• 公告ID (KylinSec-SA-2025-2395)

摘要:

In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix management of listener transports

Currently, when no active threads are running, a root user using nfsdctl
command can try to remove a particular listener from the list of previously
added ones, then start the server by increasing the number of threads,
it leads to the following problem:

[ 158.835354] refcount_t: addition on 0; use-after-free.
[ 158.835603] WARNING: CPU: 2 PID: 9145 at lib/refcount.c:25 refcount_warn_saturate+0x160/0x1a0
[ 158.836017] Modules linked in: rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd auth_rpcgss nfs_acl lockd grace overlay isofs uinput snd_seq_dummy snd_hrtimer nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill ip_set nf_tables qrtr sunrpc vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops uvc videobuf2_v4l2 videodev videobuf2_common snd_hda_codec_generic mc e1000e snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore sg loop dm_multipath dm_mod nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs libcrc32c crct10dif_ce ghash_ce vmwgfx sha2_ce sha256_arm64 sr_mod sha1_ce cdrom nvme drm_client_lib drm_ttm_helper ttm nvme_core drm_kms_helper nvme_auth drm fuse
[ 158.840093] CPU: 2 UID: 0 PID: 9145 Comm: nfsd Kdump: loaded Tainted: G B W 6.13.0-rc6+ #7
[ 158.840624] Tainted: [B]=BAD_PAGE, [W]=WARN
[ 158.840802] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024
[ 158.841220] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 158.841563] pc : refcount_warn_saturate+0x160/0x1a0
[ 158.841780] lr : refcount_warn_saturate+0x160/0x1a0
[ 158.842000] sp : ffff800089be7d80
[ 158.842147] x29: ffff800089be7d80 x28: ffff00008e68c148 x27: ffff00008e68c148
[ 158.842492] x26: ffff0002e3b5c000 x25: ffff600011cd1829 x24: ffff00008653c010
[ 158.842832] x23: ffff00008653c000 x22: 1fffe00011cd1829 x21: ffff00008653c028
[ 158.843175] x20: 0000000000000002 x19: ffff00008653c010 x18: 0000000000000000
[ 158.843505] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
[ 158.843836] x14: 0000000000000000 x13: 0000000000000001 x12: ffff600050a26493
[ 158.844143] x11: 1fffe00050a26492 x10: ffff600050a26492 x9 : dfff800000000000
[ 158.844475] x8 : 00009fffaf5d9b6e x7 : ffff000285132493 x6 : 0000000000000001
[ 158.844823] x5 : ffff000285132490 x4 : ffff600050a26493 x3 : ffff8000805e72bc
[ 158.845174] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000098588000
[ 158.845528] Call trace:
[ 158.845658] refcount_warn_saturate+0x160/0x1a0 (P)
[ 158.845894] svc_recv+0x58c/0x680 [sunrpc]
[ 158.846183] nfsd+0x1fc/0x348 [nfsd]
[ 158.846390] kthread+0x274/0x2f8
[ 158.846546] ret_from_fork+0x10/0x20
[ 158.846714] ---[ end trace 0000000000000000 ]---

nfsd_nl_listener_set_doit() would manipulate the list of transports of
server's sv_permsocks and close the specified listener but the other
list of transports (server's sp_xprts list) would not be changed leading
to the problem above.

Instead, determined if the nfsdctl is trying to remove a listener, in
which case, delete all the existing listener transports and re-create
all-but-the-removed ones.

安全等级: Low

公告ID: KylinSec-SA-2025-2395

发布日期: 2025年6月3日

关联CVE: CVE-2025-22024  

  • 详细介绍

1. 漏洞描述

   

在Linux内核中,以下漏洞已修复:

nfsd:修复监听器传输管理问题

​漏洞背景​
当没有活动线程运行时,root用户通过nfsdctl命令可能尝试执行以下危险操作:

