Summary:
In the Linux kernel, the following vulnerability has been resolved:

keys: Fix UAF in key_put()

Once a key's reference count has been reduced to 0, the garbage collector thread may destroy it at any time and so key_put() is not allowed to touch the key after that point. The most key_put() is normally allowed to do is to touch key_gc_work as that's a static global variable.

However, in an effort to speed up the reclamation of quota, this is now done in key_put() once the key's usage is reduced to 0 - but now the code is looking at the key after the deadline, which is forbidden.

Fix this by using a flag to indicate that a key can be gc'd now rather than looking at the key's refcount in the garbage collector.
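
The ordering this fix depends on, as an added user-space C model (not kernel code and not part of the advisory): the last put finishes its quota accounting, then sets a flag, and the collector frees on that flag instead of on a zero reference count. Every name here (`obj_put`, `gc_scan`, `OBJ_FINAL_PUT`, `gc_races_put`) is hypothetical; `gc_races_put` is a hook that runs the collector at the worst moment inside the put.

```c
/* User-space model; every name here is hypothetical, not kernel code. */
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

#define OBJ_FINAL_PUT 1u          /* set by the last put: GC may free now */
struct obj {
    atomic_int usage; atomic_uint flags;   /* refcount, state bits */
    int quotalen;                 /* bytes charged against the quota */
    struct obj *next;
};
static struct obj *all_objs;      /* list the collector walks */
static int quota_bytes, freed_mid_put, gc_races_put;
struct obj *obj_alloc(int quotalen) {
    struct obj *o = calloc(1, sizeof(*o));
    if (!o) abort();
    atomic_init(&o->usage, 1);
    o->quotalen = quotalen;
    quota_bytes += quotalen;      /* charge the quota */
    o->next = all_objs;
    return all_objs = o;
}
/* Collector: frees on the flag only, never on usage == 0. */
int gc_scan(void) {
    int freed = 0;
    for (struct obj **pp = &all_objs; *pp; ) {
        struct obj *o = *pp;
        if (atomic_load_explicit(&o->flags, memory_order_acquire) & OBJ_FINAL_PUT) {
            *pp = o->next; free(o); freed++;
        } else pp = &o->next;
    }
    return freed;
}
void obj_put(struct obj *o) {
    if (atomic_fetch_sub(&o->usage, 1) != 1) return;   /* not the last ref */
    if (gc_races_put) freed_mid_put = gc_scan();  /* collector runs right here */
    quota_bytes -= o->quotalen;   /* safe: flag unset, o cannot be freed yet */
    atomic_fetch_or_explicit(&o->flags, OBJ_FINAL_PUT, memory_order_release);
}                                 /* o is off limits once the flag is set */
int run_race(int *after) {        /* returns the count freed during the put */
    gc_races_put = 1;
    obj_put(obj_alloc(64));
    gc_races_put = 0;
    *after = gc_scan();           /* count freed once the put has finished */
    return freed_mid_put;
}
int main(void) {
    int after, mid = run_race(&after);
    printf("freed mid-put=%d after=%d quota=%d\n", mid, after, quota_bytes);
}
```

A collector that tested `usage == 0` instead would free the object at the hook, and the quota line in `obj_put` would then read freed memory.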
Severity: Low
Advisory ID: KylinSec-SA-2025-2356
Release date: April 20, 2025
Related CVE: CVE-2025-21893
CVE | Product | Component | Affected |
---|---|---|---|
CVE-2025-21893 | KY3.4-5 | kernel | Unaffected |
CVE-2025-21893 | V6 | kernel | Unaffected |