CVE-2025-37772

一、漏洞信息
 漏洞编号：[CVE-2025-37772](https://nvd.nist.gov/vuln/detail/CVE-2025-37772)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.19,6.4.0,6.6.0
 CVSS V3.0分值：
  BaseScore：N/A None
  Vector：CVSS：3.0/
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:RDMA/cma: Fix workqueue crash in cma_netevent_work_handlerstruct rdma_cm_id has member  struct work_struct net_work that is reused for enqueuing cma_netevent_work_handler()sonto cma_wq.Below crash[1] can occur if more than one call tocma_netevent_callback() occurs in quick succession,which further enqueues cma_netevent_work_handler()s for thesame rdma_cm_id, overwriting any previously queued work-item(s)that was just scheduled to run i.e. there is no guaranteethe queued work item may run between two successive callsto cma_netevent_callback() and the 2nd INIT_WORK would overwritethe 1st work item (for the same rdma_cm_id), despite grabbingid_table_lock during enqueue.Also drgn analysis [2] indicates the work item was likely overwritten.Fix this by moving the INIT_WORK() to __rdma_create_id(),so that it doesn t race with any existing queue_work() orits worker thread.[1] Trimmed crash stack:=============================================BUG: kernel NULL pointer dereference, address: 0000000000000008kworker/u256:6 ... 6.12.0-0...Workqueue:  cma_netevent_work_handler [rdma_cm] (rdma_cm)RIP: 0010:process_one_work+0xba/0x31aCall Trace: worker_thread+0x266/0x3a0 kthread+0xcf/0x100 ret_from_fork+0x31/0x50 ret_from_fork_asm+0x1a/0x30=============================================[2] drgn crash analysis:>>> trace = prog.crashed_thread().stack_trace()>>> trace(0)  crash_setup_regs (./arch/x86/include/asm/kexec.h:111:15)(1)  __crash_kexec (kernel/crash_core.c:122:4)(2)  panic (kernel/panic.c:399:3)(3)  oops_end (arch/x86/kernel/dumpstack.c:382:3)...(8)  process_one_work (kernel/workqueue.c:3168:2)(9)  process_scheduled_works (kernel/workqueue.c:3310:3)(10) worker_thread (kernel/workqueue.c:3391:4)(11) kthread (kernel/kthread.c:389:9)Line workqueue.c:3168 for this kernel version is in process_one_work():3168	strscpy(worker->desc, pwq->wq->name, WORKER_DESC_LEN);>>> trace[8][ work ]*(struct work_struct *)0xffff92577d0a21d8 = {	.data = (atomic_long_t){		.counter = (s64)536870912,    <=== Note	},	.entry = (struct list_head){		.next = (struct list_head *)0xffff924d075924c0,		.prev = (struct list_head *)0xffff924d075924c0,	},	.func = (work_func_t)cma_netevent_work_handler+0x0 = 0xffffffffc2cec280,}Suspicion is that pwq is NULL:>>> trace[8][ pwq ](struct pool_workqueue *)<absent>In process_one_work(), pwq is assigned from:struct pool_workqueue *pwq = get_work_pwq(work);and get_work_pwq() is:static struct pool_workqueue *get_work_pwq(struct work_struct *work){ 	unsigned long data = atomic_long_read(&work->data); 	if (data & WORK_STRUCT_PWQ) 		return work_struct_pwq(data); 	else 		return NULL;}WORK_STRUCT_PWQ is 0x4:>>> print(repr(prog[ WORK_STRUCT_PWQ ]))Object(prog,  enum work_flags , value=4)But work->data is 536870912 which is 0x20000000.So, get_work_pwq() returns NULL and we crash in process_one_work():3168	strscpy(worker->desc, pwq->wq->name, WORKER_DESC_LEN);=============================================
 漏洞公开时间：2025-05-01 22:15:40
 漏洞创建时间：2025-05-01 22:44:23
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2025-37772
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/45f5dcdd049719fb999393b30679605f16ebce14 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/51003b2c872c63d28bcf5fbcc52cf7b05615f7b7 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/b172a4a0de254f1fcce7591833a9a63547c2f447 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/c2b169fc7a12665d8a675c1ff14bca1b9c63fb9a |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/d23fd7a539ac078df119707110686a5b226ee3bb |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-37772 | https://bugzilla.suse.com/show_bug.cgi?id=1242563 |
| suse_bugzilla | https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2025/CVE-2025-37772.mbox | https://bugzilla.suse.com/show_bug.cgi?id=1242563 |
| suse_bugzilla | https://git.kernel.org/stable/c/51003b2c872c63d28bcf5fbcc52cf7b05615f7b7 | https://bugzilla.suse.com/show_bug.cgi?id=1242563 |
| suse_bugzilla | https://git.kernel.org/stable/c/c2b169fc7a12665d8a675c1ff14bca1b9c63fb9a | https://bugzilla.suse.com/show_bug.cgi?id=1242563 |
| suse_bugzilla | https://git.kernel.org/stable/c/d23fd7a539ac078df119707110686a5b226ee3bb | https://bugzilla.suse.com/show_bug.cgi?id=1242563 |
| suse_bugzilla | https://git.kernel.org/stable/c/b172a4a0de254f1fcce7591833a9a63547c2f447 | https://bugzilla.suse.com/show_bug.cgi?id=1242563 |
| suse_bugzilla | https://git.kernel.org/stable/c/45f5dcdd049719fb999393b30679605f16ebce14 | https://bugzilla.suse.com/show_bug.cgi?id=1242563 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2025-37772 | https://bugzilla.suse.com/show_bug.cgi?id=1242563 |
| suse_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2363273 | https://bugzilla.suse.com/show_bug.cgi?id=1242563 |
| anolis |  | https://anas.openanolis.cn/cves/detail/CVE-2025-37772 |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

