\\n[ 126.775676] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014\\n[ 126.776275] Workqueue: iou_exit io_ring_exit_work\\n[ 126.776651] RIP: 0010:ublk_io_release+0x14/0x130 [ublk_drv]\\n\\nFixes it by always grabbing request reference for aborting the request.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ublk: correcci\u00f3n del manejo de la recuperaci\u00f3n y la reemisi\u00f3n en ublk_abort_queue(). La confirmaci\u00f3n 8284066946e6 (\\\"ublk: toma la referencia de la solicitud cuando la solicitud es manejada por el espacio de usuario\\\") no toma la referencia de la solicitud en caso de reemisi\u00f3n de recuperaci\u00f3n. En ese caso, la solicitud se puede volver a poner en cola y reenviar, y falla al cancelar el comando \\\"uring\\\". Si es una solicitud zc, la solicitud se puede liberar antes de que io_uring devuelva el buffer zc, y luego cause p\u00e1nico en el kernel: [ 126.773061] ERROR: desreferencia de puntero NULL del kernel, direcci\u00f3n: 00000000000000c8 [ 126.773657] #PF: acceso de lectura del supervisor en modo kernel [ 126.774052] #PF: error_code(0x0000) - p\u00e1gina no presente [ 126.774455] PGD 0 P4D 0 [ 126.774698] Oops: Oops: 0000 [#1] SMP NOPTI [ 126.775034] CPU: 13 UID: 0 PID: 1612 Comm: kworker/u64:55 No contaminado 6.14.0_blk+ #182 PREEMPT(full) [ 126.775676] Nombre del hardware: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 01/04/2014 [ 126.776275] Cola de trabajo: iou_exit io_ring_exit_work [ 126.776651] RIP: 0010:ublk_io_release+0x14/0x130 [ublk_drv] Lo corrige tomando siempre la referencia de la solicitud para abortar la solicitud.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0a21d259ca4d6310fdfcc0284ebbc000e66cbf70\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5d34a30efac9c9c93e150130caa940c0df6053c1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6ee6bd5d4fce502a5b5a2ea805e9ff16e6aa890f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/caa5c8a2358604f38bf0a4afaa5eacda13763067\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.