Skip to content

Backport privilege escalation security fix for CVE-2025-39698 from linux 6.12.44 #416

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: msm8916/6.12.1
Choose a base branch
from
Open

Backport privilege escalation security fix for CVE-2025-39698 from linux 6.12.44 #416

wants to merge 1 commit into from

Conversation

GlebVerugin
Copy link

CVE link
Linux upstream commits:
d9f9317
d34c041
508c131
CVE announce

This pr tested on pmbootstrap compiling, and wileyfox swift booting up

@axboe @GlebVerugin
io_uring/futex: ensure io_futex_wait() cleans up properly on failure
63e8843 
commit 508c131 upstream.

The io_futex_data is allocated upfront and assigned to the io_kiocb
async_data field, but the request isn't marked with REQ_F_ASYNC_DATA
at that point. Those two should always go together, as the flag tells
io_uring whether the field is valid or not.

Additionally, on failure cleanup, the futex handler frees the data but
does not clear ->async_data. Clear the data and the flag in the error
path as well.

Thanks to Trend Micro Zero Day Initiative and particularly ReDress for
reporting this.

Cc: [email protected]
Fixes: 194bb58 ("io_uring: add support for futex wake and wait")
Signed-off-by: Jens Axboe <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@GlebVerugin @axboe