CVE-2025-21858

一、漏洞信息
 漏洞编号：[CVE-2025-21858](https://nvd.nist.gov/vuln/detail/CVE-2025-21858)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.19,6.1.8,6.4.0,6.6.0
 CVSS V3.0分值：
  BaseScore：7.8 High
  Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:geneve: Fix use-after-free in geneve_find_dev().syzkaller reported a use-after-free in geneve_find_dev() [0]without repro.geneve_configure() links struct geneve_dev.next tonet_generic(net, geneve_net_id)->geneve_list.The net here could differ from dev_net(dev) if IFLA_NET_NS_PID,IFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set.When dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finallycalls unregister_netdevice_queue() for each dev in the netns,and later the dev is freed.However, its geneve_dev.next is still linked to the backend UDPsocket netns.Then, use-after-free will occur when another geneve dev is createdin the netns.Let s call geneve_dellink() instead in geneve_destroy_tunnels().[0]:BUG: KASAN: slab-use-after-free in geneve_find_dev drivers/net/geneve.c:1295 [inline]BUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343Read of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441CPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3dHardware name: linux,dummy-virt (DT)Call trace: show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C) __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x16c/0x6f0 mm/kasan/report.c:489 kasan_report+0xc0/0x120 mm/kasan/report.c:602 __asan_report_load2_noabort+0x20/0x30 mm/kasan/report_generic.c:379 geneve_find_dev drivers/net/geneve.c:1295 [inline] geneve_configure+0x234/0x858 drivers/net/geneve.c:1343 geneve_newlink+0xb8/0x128 drivers/net/geneve.c:1634 rtnl_newlink_create+0x23c/0x868 net/core/rtnetlink.c:3795 __rtnl_newlink net/core/rtnetlink.c:3906 [inline] rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892 sock_sendmsg_nosec net/socket.c:713 [inline] __sock_sendmsg net/socket.c:728 [inline] ____sys_sendmsg+0x410/0x6f8 net/socket.c:2568 ___sys_sendmsg+0x178/0x1d8 net/socket.c:2622 __sys_sendmsg net/socket.c:2654 [inline] __do_sys_sendmsg net/socket.c:2659 [inline] __se_sys_sendmsg net/socket.c:2657 [inline] __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151 el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600Allocated by task 13247: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x68 mm/kasan/common.c:68 kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4298 [inline] __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4304 __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:645 alloc_netdev_mqs+0xb8/0x11a0 net/core/dev.c:11470 rtnl_create_link+0x2b8/0xb50 net/core/rtnetlink.c:3604 rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3780 __rtnl_newlink net/core/rtnetlink.c:3906 [inline] rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938 netlink_unicast_kernel net/netlink/af_n---truncated---
 漏洞公开时间：2025-03-12 18:15:18
 漏洞创建时间：2025-03-12 18:28:37
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2025-21858
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/3ce92ca990cfac88a87c61df3cc0b5880e688ecf |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/5a0538ac6826807d6919f6aecbb8996c2865af2c |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/788dbca056a8783ec063da3c9d49a3a71c76c283 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/904e746b2e7fa952ab8801b303ce826a63153d78 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/9593172d93b9f91c362baec4643003dc29802929 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/d5e86e27de0936f3cb0a299ce519d993e9cf3886 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/da9b0ae47f084014b1e4b3f31f70a0defd047ff3 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/f74f6560146714241c6e167b03165ee77a86e316 |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-21858 | https://bugzilla.suse.com/show_bug.cgi?id=1239468 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2025-21858 | https://bugzilla.suse.com/show_bug.cgi?id=1239468 |
| suse_bugzilla | https://git.kernel.org/stable/c/3ce92ca990cfac88a87c61df3cc0b5880e688ecf | https://bugzilla.suse.com/show_bug.cgi?id=1239468 |
| suse_bugzilla | https://git.kernel.org/stable/c/788dbca056a8783ec063da3c9d49a3a71c76c283 | https://bugzilla.suse.com/show_bug.cgi?id=1239468 |
| suse_bugzilla | https://git.kernel.org/stable/c/904e746b2e7fa952ab8801b303ce826a63153d78 | https://bugzilla.suse.com/show_bug.cgi?id=1239468 |
| suse_bugzilla | https://git.kernel.org/stable/c/9593172d93b9f91c362baec4643003dc29802929 | https://bugzilla.suse.com/show_bug.cgi?id=1239468 |
| suse_bugzilla | https://git.kernel.org/stable/c/da9b0ae47f084014b1e4b3f31f70a0defd047ff3 | https://bugzilla.suse.com/show_bug.cgi?id=1239468 |
| suse_bugzilla | https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2025/CVE-2025-21858.mbox | https://bugzilla.suse.com/show_bug.cgi?id=1239468 |
| mageia |  | http://advisories.mageia.org/MGASA-2025-0111.html |
| osv | https://git.kernel.org/stable/c/3ce92ca990cfac88a87c61df3cc0b5880e688ecf | https://osv.dev/vulnerability/CVE-2025-21858 |
| osv | https://git.kernel.org/stable/c/5a0538ac6826807d6919f6aecbb8996c2865af2c | https://osv.dev/vulnerability/CVE-2025-21858 |
| osv | https://git.kernel.org/stable/c/788dbca056a8783ec063da3c9d49a3a71c76c283 | https://osv.dev/vulnerability/CVE-2025-21858 |
| osv | https://git.kernel.org/stable/c/904e746b2e7fa952ab8801b303ce826a63153d78 | https://osv.dev/vulnerability/CVE-2025-21858 |
| osv | https://git.kernel.org/stable/c/9593172d93b9f91c362baec4643003dc29802929 | https://osv.dev/vulnerability/CVE-2025-21858 |
