CVE-2025-39877
mm/damon/sysfs: fix use-after-free in state_show()
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/sysfs: fix use-after-free in state_show()
state_show() reads kdamond->damon_ctx without holding damon_sysfs_lock.
This allows a use-after-free race:
CPU 0 CPU 1
----- -----
state_show() damon_sysfs_turn_damon_on()
ctx = kdamond->damon_ctx; mutex_lock(&damon_sysfs_lock);
damon_destroy_ctx(kdamond->damon_ctx);
kdamond->damon_ctx = NULL;
mutex_unlock(&damon_sysfs_lock);
damon_is_running(ctx); /* ctx is freed */
mutex_lock(&ctx->kdamond_lock); /* UAF */
(The race can also occur with damon_sysfs_kdamonds_rm_dirs() and
damon_sysfs_kdamond_release(), which free or replace the context under
damon_sysfs_lock.)
Fix by taking damon_sysfs_lock before dereferencing the context, mirroring
the locking used in pid_show().
The bug has existed since state_show() first accessed kdamond->damon_ctx.
Produtos afetados
Linux · LinuxQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →Referências
https://git.kernel.org/stable/c/26d29b2ac87a2989071755f9828ebf839b560d4chttps://git.kernel.org/stable/c/3260a3f0828e06f5f13fac69fb1999a6d60d9cffhttps://git.kernel.org/stable/c/3858c44341ad49dc7544b19cc9f9ecffaa7cc50ehttps://git.kernel.org/stable/c/4e87f461d61959647464a94d11ae15c011be58cehttps://git.kernel.org/stable/c/60d7a3d2b985a395318faa1d88da6915fad11c19https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html