{ "threat_severity" : "Moderate", "public_date" : "2025-04-16T00:00:00Z", "bugzilla" : { "description" : "kernel: RDMA/core: Don't expose hw_counters outside of init net namespace", "id" : "2360195", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2360195" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-476", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nRDMA/core: Don't expose hw_counters outside of init net namespace\nCommit 467f432a521a (\"RDMA/core: Split port and device counter sysfs\nattributes\") accidentally almost exposed hw counters to non-init net\nnamespaces. It didn't expose them fully, as an attempt to read any of\nthose counters leads to a crash like this one:\n[42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028\n[42021.814463] #PF: supervisor read access in kernel mode\n[42021.819549] #PF: error_code(0x0000) - not-present page\n[42021.824636] PGD 0 P4D 0\n[42021.827145] Oops: 0000 [#1] SMP PTI\n[42021.830598] CPU: 82 PID: 2843922 Comm: switchto-defaul Kdump: loaded Tainted: G S W I XXX\n[42021.841697] Hardware name: XXX\n[42021.849619] RIP: 0010:hw_stat_device_show+0x1e/0x40 [ib_core]\n[42021.855362] Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 49 89 d0 4c 8b 5e 20 48 8b 8f b8 04 00 00 48 81 c7 f0 fa ff ff <48> 8b 41 28 48 29 ce 48 83 c6 d0 48 c1 ee 04 69 d6 ab aa aa aa 48\n[42021.873931] RSP: 0018:ffff97fe90f03da0 EFLAGS: 00010287\n[42021.879108] RAX: ffff9406988a8c60 RBX: ffff940e1072d438 RCX: 0000000000000000\n[42021.886169] RDX: ffff94085f1aa000 RSI: ffff93c6cbbdbcb0 RDI: ffff940c7517aef0\n[42021.893230] RBP: ffff97fe90f03e70 R08: ffff94085f1aa000 R09: 0000000000000000\n[42021.900294] R10: ffff94085f1aa000 R11: ffffffffc0775680 R12: ffffffff87ca2530\n[42021.907355] R13: ffff940651602840 R14: ffff93c6cbbdbcb0 R15: ffff94085f1aa000\n[42021.914418] FS: 00007fda1a3b9700(0000) GS:ffff94453fb80000(0000) knlGS:0000000000000000\n[42021.922423] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[42021.928130] CR2: 0000000000000028 CR3: 00000042dcfb8003 CR4: 00000000003726f0\n[42021.935194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[42021.942257] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[42021.949324] Call Trace:\n[42021.951756] \n[42021.953842] [] ? show_regs+0x64/0x70\n[42021.959030] [] ? __die+0x78/0xc0\n[42021.963874] [] ? page_fault_oops+0x2b5/0x3b0\n[42021.969749] [] ? exc_page_fault+0x1a2/0x3c0\n[42021.975549] [] ? asm_exc_page_fault+0x26/0x30\n[42021.981517] [] ? __pfx_show_hw_stats+0x10/0x10 [ib_core]\n[42021.988482] [] ? hw_stat_device_show+0x1e/0x40 [ib_core]\n[42021.995438] [] dev_attr_show+0x1e/0x50\n[42022.000803] [] sysfs_kf_seq_show+0x81/0xe0\n[42022.006508] [] seq_read_iter+0xf4/0x410\n[42022.011954] [] vfs_read+0x16e/0x2f0\n[42022.017058] [] ksys_read+0x6e/0xe0\n[42022.022073] [] do_syscall_64+0x6a/0xa0\n[42022.027441] [] entry_SYSCALL_64_after_hwframe+0x78/0xe2\nThe problem can be reproduced using the following steps:\nip netns add foo\nip netns exec foo bash\ncat /sys/class/infiniband/mlx4_0/hw_counters/*\nThe panic occurs because of casting the device pointer into an\nib_device pointer using container_of() in hw_stat_device_show() is\nwrong and leads to a memory corruption.\nHowever the real problem is that hw counters should never been exposed\noutside of the non-init net namespace.\nFix this by saving the index of the corresponding attribute group\n(it might be 1 or 2 depending on the presence of driver-specific\nattributes) and zeroing the pointer to hw_counters group for compat\ndevices during the initialization.\nWith this fix applied hw_counters are not available in a non-init\nnet namespace:\nfind /sys/class/infiniband/mlx4_0/ -name hw_counters\n/sys/class/infiniband/mlx4_0/ports/1/hw_counters\n/sys/class/infiniband/mlx4_0/ports/2/hw_counters\n/sys/class/infiniband/mlx4_0/hw_counters\nip netns add foo\nip netns exec foo bash\nfind /sys/class/infiniband/mlx4_0/ -name hw_counters" ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-11-11T00:00:00Z", "advisory" : "RHSA-2025:20095", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "kernel-0:6.12.0-124.8.1.el10_1" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-11T00:00:00Z", "advisory" : "RHSA-2025:20518", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.5.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-11T00:00:00Z", "advisory" : "RHSA-2025:20518", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.5.1.el9_7" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-22089\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-22089\nhttps://lore.kernel.org/linux-cve-announce/2025041616-CVE-2025-22089-16fd@gregkh/T" ], "name" : "CVE-2025-22089", "csaw" : false }