DEBIAN-CVE-2025-40214

In the Linux kernel, the following vulnerability has been resolved: afunix: Initialise sccindex in unixaddedge(). Quang Le reported that the AFUNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro. The repro consists of three stages. 1) 1-a. Create a single cyclic reference with many sockets 1-b. close() all sockets 1-c. Trigger GC 2) 2-a. Pass sk-A to an embryo sk-B 2-b. Pass sk-X to sk-X 2-c. Trigger GC 3) 3-a. accept() the embryo sk-B 3-b. Pass sk-B to sk-C 3-c. close() the in-flight sk-A 3-d. Trigger GC As of 2-c, sk-A and sk-X are linked to unixunvisitedvertices, and unixwalkscc() groups them into two different SCCs: unixsk(sk-A)->vertex->sccindex = 2 (UNIXVERTEXINDEXSTART) unixsk(sk-X)->vertex->sccindex = 3 Once GC completes, unixgraphgrouped is set to true. Also, unixgraphmaybecyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC. At 3-b, unixaddedge() allocates unixsk(sk-B)->vertex and links it to unixunvisitedvertices. unixupdategraph() is called at 3-a. and 3-b., but neither unixgraphgrouped nor unixgraphmaybecyclic is changed because both sk-B's listener and sk-C are not in-flight. 3-c decrements sk-A's file refcnt to 1. Since unixgraphgrouped is true at 3-d, unixwalksccfast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X: sk-A -> sk-B (-> sk-C) sk-X -> sk-X This is totally fine. All of them are not yet close()d and should be grouped into different SCCs. However, unixvertexdead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead. unixsk(sk-A)->sccindex == unixsk(sk-B)->sccindex <-- Wrong! && sk-A's file refcnt == unixsk(sk-A)->vertex->outdegree ^-- 1 in-flight count for sk-B -> sk-A is dead !? The problem is that unixaddedge() does not initialise sccindex. Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->sccindex == 2 (UNIXVERTEXINDEXSTART) set by unixwalkscc() at 1-c. Let's track the max SCC index from the previous unixwalkscc() call and assign the max + 1 to a new vertex's sccindex. This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.