| osv | https://git.kernel.org/stable/c/d5e86e27de0936f3cb0a299ce519d993e9cf3886 | https://osv.dev/vulnerability/CVE-2025-21858 |
| osv | https://git.kernel.org/stable/c/da9b0ae47f084014b1e4b3f31f70a0defd047ff3 | https://osv.dev/vulnerability/CVE-2025-21858 |
| osv | https://git.kernel.org/stable/c/f74f6560146714241c6e167b03165ee77a86e316 | https://osv.dev/vulnerability/CVE-2025-21858 |
| osv | https://security-tracker.debian.org/tracker/CVE-2025-21858 | https://osv.dev/vulnerability/CVE-2025-21858 |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
|  |  | https://git.kernel.org/stable/c/3ce92ca990cfac88a87c61df3cc0b5880e688ecf |  | nvd |
|  |  | https://git.kernel.org/stable/c/5a0538ac6826807d6919f6aecbb8996c2865af2c |  | nvd |
|  |  | https://git.kernel.org/stable/c/788dbca056a8783ec063da3c9d49a3a71c76c283 |  | nvd |
|  |  | https://git.kernel.org/stable/c/904e746b2e7fa952ab8801b303ce826a63153d78 |  | nvd |
|  |  | https://git.kernel.org/stable/c/9593172d93b9f91c362baec4643003dc29802929 |  | nvd |
|  |  | https://git.kernel.org/stable/c/d5e86e27de0936f3cb0a299ce519d993e9cf3886 |  | nvd |
|  |  | https://git.kernel.org/stable/c/da9b0ae47f084014b1e4b3f31f70a0defd047ff3 |  | nvd |
|  |  | https://git.kernel.org/stable/c/f74f6560146714241c6e167b03165ee77a86e316 |  | nvd |
| linux_kernel | 6.1.130 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=904e746b2e7fa952ab8801b303ce826a63153d78Issue | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2d07dc79fe04a43d82a346ced6bbf07bdb523f1b | linuxkernelcves |
| linux_kernel | 6.6.80 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3ce92ca990cfac88a87c61df3cc0b5880e688ecfIssue | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2d07dc79fe04a43d82a346ced6bbf07bdb523f1b | linuxkernelcves |
| linux_kernel | 6.12.17 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=da9b0ae47f084014b1e4b3f31f70a0defd047ff3Issue | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2d07dc79fe04a43d82a346ced6bbf07bdb523f1b | linuxkernelcves |
| linux_kernel | 6.13.5 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=788dbca056a8783ec063da3c9d49a3a71c76c283Issue | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2d07dc79fe04a43d82a346ced6bbf07bdb523f1b | linuxkernelcves |
| linux_kernel | 6.14-rc4 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9593172d93b9f91c362baec4643003dc29802929Please | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2d07dc79fe04a43d82a346ced6bbf07bdb523f1b | linuxkernelcves |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
  In the Linux kernel, the following vulnerability has been resolved:geneve: Fix use-after-free in geneve_find_dev().syzkaller reported a use-after-free in geneve_find_dev() [0]without repro.geneve_configure() links struct geneve_dev.next tonet_generic(net, geneve_net_id)->geneve_list.The net here could differ from dev_net(dev) if IFLA_NET_NS_PID,IFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set.When dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finallycalls unregister_netdevice_queue() for each dev in the netns,and later the dev is freed.However, its geneve_dev.next is still linked to the backend UDPsocket netns.Then, use-after-free will occur when another geneve dev is createdin the netns.Let s call geneve_dellink() instead in geneve_destroy_tunnels().[0]:BUG: KASAN: slab-use-after-free in geneve_find_dev drivers/net/geneve.c:1295 [inline]BUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343Read of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441CPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3dHardware name: linux,dummy-virt (DT)Call trace: show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C) __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x16c/0x6f0 mm/kasan/report.c:489 kasan_report+0xc0/0x120 mm/kasan/report.c:602 __asan_report_load2_noabort+0x20/0x30 mm/kasan/report_generic.c:379 geneve_find_dev drivers/net/geneve.c:1295 [inline] geneve_configure+0x234/0x858 drivers/net/geneve.c:1343 geneve_newlink+0xb8/0x128 drivers/net/geneve.c:1634 rtnl_newlink_create+0x23c/0x868 net/core/rtnetlink.c:3795 __rtnl_newlink net/core/rtnetlink.c:3906 [inline] rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892 sock_sendmsg_nosec net/socket.c:713 [inline] __sock_sendmsg net/socket.c:728 [inline] ____sys_sendmsg+0x410/0x6f8 net/socket.c:2568 ___sys_sendmsg+0x178/0x1d8 net/socket.c:2622 __sys_sendmsg net/socket.c:2654 [inline] __do_sys_sendmsg net/socket.c:2659 [inline] __se_sys_sendmsg net/socket.c:2657 [inline] __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151 el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600Allocated by task 13247: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x68 mm/kasan/common.c:68 kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4298 [inline] __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4304 __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:645 alloc_netdev_mqs+0xb8/0x11a0 net/core/dev.c:11470 rtnl_create_link+0x2b8/0xb50 net/core/rtnetlink.c:3604 rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3780 __rtnl_newlink net/core/rtnetlink.c:3906 [inline] rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938 netlink_unicast_kernel net/netlink/af_n---truncated---
 openEuler评分：
  7.8
 Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
 受影响版本排查(受影响/不受影响)：
  1.openEuler-20.03-LTS-SP4(4.19.90):受影响
2.openEuler-22.03-LTS-SP3(5.10.0):受影响
3.openEuler-22.03-LTS-SP4(5.10.0):受影响
4.openEuler-24.03-LTS(6.6.0):受影响
5.openEuler-24.03-LTS-SP1(6.6.0):受影响
6.openEuler-24.03-LTS-SP2(6.6.0):受影响
7.master(6.6.0):不受影响
8.openEuler-24.03-LTS-Next(6.6.0):不受影响

