In the Linux kernel, a vulnerability (CVE-2025-21664) in the device-mapper thin provisioning target (dm thin) has been resolved. The fix changes get_first_thin() to use the RCU-safe list_first_or_null_rcu() helper instead of a list_empty() -> list_first() sequence, a pattern that the rculist.h documentation explicitly warns against in RCU-protected code. This post describes the original problem, shows the fixed code, lists the original references, and explains how the crash is triggered.
Problem Description
The vulnerability is in the dm thin code (the device-mapper thin provisioning target, which provides thinly provisioned volumes) and leads to a kernel crash under a specific race. get_first_thin() first called list_empty() on pool->active_thins and, if the list was non-empty, then read pool->active_thins.next a second time to obtain the first entry. In RCU-protected code these are two independent reads of the same list head, and a writer can empty the list between them. When that happens, head->next points back at the head itself, so list_entry() returns a pointer into struct pool rather than a struct thin_c, and anything that dereferences it operates on the wrong memory.
The issue was observed in a production environment as a general protection fault in the process_deferred_bios path. Before the fault, the kernel logged a warning that a refcount_t had saturated (the reference-count increment being applied to the bogus pointer) and a UBSAN report of an out-of-bounds cpu id access in the queued spinlock code.
Exploit Details
The race is between get_first_thin() and thin_dtr(). thin_dtr() removes its thin_c from pool->active_thins with an RCU list deletion and then waits in synchronize_rcu(). If that thin_c happened to be the only entry on the active_thins list, a concurrent get_first_thin() could see list_empty() return false, lose the race to the deletion, and then read an empty list head, producing the invalid pointer described above. The crash was hit at exactly that moment: one thread waiting in thin_dtr()'s synchronize_rcu() while another was picking up the first active thin. Note that thin_dtr() runs when a thin target is torn down through the device-mapper ioctl interface, which requires CAP_SYS_ADMIN, so the practical impact reported here is a kernel crash on a host already using dm thin rather than a privilege boundary crossing.
The Fix
To resolve this issue, get_first_thin() was switched to list_first_or_null_rcu(), which performs a single READ_ONCE() of the head's next pointer and returns NULL if the list is empty at that instant. Because emptiness and the first element are decided by one read, there is no window between the check and the fetch, and the function no longer hands out a pointer into struct pool.
Here is the core of the fix (abbreviated to the list access that changed):

static struct thin_c *get_first_thin(struct pool *pool)
{
	/* One READ_ONCE() of active_thins.next: NULL if empty, else the first
	 * thin_c. Upstream wraps this in rcu_read_lock()/rcu_read_unlock() and
	 * takes a thin_get() reference on the entry before returning it. */
	return list_first_or_null_rcu(&pool->active_thins, struct thin_c, list);
}
The fix was tested against the device-mapper test suite's thin-provisioning suites for delete and suspend, with no regressions observed.
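The race described in the problem and exploit sections, and the effect of the fix, can be reproduced deterministically in user space. The following is an added example written for this post, not code from the kernel or from the patch: it reimplements a minimal intrusive list with the same semantics as the kernel's list_empty(), list_entry(), list_del_rcu() and list_first_or_null_rcu(), uses hypothetical cut-down struct pool and struct thin_c layouts, and inserts a hook between the two reads so that "thin_dtr()" can run at exactly the wrong moment.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for the kernel's intrusive list, constructed for this demo
 * (the real <linux/list.h> and <linux/rculist.h> are not used). */
struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev; n->next = h;
	h->prev->next = n; h->prev = n;
}

/* Like list_del_rcu(): unlink but keep e->next so an RCU reader that already
 * holds e can still walk on; the element itself is not freed here. */
static void list_del_rcu(struct list_head *e)
{
	e->next->prev = e->prev;
	e->prev->next = e->next;
	e->prev = NULL;
}

static bool list_empty(const struct list_head *h) { return h->next == h; }

/* Stand-in for list_first_or_null_rcu(): one read of head->next (READ_ONCE()
 * in the kernel) decides both "is it empty" and "which element". */
static struct list_head *list_first_or_null(struct list_head *h)
{
	struct list_head *n = h->next;
	return n != h ? n : NULL;
}

/* Hypothetical cut-down dm-thin structs; the layout is an assumption. */
struct thin_c { int refcount; struct list_head list; int dev_id; };
struct pool   { int pool_id; int nr_active; struct list_head active_thins; };

/* Lets a test run "the other CPU" between two reads of the list head. */
typedef void (*interleave_fn)(void *arg);

/* Pre-fix pattern: list_empty() and then list_entry() on head->next. */
static struct thin_c *get_first_thin_racy(struct pool *pool,
					  interleave_fn between, void *arg)
{
	struct thin_c *tc = NULL;

	if (!list_empty(&pool->active_thins)) {          /* read 1 */
		if (between)
			between(arg);                    /* thin_dtr() runs here */
		tc = list_entry(pool->active_thins.next, /* read 2 */
				struct thin_c, list);
	}
	return tc;
}

/* Post-fix pattern: a single read, NULL if the list is already empty. */
static struct thin_c *get_first_thin_fixed(struct pool *pool,
					   interleave_fn between, void *arg)
{
	struct list_head *n = list_first_or_null(&pool->active_thins);

	if (between)
		between(arg);  /* n is NULL or still valid (RCU grace period) */
	return n ? list_entry(n, struct thin_c, list) : NULL;
}

/* The part of thin_dtr() that matters here: list_del_rcu(). The
 * synchronize_rcu() wait that follows is omitted; nothing is freed. */
static void thin_dtr_hook(void *arg)
{
	list_del_rcu(&((struct thin_c *)arg)->list);
}

/* Build a pool whose active_thins list holds exactly one thin. */
static void setup_single_thin(struct pool *pool, struct thin_c *tc)
{
	pool->pool_id = 7; pool->nr_active = 1;
	INIT_LIST_HEAD(&pool->active_thins);
	tc->refcount = 1; tc->dev_id = 1;
	list_add_tail(&tc->list, &pool->active_thins);
}

/* True if the racy reader handed back the pool's own list head
 * reinterpreted as a thin_c, i.e. a pointer into struct pool. */
static bool racy_reader_returns_list_head(void)
{
	struct pool pool; struct thin_c only;

	setup_single_thin(&pool, &only);
	struct thin_c *tc = get_first_thin_racy(&pool, thin_dtr_hook, &only);
	return tc == list_entry(&pool.active_thins, struct thin_c, list);
}

/* True if a thin_get()-style refcount increment through that bogus pointer
 * would write inside struct pool (what the "refcount_t saturated" warning
 * looked like in the kernel). */
static bool racy_refcount_lands_in_pool(void)
{
	struct pool pool; struct thin_c only;

	setup_single_thin(&pool, &only);
	struct thin_c *tc = get_first_thin_racy(&pool, thin_dtr_hook, &only);
	char *p = (char *)&tc->refcount;
	return p >= (char *)&pool && p < (char *)&pool + sizeof(pool);
}

/* Same interleaving against the fixed reader: it keeps the still-valid thin. */
static bool fixed_reader_keeps_thin(void)
{
	struct pool pool; struct thin_c only;

	setup_single_thin(&pool, &only);
	return get_first_thin_fixed(&pool, thin_dtr_hook, &only) == &only;
}

/* Fixed reader on an already-empty list: NULL, nothing to dereference. */
static bool fixed_reader_null_when_empty(void)
{
	struct pool pool = { .pool_id = 7 };

	INIT_LIST_HEAD(&pool.active_thins);
	return get_first_thin_fixed(&pool, NULL, NULL) == NULL;
}

int main(void)
{
	printf("racy reader returned list head as thin_c: %d\n",
	       racy_reader_returns_list_head());
	printf("racy thin_get() would write into struct pool: %d\n",
	       racy_refcount_lands_in_pool());
	printf("fixed reader kept the RCU-protected thin: %d\n",
	       fixed_reader_keeps_thin());
	printf("fixed reader on empty list returned NULL: %d\n",
	       fixed_reader_null_when_empty());
	return 0;
}
```

The hook stands in for CPU scheduling: in the kernel the window between the two reads is a handful of instructions, which is why the bug only surfaced in production with a single active thin being deleted. The fixed reader returns the removed thin_c when the deletion lands after its single read, and that is acceptable under RCU because thin_dtr() is still blocked in synchronize_rcu() until the reader leaves its RCU critical section.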
Original References
1. The original patch submitted to resolve this issue can be found here.
2. The Linux kernel source code, where the vulnerability was found and fixed, can be accessed here.
Conclusion
In conclusion, CVE-2025-21664 has been resolved by replacing the list_empty() -> list_first() sequence in get_first_thin() with the RCU-safe list_first_or_null_rcu(). The fix removes a race that could crash the kernel on systems using dm thin when a thin device was deleted at the wrong moment. Users of dm thin should update to a kernel that includes this fix.
Timeline
Published on: 01/21/2025 13:15:10 UTC
Last modified on: 02/02/2025 11:15:15 UTC