CVE-2025-22085

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-22085
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22085.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-22085
Downstream
Related
Published
2025-04-16T14:12:33.821Z
Modified
2025-12-02T08:30:17.346481Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
RDMA/core: Fix use-after-free when rename device name
Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/core: Fix use-after-free when rename device name

Syzbot reported a slab-use-after-free with the following call trace:

==================================================================
BUG: KASAN: slab-use-after-free in nla_put+0xd3/0x150 lib/nlattr.c:1099
Read of size 5 at addr ffff888140ea1c60 by task syz.0.988/10025

CPU: 0 UID: 0 PID: 10025 Comm: syz.0.988 Not tainted 6.14.0-rc4-syzkaller-00859-gf77f12010f67 #0
Hardware name: Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0x16e/0x5b0 mm/kasan/report.c:521
 kasan_report+0x143/0x180 mm/kasan/report.c:634
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
 nla_put+0xd3/0x150 lib/nlattr.c:1099
 nla_put_string include/net/netlink.h:1621 [inline]
 fill_nldev_handle+0x16e/0x200 drivers/infiniband/core/nldev.c:265
 rdma_nl_notify_event+0x561/0xef0 drivers/infiniband/core/nldev.c:2857
 ib_device_notify_register+0x22/0x230 drivers/infiniband/core/device.c:1344
 ib_register_device+0x1292/0x1460 drivers/infiniband/core/device.c:1460
 rxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540
 rxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550
 rxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212
 nldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795
 rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
 rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259
 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
 netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339
 netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1883
 sock_sendmsg_nosec net/socket.c:709 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:724
 ____sys_sendmsg+0x53a/0x860 net/socket.c:2564
 ___sys_sendmsg net/socket.c:2618 [inline]
 __sys_sendmsg+0x269/0x350 net/socket.c:2650
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f42d1b8d169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 ...
RSP: 002b:00007f42d2960038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f42d1da6320 RCX: 00007f42d1b8d169
RDX: 0000000000000000 RSI: 00004000000002c0 RDI: 000000000000000c
RBP: 00007f42d1c0e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f42d1da6320 R15: 00007ffe399344a8
 </TASK>

Allocated by task 10025:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4294 [inline]
 __kmalloc_node_track_caller_noprof+0x28b/0x4c0 mm/slub.c:4313
 __kmemdup_nul mm/util.c:61 [inline]
 kstrdup+0x42/0x100 mm/util.c:81
 kobject_set_name_vargs+0x61/0x120 lib/kobject.c:274
 dev_set_name+0xd5/0x120 drivers/base/core.c:3468
 assign_name drivers/infiniband/core/device.c:1202 [inline]
 ib_register_device+0x178/0x1460 drivers/infiniband/core/device.c:1384
 rxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540
 rxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550
 rxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212
 nldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795
 rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
 rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259
 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
 netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339
 netlink_sendmsg+0x8de/0xcb0 net
---truncated---
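
The two traces above pin down the object: the name is a kstrdup()'d string created by dev_set_name() during ib_register_device(), and the faulting read is the strlen()+memcpy() that nla_put_string() performs on it from the register notification, while (per the title) a rename of the device frees that string underneath it. The following C program is an added user-space model of that interleaving; it is not kernel code and not the upstream fix. The slot pool, the `model_*` helpers and the `readers`/`blocked_writer` fields are constructions of this example: the pool reports a read of a freed name instead of invoking undefined behaviour, and the "serialised" variant stands in for taking a read lock around the name copy so a concurrent rename has to wait. It makes no claim about which lock the upstream patch uses.

```c
#include <stdio.h>
#include <string.h>

/* Added user-space model of CVE-2025-22085, not kernel code. Names live in a
 * tiny "KASAN-like" pool so that reading a freed name is reported (ERR_UAF)
 * instead of being undefined behaviour. */
#define POOL_SLOTS 8
#define NAME_LEN   32
#define ERR_UAF   (-1)   /* stands in for "KASAN: slab-use-after-free" */
#define ERR_NOMEM (-2)
#define ERR_RANGE (-3)

struct slot { char bytes[NAME_LEN]; int live; };
static struct slot pool[POOL_SLOTS];

/* models kstrdup() in dev_set_name(): copy the name into a free slot */
static struct slot *model_kstrdup(const char *s)
{
    size_t n = strlen(s);
    if (n >= NAME_LEN)
        return NULL;
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].live) {
            memcpy(pool[i].bytes, s, n + 1);
            pool[i].live = 1;
            return &pool[i];
        }
    }
    return NULL;
}

/* models kfree(): poison the bytes and mark the slot dead, as KASAN does */
static void model_kfree(struct slot *s)
{
    memset(s->bytes, 0xfb, NAME_LEN);
    s->live = 0;
}

/* models nla_put_string(): strlen() then memcpy() of the name into the
 * message; the live check is the shadow-memory check KASAN does on the copy */
static int model_nla_put_string(const struct slot *s, char *out, size_t outlen)
{
    if (!s->live)
        return ERR_UAF;
    size_t n = strlen(s->bytes) + 1;
    if (n > outlen)
        return ERR_RANGE;
    memcpy(out, s->bytes, n);
    return 0;
}

struct model_ibdev {
    struct slot *name;           /* dev_name(&device->dev) */
    int readers;                 /* read-holders of a hypothetical serialising lock */
    const char *blocked_writer;  /* a renamer sleeping on that lock's write side */
};

/* models device_rename(): install a new name and free the old one. A renamer
 * arriving while a reader holds the lock sleeps; we park it in blocked_writer. */
static int model_rename(struct model_ibdev *d, const char *newname)
{
    if (d->readers > 0) {
        d->blocked_writer = newname;
        return 1;                /* deferred until the reader unlocks */
    }
    struct slot *old = d->name;
    struct slot *fresh = model_kstrdup(newname);
    if (!fresh)
        return ERR_NOMEM;
    d->name = fresh;
    model_kfree(old);            /* anyone still holding `old` now reads freed memory */
    return 0;
}

typedef void (*preempt_fn)(struct model_ibdev *d);

/* models rdma_nl_notify_event() -> fill_nldev_handle() -> nla_put_string().
 * `preempt` runs between loading the name pointer and copying the bytes: the
 * renamer running on another CPU at exactly that moment. serialised == 0 is
 * the racy sequence; serialised == 1 copies under a read lock. */
static int model_notify_event(struct model_ibdev *d, int serialised,
                              preempt_fn preempt, char *out, size_t outlen)
{
    if (serialised)
        d->readers++;                        /* down_read() */
    struct slot *name = d->name;             /* pointer loaded once */
    if (preempt)
        preempt(d);                          /* rename lands here */
    int ret = model_nla_put_string(name, out, outlen);
    if (serialised && --d->readers == 0 && d->blocked_writer) {
        const char *pending = d->blocked_writer;   /* up_read() wakes the writer */
        d->blocked_writer = NULL;
        model_rename(d, pending);
    }
    return ret;
}

static void rename_during_notify(struct model_ibdev *d)
{
    model_rename(d, "rxe_renamed");
}

/* Replay one interleaving: register "rxe0", start a notification, let a rename
 * land mid-copy, finish. Returns the notifier's result; `copied` gets the bytes
 * put in the message, `final_name` the device name afterwards. */
int run_interleaving(int serialised, char *copied, size_t clen,
                     char *final_name, size_t flen)
{
    memset(pool, 0, sizeof pool);
    struct model_ibdev dev = { model_kstrdup("rxe0"), 0, NULL };
    int ret = model_notify_event(&dev, serialised, rename_during_notify,
                                 copied, clen);
    if (ret != 0 && clen)
        copied[0] = '\0';        /* nothing trustworthy was copied */
    snprintf(final_name, flen, "%s", dev.name->bytes);
    return ret;
}

int main(void)
{
    char copied[NAME_LEN], after[NAME_LEN];
    for (int s = 0; s < 2; s++) {
        int r = run_interleaving(s, copied, sizeof copied, after, sizeof after);
        printf("%s: ret=%d copied=\"%s\" device now \"%s\"\n",
               s ? "serialised  " : "unserialised", r, copied, after);
    }
    return 0;
}
```

In the unserialised replay the notifier loads the name pointer, the rename frees that slot, and the copy faults on dead memory, which is the sequence KASAN flagged in nla_put(). In the serialised replay the rename cannot free the slot while the copy is in flight; it completes as soon as the reader drops the lock, so the message carries the consistent old name and the device ends up renamed. Whatever the real fix looks like, the property to test for is the same: no path may read dev_name() of an ib_device without something preventing a concurrent rename from freeing it.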

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22085.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9cbed5aab5aeea420d0aa945733bf608449d44fb
Fixed
0d6460b9d2a3ee380940bdf47680751ef91cb88e
Fixed
56ec8580be5174b2b9774066e60f1aad56d201db
Fixed
edf6b543e81ba68c6dbac2499ab362098a5a9716
Fixed
1d6a9e7449e2a0c1e2934eee7880ba8bd1e464cd

Affected versions

v6.*

v6.11
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.1
v6.13.10
v6.13.2
v6.13.3
v6.13.4
v6.13.5
v6.13.6
v6.13.7
v6.13.8
v6.13.9
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22085.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.12.0
Fixed
6.12.23
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.13.11
Type
ECOSYSTEM
Events
Introduced
6.14.0
Fixed
6.14.2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22085.json"
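
The three ECOSYSTEM ranges above are half-open intervals: a release is affected from Introduced up to but not including Fixed (6.12.0 ≤ v < 6.12.23, 6.13.0 ≤ v < 6.13.11, 6.14.0 ≤ v < 6.14.2). Two caveats before trusting such a check: the GIT tag list also names v6.11-rc6 through v6.11, which the ECOSYSTEM table does not cover, so anything below 6.12 should be judged against the fix commits rather than declared clean; and distribution kernels backport fixes without changing the version string, so a hit is a reason to look at the distro's changelog, not proof of exposure. The following C program is an added triage helper, not part of the OSV page or the kernel project; `parse_kver`, `kernel_release_affected` and the sample release strings are constructions of this example, and the sample strings are made up (the syzkaller one is the release string from the trace above).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One "Introduced"/"Fixed" ECOSYSTEM range from the page: [introduced, fixed). */
struct kver { int major, minor, patch; };
struct range { struct kver introduced, fixed; };

/* The Linux / Kernel ranges listed on the page for CVE-2025-22085. */
static const struct range affected_ranges[] = {
    { {6, 12, 0}, {6, 12, 23} },
    { {6, 13, 0}, {6, 13, 11} },
    { {6, 14, 0}, {6, 14,  2} },
};

/* Parse "6.12.15", "6.13.9-arch1-1", "6.14.0-rc4-syzkaller-00859-g...".
 * Only the leading dotted numbers count: a missing patch level is 0 and any
 * -rcN or distro suffix is ignored, which matches the page listing
 * v6.14-rc1..rc7 as affected alongside the 6.14.0 introduction.
 * Returns 0 on success, -1 if the string does not start with "major.minor". */
int parse_kver(const char *s, struct kver *out)
{
    int parts[3] = {0, 0, 0};
    int i = 0;
    const char *p = s;
    for (;;) {
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p || v < 0 || v > 9999)
            return -1;
        parts[i++] = (int)v;
        if (i == 3 || *end != '.')
            break;
        p = end + 1;
    }
    if (i < 2)
        return -1;
    out->major = parts[0];
    out->minor = parts[1];
    out->patch = parts[2];
    return 0;
}

static int kver_cmp(struct kver a, struct kver b)
{
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/* 1 = release falls inside a listed affected range, 0 = outside every listed
 * range (which is not the same as "not vulnerable", see the caveats above),
 * -1 = release string not parseable. */
int kernel_release_affected(const char *release)
{
    struct kver v;
    if (parse_kver(release, &v) != 0)
        return -1;
    size_t n = sizeof affected_ranges / sizeof affected_ranges[0];
    for (size_t i = 0; i < n; i++) {
        if (kver_cmp(v, affected_ranges[i].introduced) >= 0 &&
            kver_cmp(v, affected_ranges[i].fixed) < 0)
            return 1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed sample releases; pass `uname -r` output as argv[1] for a live host. */
    const char *samples[] = {
        "6.12.22", "6.12.23", "6.13.10-arch1-1", "6.13.11",
        "6.14.0-rc4-syzkaller-00859-gf77f12010f67", "6.14.2",
        "6.11.0", "6.15.0", "not-a-version",
    };
    size_t count = sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < (argc > 1 ? 1u : count); i++) {
        const char *rel = argc > 1 ? argv[1] : samples[i];
        int r = kernel_release_affected(rel);
        printf("%-44s %s\n", rel,
               r == 1 ? "in an affected range" :
               r == 0 ? "outside listed ranges" : "unparseable");
    }
    return 0;
}
```

The fixed commits listed under the GIT range are the authoritative check for a kernel built from source: confirm the relevant one (0d6460b9d2a3 for 6.12.y, 56ec8580be51 for 6.13.y, 1d6a9e7449e2 for 6.14.y, edf6b543e81b for mainline, per the order the page lists them) is in the tree's history rather than relying on the version string alone.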