修复是否涉及abi变化(是/否)：
  1.openEuler-20.03-LTS-SP4(4.19.90):否
2.openEuler-22.03-LTS-SP3(5.10.0):否
3.master(6.6.0):否
4.openEuler-24.03-LTS(6.6.0):否
5.openEuler-24.03-LTS-Next(6.6.0):否
6.openEuler-22.03-LTS-SP4(5.10.0):否
7.openEuler-24.03-LTS-SP1(6.6.0):否
8.openEuler-24.03-LTS-SP2(6.6.0):否

原因说明：
  1.openEuler-20.03-LTS-SP4(4.19.90):正常修复
2.openEuler-22.03-LTS-SP3(5.10.0):正常修复
3.openEuler-22.03-LTS-SP4(5.10.0):正常修复
4.openEuler-24.03-LTS(6.6.0):正常修复
5.openEuler-24.03-LTS-SP1(6.6.0):正常修复
6.openEuler-24.03-LTS-SP2(6.6.0):正常修复
7.master(6.6.0):不受影响-漏洞代码不能被攻击者触发
8.openEuler-24.03-LTS-Next(6.6.0):不受影响-漏洞代码不能被攻击者触发

src-openEuler/kernel

内容风险标识

评论 (18)

src-openEuler/kernel .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2025-21858

评论 (18)

搜索帮助

src-openEuler/kernel