无
</details>

二、漏洞分析结构反馈
 影响性分析说明：
  In the Linux kernel, the following vulnerability has been resolved:RDMA/cma: Fix workqueue crash in cma_netevent_work_handlerstruct rdma_cm_id has member &#34;struct work_struct net_work&#34;that is reused for enqueuing cma_netevent_work_handler()sonto cma_wq.Below crash[1] can occur if more than one call tocma_netevent_callback() occurs in quick succession,which further enqueues cma_netevent_work_handler()s for thesame rdma_cm_id, overwriting any previously queued work-item(s)that was just scheduled to run i.e. there is no guaranteethe queued work item may run between two successive callsto cma_netevent_callback() and the 2nd INIT_WORK would overwritethe 1st work item (for the same rdma_cm_id), despite grabbingid_table_lock during enqueue.Also drgn analysis [2] indicates the work item was likely overwritten.Fix this by moving the INIT_WORK() to __rdma_create_id(),so that it doesn&#39;t race with any existing queue_work() orits worker thread.[1] Trimmed crash stack:=============================================BUG: kernel NULL pointer dereference, address: 0000000000000008kworker/u256:6 ... 6.12.0-0...Workqueue:  cma_netevent_work_handler [rdma_cm] (rdma_cm)RIP: 0010:process_one_work+0xba/0x31aCall Trace: worker_thread+0x266/0x3a0 kthread+0xcf/0x100 ret_from_fork+0x31/0x50 ret_from_fork_asm+0x1a/0x30=============================================[2] drgn crash analysis:<spanclass= q >&gt;&gt;&gt; trace = prog.crashed_thread().stack_trace()&gt;&gt;&gt; trace</span>(0)  crash_setup_regs (./arch/x86/include/asm/kexec.h:111:15)(1)  __crash_kexec (kernel/crash_core.c:122:4)(2)  panic (kernel/panic.c:399:3)(3)  oops_end (arch/x86/kernel/dumpstack.c:382:3)...(8)  process_one_work (kernel/workqueue.c:3168:2)(9)  process_scheduled_works (kernel/workqueue.c:3310:3)(10) worker_thread (kernel/workqueue.c:3391:4)(11) kthread (kernel/kthread.c:389:9)Line workqueue.c:3168 for this kernel version is in process_one_work():3168strscpy(worker-&gt;desc, pwq-&gt;wq-&gt;name, WORKER_DESC_LEN);<spanclass= q >&gt;&gt;&gt; trace[8][&#34;work&#34;]</span>*(struct work_struct *)0xffff92577d0a21d8 = {.data = (atomic_long_t){.counter = (s64)536870912,    &lt;=== Note},.entry = (struct list_head){.next = (struct list_head *)0xffff924d075924c0,.prev = (struct list_head *)0xffff924d075924c0,},.func = (work_func_t)cma_netevent_work_handler+0x0 = 0xffffffffc2cec280,}Suspicion is that pwq is NULL:<spanclass= q >&gt;&gt;&gt; trace[8][&#34;pwq&#34;]</span>(struct pool_workqueue *)&lt;absent&gt;In process_one_work(), pwq is assigned from:struct pool_workqueue *pwq = get_work_pwq(work);and get_work_pwq() is:static struct pool_workqueue *get_work_pwq(struct work_struct *work){ unsigned long data = atomic_long_read(&#38;work-&gt;data); if (data &#38; WORK_STRUCT_PWQ) return work_struct_pwq(data); else return NULL;}WORK_STRUCT_PWQ is 0x4:<spanclass= q >&gt;&gt;&gt; print(repr(prog[&#39;WORK_STRUCT_PWQ&#39;]))</span>Object(prog, &#39;enum work_flags&#39;, value=4)But work-&gt;data is 536870912 which is 0x20000000.So, get_work_pwq() returns NULL and we crash in process_one_work():3168strscpy(worker-&gt;desc, pwq-&gt;wq-&gt;name, WORKER_DESC_LEN);=============================================The Linux kernel CVE team has assigned CVE-2025-37772 to this issue.
 openEuler评分：
  4.8
 Vector：CVSS：3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
 受影响版本排查(受影响/不受影响)：
  1.openEuler-24.03-LTS(6.6.0):受影响
2.openEuler-24.03-LTS-SP1(6.6.0):受影响
3.openEuler-24.03-LTS-SP2(6.6.0):受影响
4.master(6.12.33):不受影响
5.openEuler-20.03-LTS-SP4(4.19.90):不受影响
6.openEuler-22.03-LTS-SP3:不受影响
7.openEuler-22.03-LTS-SP4:不受影响
8.openEuler-24.03-LTS-Next(6.6.0):不受影响

修复是否涉及abi变化(是/否)：
  1.master(6.12.33):否
2.openEuler-20.03-LTS-SP4(4.19.90):否
3.openEuler-22.03-LTS-SP3:否
4.openEuler-22.03-LTS-SP4:否
5.openEuler-24.03-LTS(6.6.0):否
6.openEuler-24.03-LTS-Next(6.6.0):否
7.openEuler-24.03-LTS-SP1(6.6.0):否
8.openEuler-24.03-LTS-SP2(6.6.0):否

原因说明：
  1.openEuler-24.03-LTS(6.6.0):正常修复
2.openEuler-24.03-LTS-SP1(6.6.0):正常修复
3.openEuler-24.03-LTS-SP2(6.6.0):正常修复
4.master(6.12.33):不受影响-漏洞代码不能被攻击者触发
5.openEuler-24.03-LTS-Next(6.6.0):不受影响-漏洞代码不能被攻击者触发
6.openEuler-20.03-LTS-SP4(4.19.90):不受影响-漏洞代码不存在
7.openEuler-22.03-LTS-SP3:不受影响-漏洞代码不存在
8.openEuler-22.03-LTS-SP4:不受影响-漏洞代码不存在

三、漏洞修复
安全公告链接：https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2025-2122

src-openEuler/kernel
Closed

Content Risk Flag

Comments (7)

src-openEuler/kernelClosed .gitee-modal { width: 500px !important; }

Content Risk Flag

CVE-2025-37772

Comments (7)

Search

src-openEuler/kernel
Closed