[CBR 7.9] CVE-2025-21786 #409
Draft
[CBR 7.9]
CVE-2025-21786
VULN-54089
Problem
https://access.redhat.com/security/cve/CVE-2025-21786
Applicability: no
As explained in the analysis of the fix for CVE-2025-21786 in #406, the key to avoiding the use-after-free condition was reordering the calls to `put_pwq(…)` and `worker_detach_from_pool(…)`. As long as `put_pwq(…)` occurred before `worker_detach_from_pool(…)`, it was possible for the worker pool to reach a refcount of 0 and be destroyed by the RCU mechanism before the `worker_detach_from_pool(…)` call, which requires the pool to still be present.

In `ciqcbr7_9`, however, the `worker_detach_from_pool(…)` call doesn't exist yet. The pool attachment/detachment scheme was introduced in 51697d3, which is missing from `ciqcbr7_9`'s history. This means that CBR 7.9 not only lacks the code that introduced the bug (68f8305), but also the code this bug would require in order to manifest. Unlike the `worker_attach_to_pool(…)` / `worker_detach_from_pool(…)` scheme, the synchronization mechanism used before it, the `worker_maybe_bind_and_lock(…)` function, does not follow a similar "attach"/"detach" pattern, so it is hard to even pinpoint the `worker_detach_from_pool(…)` analogue and evaluate whether it is properly ordered relative to `put_pwq(…)`.

Taking this into account, it was assessed that CVE-2025-21786 does not apply to CBR 7.9.
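The ordering argument above, shown as an added stand-alone C model (not kernel code, not part of this PR or of #406). It collapses the kernel's RCU-deferred pool release into a synchronous `freed` flag so the bad ordering can be observed without actually dereferencing freed memory; the struct fields, the `model_` helpers and `run_rescuer_exit()` are assumptions made for illustration and do not mirror the real `workqueue.c` layout.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for the kernel objects (assumed layout, for illustration only). */
struct worker_pool {
    int refcnt;     /* last reference is dropped when the pwq that backs it goes away */
    int nr_workers; /* stand-in for the per-pool worker bookkeeping detach must update */
    int freed;      /* models the RCU-deferred free: set when refcnt reaches 0 */
};

struct pool_workqueue {
    struct worker_pool *pool;
    int refcnt;
};

struct worker {
    struct worker_pool *pool;
};

/* Model of put_pwq(): drop the pwq reference; the last pwq reference releases the pool.
   In the kernel the pool is freed by an RCU callback; here it is marked freed immediately. */
static void model_put_pwq(struct pool_workqueue *pwq)
{
    if (--pwq->refcnt == 0) {
        struct worker_pool *pool = pwq->pool;
        if (--pool->refcnt == 0)
            pool->freed = 1;
    }
}

/* Model of worker_detach_from_pool(): must run while the pool is still alive.
   Returns 1 if it would have touched an already-released pool (the use-after-free). */
static int model_worker_detach_from_pool(struct worker *worker)
{
    struct worker_pool *pool = worker->pool;

    if (pool->freed)
        return 1;           /* the kernel would dereference freed memory here */

    pool->nr_workers--;     /* the detach bookkeeping needs a live pool */
    worker->pool = NULL;
    return 0;
}

enum exit_order {
    PUT_THEN_DETACH,        /* buggy order fixed by the CVE-2025-21786 patch */
    DETACH_THEN_PUT         /* corrected order */
};

/* Run a rescuer's exit path with the pwq holding the only pool reference.
   Returns 1 if the use-after-free was observed, 0 otherwise. */
int run_rescuer_exit(enum exit_order order)
{
    struct worker_pool *pool = calloc(1, sizeof *pool);
    struct pool_workqueue pwq = { .pool = pool, .refcnt = 1 };
    struct worker rescuer = { .pool = pool };
    int uaf;

    pool->refcnt = 1;       /* constructed scenario: only the pwq keeps the pool alive */
    pool->nr_workers = 1;

    if (order == PUT_THEN_DETACH) {
        model_put_pwq(&pwq);                              /* pool refcnt -> 0, released */
        uaf = model_worker_detach_from_pool(&rescuer);    /* touches a released pool */
    } else {
        uaf = model_worker_detach_from_pool(&rescuer);    /* pool still alive */
        model_put_pwq(&pwq);                              /* now safe to release it */
    }

    free(pool);
    return uaf;
}

int main(void)
{
    printf("put_pwq before detach: uaf=%d\n", run_rescuer_exit(PUT_THEN_DETACH));
    printf("detach before put_pwq: uaf=%d\n", run_rescuer_exit(DETACH_THEN_PUT));
    return 0;
}
```

The model only reproduces the dependency the analysis relies on: detach needs a live pool, and the pwq can be the last thing keeping it alive. It does not model the pre-51697d3 `worker_maybe_bind_and_lock(…)` path, which is precisely why no comparable ordering check can be written for `ciqcbr7_9`.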