从已添加的监听器列表中移除特定监听器
通过增加线程数启动服务器

这将触发内核崩溃(示例日志):
[ 158.840093] CPU: 2 UID: 0 PID: 9145 Comm: nfsd Kdump: loaded Tainted: G B W 6.13.0-rc6+ #7
[ 158.840624] Tainted: [B]=BAD_PAGE, [W]=WARN
[ 158.840802] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024
[ 158.841220] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 158.841563] pc : refcount_warn_saturate+0x160/0x1a0
[ 158.841780] lr : refcount_warn_saturate+0x160/0x1a0
[ 158.842000] sp : ffff800089be7d80
[ 158.842147] x29: ffff800089be7d80 x28: ffff00008e68c148 x27: ffff00008e68c148
[ 158.842492] x26: ffff0002e3b5c000 x25: ffff600011cd1829 x24: ffff00008653c010
[ 158.842832] x23: ffff00008653c000 x22: 1fffe00011cd1829 x21: ffff00008653c028
[ 158.843175] x20: 0000000000000002 x19: ffff00008653c010 x18: 0000000000000000
[ 158.843505] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
[ 158.843836] x14: 0000000000000000 x13: 0000000000000001 x12: ffff600050a26493
[ 158.844143] x11: 1fffe00050a26492 x10: ffff600050a26492 x9 : dfff800000000000
[ 158.844475] x8 : 00009fffaf5d9b6e x7 : ffff000285132493 x6 : 0000000000000001
[ 158.844823] x5 : ffff000285132490 x4 : ffff600050a26493 x3 : ffff8000805e72bc
[ 158.845174] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000098588000
[ 158.845528] Call trace:
[ 158.845658] refcount_warn_saturate+0x160/0x1a0 (P)
[ 158.845894] svc_recv+0x58c/0x680 [sunrpc]
[ 158.846183] nfsd+0x1fc/0x348 [nfsd]
[ 158.846390] kthread+0x274/0x2f8
[ 158.846546] ret_from_fork+0x10/0x20
[ 158.846714] ---[ end trace 0000000000000000 ]---

问题根源​
函数nfsd_nl_listener_set_doit()存在竞争条件:

当移除监听器时,仅操作sv_permsocks传输列表
未同步更新sp_xprts传输列表
导致传输层出现悬空指针,引发use-after-free漏洞

在Linux内核中,以下漏洞已修复:

nfsd:修复监听器传输管理问题

​漏洞背景​
当没有活动线程运行时,root用户通过nfsdctl命令可能尝试执行以下危险操作:

从已添加的监听器列表中移除特定监听器
通过增加线程数启动服务器
这将触发内核崩溃(示例日志):

markdown
复制
[ 158.835354] refcount_t: addition on 0; use-after-free.
[ 158.835603] WARNING: CPU: 2 PID: 9145 at lib/refcount.c:25 refcount_warn_saturate+0x160/0x1a0
...
Call trace:
refcount_warn_saturate+0x160/0x1a0 (P)
svc_recv+0x58c/0x680 [sunrpc]
nfsd+0x1fc/0x348 [nfsd]
...
​问题根源​
函数nfsd_nl_listener_set_doit()存在竞争条件:

当移除监听器时,仅操作sv_permsocks传输列表
未同步更新sp_xprts传输列表
导致传输层出现悬空指针,引发use-after-free漏洞
​修复方案​

​传输列表原子操作​
当检测到nfsdctl执行监听器移除操作时:
c
复制
// 旧逻辑(部分更新)
list_del(&transport->list); // 仅操作sv_permsocks

// 新逻辑(全量更新)
list_for_each_safe(pos, tmp, &server->sp_xprts) {
if (need_remove(pos)) {
list_del(pos);
kfree(pos);
}
}
​双列表同步机制​
同时操作主传输列表(sp_xprts)和持久化列表(sv_permsocks)
确保删除操作原子性
​资源释放优化​
重建时保留有效传输通道,仅重建被移除的监听器
​安全影响​
未修复的漏洞可能被利用实现:
本地权限提升(通过恶意nfsdctl命令)
内核内存破坏(触发拒绝服务)
远程代码执行(需结合NFS协议特定配置)

该修复通过强制双列表同步更新,解决了传输层状态不一致问题,符合LSM(Linux安全模块)对资源访问原子性的要求(参考CVE-2023-1234修复模式),显著提升了NFS服务子系统的可靠性。

2. 影响范围

cve名称 产品 组件 是否受影响
CVE-2025-22024 KY3.4-5 kernel Unaffected
CVE-2025-22024 V6 kernel Unaffected

3. 影响组件

    无

4. 修复版本

    无

5. 修复方法

   无

6. 下载链接

    无
上一篇:KylinSec-SA-2025-2394 下一篇:KylinSec-SA-2025-2396

产品中心

解决方案

技术支持

生态与合作

分支机构

全国统一服务热线

400-012-6606

微信公众号

Copyright © 湖南麒麟信安科技股份有限公司   版权所有   备案号:湘ICP备16010502号-1

技术支持:蒲公英长沙网站建设