IM
IronMonkey Threat Research

CVE-2025-21701 HIGH

Published: 2025-02-13 | Last Modified: 2026-05-12 | Status: Modified

Description

In the Linux kernel, the following vulnerability has been resolved: net: avoid race between device unregistration and ethnl ops The following trace can be seen if a device is being unregistered while its number of channels are being modified. DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120 CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771 RIP: 0010:__mutex_lock+0xc8a/0x1120 Call Trace: <TASK> ethtool_check_max_channel+0x1ea/0x880 ethnl_set_channels+0x3c3/0xb10 ethnl_default_set_doit+0x306/0x650 genl_family_rcv_msg_doit+0x1e3/0x2c0 genl_rcv_msg+0x432/0x6f0 netlink_rcv_skb+0x13d/0x3b0 genl_rcv+0x28/0x40 netlink_unicast+0x42e/0x720 netlink_sendmsg+0x765/0xc20 __sys_sendto+0x3ac/0x420 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e This is because unregister_netdevice_many_notify might run before the rtnl lock section of ethnl operations, eg. set_channels in the above example. In this example the rss lock would be destroyed by the device unregistration path before being used again, but in general running ethnl operations while dismantle has started is not a good idea. Fix this by denying any operation on devices being unregistered. A check was already there in ethnl_ops_begin, but not wide enough. Note that the same issue cannot be seen on the ioctl version (__dev_ethtool) because the device reference is retrieved from within the rtnl lock section there. Once dismantle started, the net device is unlisted and no reference will be found.

Additional Descriptions (1)

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: evitar la ejecución entre la anulación del registro del dispositivo y las operaciones ethnl. El siguiente rastro se puede ver si se anula el registro de un dispositivo mientras se modifica su número de canales. DEBUG_LOCKS_WARN_ON(lock-&gt;magic != lock) WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120 CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771 RIP: 0010:__mutex_lock+0xc8a/0x1120 Call Trace: ethtool_check_max_channel+0x1ea/0x880 ethnl_set_channels+0x3c3/0xb10 ethnl_default_set_doit+0x306/0x650 genl_family_rcv_msg_doit+0x1e3/0x2c0 genl_rcv_msg+0x432/0x6f0 netlink_rcv_skb+0x13d/0x3b0 genl_rcv+0x28/0x40 netlink_unicast+0x42e/0x720 netlink_sendmsg+0x765/0xc20 __sys_sendto+0x3ac/0x420 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e. Esto se debe a que unregister_netdevice_many_notify podría ejecutarse antes de la sección de bloqueo rtnl de las operaciones ethnl, por ejemplo, set_channels en el ejemplo anterior. En este ejemplo, el bloqueo de rss se destruiría por la ruta de anulación del registro del dispositivo antes de volver a usarse, pero en general, ejecutar operaciones ethnl mientras se ha iniciado el desmantelamiento no es una buena idea. Solucione esto denegando cualquier operación en los dispositivos que se van a anular el registro. Ya había una comprobación en ethnl_ops_begin, pero no lo suficientemente amplia. Tenga en cuenta que no se puede ver el mismo problema en la versión ioctl (__dev_ethtool) porque la referencia del dispositivo se recupera desde dentro de la sección de bloqueo rtnl allí. Una vez que se inicia el desmantelamiento, el dispositivo de red no aparece en la lista y no se encontrará ninguna referencia.

CVSS Metrics

Base Score: 4.7 (MEDIUM)

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack VectorLOCAL
Attack ComplexityHIGH
Privileges RequiredLOW
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactNONE
Integrity ImpactNONE
Availability ImpactHIGH

Source: [email protected]

Type: Primary

Exploitability Score: 1.0

Impact Score: 3.6

Weaknesses

Source Type Description
[email protected] Primary
en CWE-362
134c704f-9b21-4f2e-91b3-4a467353bcc0 Secondary
en CWE-362

Affected Products

Vendor Product Version Update Type
linux linux_kernel * <built-in method update of dict object at 0x702bdd9bcf80> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd9bde00> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd9bc940> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd9bedc0> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd9be300> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd9bd900> Operating System
linux linux_kernel 5.16 <built-in method update of dict object at 0x702bdd9bf240> Operating System
linux linux_kernel 5.16 <built-in method update of dict object at 0x702b50164cc0> Operating System
linux linux_kernel 5.16 <built-in method update of dict object at 0x702bdd9be640> Operating System
linux linux_kernel 5.16 <built-in method update of dict object at 0x702bdd9bf9c0> Operating System
linux linux_kernel 5.16 <built-in method update of dict object at 0x702b50164680> Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:5.16:-:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:5.16:rc5:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:5.16:rc6:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:5.16:rc7:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:5.16:rc8:*:*:*:*:*:*

References

Notification
Message here