CVE-2025-21813 (GCVE-0-2025-21813)

Vulnerability from cvelistv5 – Published: 2025-02-27 20:04 – Updated: 2025-05-04 07:21
VLAI?
Title
timers/migration: Fix off-by-one root mis-connection
Summary
In the Linux kernel, the following vulnerability has been resolved: timers/migration: Fix off-by-one root mis-connection Before attaching a new root to the old root, the children counter of the new root is checked to verify that only the upcoming CPU's top group have been connected to it. However since the recently added commit b729cc1ec21a ("timers/migration: Fix another race between hotplug and idle entry/exit") this check is not valid anymore because the old root is pre-accounted as a child to the new root. Therefore after connecting the upcoming CPU's top group to the new root, the children count to be expected must be 2 and not 1 anymore. This omission results in the old root to not be connected to the new root. Then eventually the system may run with more than one top level, which defeats the purpose of a single idle migrator. Also the old root is pre-accounted but not connected upon the new root creation. But it can be connected to the new root later on. Therefore the old root may be accounted twice to the new root. The propagation of such overcommit can end up creating a double final top-level root with a groupmask incorrectly initialized. Although harmless given that the final top level roots will never have a parent to walk up to, this oddity opportunistically reported the core issue: WARNING: CPU: 8 PID: 0 at kernel/time/timer_migration.c:543 tmigr_requires_handle_remote CPU: 8 UID: 0 PID: 0 Comm: swapper/8 RIP: 0010:tmigr_requires_handle_remote Call Trace: <IRQ> ? tmigr_requires_handle_remote ? hrtimer_run_queues update_process_times tick_periodic tick_handle_periodic __sysvec_apic_timer_interrupt sysvec_apic_timer_interrupt </IRQ> Fix the problem by taking the old root into account in the children count of the new root so the connection is not omitted. Also warn when more than one top level group exists to better detect similar issues in the future.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 12ead225b7996252a8bc1a49b03aad57c0794880 , < c6dd70e5b465a2b77c7a7c3d868736d302e29aec (git)
Affected: b729cc1ec21a5899b7879ccfbe1786664928d597 , < 6f449d8fa1808a7f9ee644866bbc079285dbefdd (git)
Affected: b729cc1ec21a5899b7879ccfbe1786664928d597 , < 868c9037df626b3c245ee26a290a03ae1f9f58d3 (git)
Create a notification for this product.
    Linux Linux Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 6.12.14 , ≤ 6.12.* (semver)
Unaffected: 6.13.3 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/time/timer_migration.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c6dd70e5b465a2b77c7a7c3d868736d302e29aec",
              "status": "affected",
              "version": "12ead225b7996252a8bc1a49b03aad57c0794880",
              "versionType": "git"
            },
            {
              "lessThan": "6f449d8fa1808a7f9ee644866bbc079285dbefdd",
              "status": "affected",
              "version": "b729cc1ec21a5899b7879ccfbe1786664928d597",
              "versionType": "git"
            },
            {
              "lessThan": "868c9037df626b3c245ee26a290a03ae1f9f58d3",
              "status": "affected",
              "version": "b729cc1ec21a5899b7879ccfbe1786664928d597",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/time/timer_migration.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "6.12.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntimers/migration: Fix off-by-one root mis-connection\n\nBefore attaching a new root to the old root, the children counter of the\nnew root is checked to verify that only the upcoming CPU\u0027s top group have\nbeen connected to it. However since the recently added commit b729cc1ec21a\n(\"timers/migration: Fix another race between hotplug and idle entry/exit\")\nthis check is not valid anymore because the old root is pre-accounted\nas a child to the new root. Therefore after connecting the upcoming\nCPU\u0027s top group to the new root, the children count to be expected must\nbe 2 and not 1 anymore.\n\nThis omission results in the old root to not be connected to the new\nroot. Then eventually the system may run with more than one top level,\nwhich defeats the purpose of a single idle migrator.\n\nAlso the old root is pre-accounted but not connected upon the new root\ncreation. But it can be connected to the new root later on. Therefore\nthe old root may be accounted twice to the new root. The propagation of\nsuch overcommit can end up creating a double final top-level root with a\ngroupmask incorrectly initialized. Although harmless given that the final\ntop level roots will never have a parent to walk up to, this oddity\nopportunistically reported the core issue:\n\n  WARNING: CPU: 8 PID: 0 at kernel/time/timer_migration.c:543 tmigr_requires_handle_remote\n  CPU: 8 UID: 0 PID: 0 Comm: swapper/8\n  RIP: 0010:tmigr_requires_handle_remote\n  Call Trace:\n   \u003cIRQ\u003e\n   ? tmigr_requires_handle_remote\n   ? hrtimer_run_queues\n   update_process_times\n   tick_periodic\n   tick_handle_periodic\n   __sysvec_apic_timer_interrupt\n   sysvec_apic_timer_interrupt\n  \u003c/IRQ\u003e\n\nFix the problem by taking the old root into account in the children count\nof the new root so the connection is not omitted.\n\nAlso warn when more than one top level group exists to better detect\nsimilar issues in the future."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:43.981Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c6dd70e5b465a2b77c7a7c3d868736d302e29aec"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f449d8fa1808a7f9ee644866bbc079285dbefdd"
        },
        {
          "url": "https://git.kernel.org/stable/c/868c9037df626b3c245ee26a290a03ae1f9f58d3"
        }
      ],
      "title": "timers/migration: Fix off-by-one root mis-connection",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21813",
    "datePublished": "2025-02-27T20:04:13.433Z",
    "dateReserved": "2024-12-29T08:45:45.774Z",
    "dateUpdated": "2025-05-04T07:21:43.981Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21813\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-02-27T20:16:03.883\",\"lastModified\":\"2025-10-28T02:54:59.480\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntimers/migration: Fix off-by-one root mis-connection\\n\\nBefore attaching a new root to the old root, the children counter of the\\nnew root is checked to verify that only the upcoming CPU\u0027s top group have\\nbeen connected to it. However since the recently added commit b729cc1ec21a\\n(\\\"timers/migration: Fix another race between hotplug and idle entry/exit\\\")\\nthis check is not valid anymore because the old root is pre-accounted\\nas a child to the new root. Therefore after connecting the upcoming\\nCPU\u0027s top group to the new root, the children count to be expected must\\nbe 2 and not 1 anymore.\\n\\nThis omission results in the old root to not be connected to the new\\nroot. Then eventually the system may run with more than one top level,\\nwhich defeats the purpose of a single idle migrator.\\n\\nAlso the old root is pre-accounted but not connected upon the new root\\ncreation. But it can be connected to the new root later on. Therefore\\nthe old root may be accounted twice to the new root. The propagation of\\nsuch overcommit can end up creating a double final top-level root with a\\ngroupmask incorrectly initialized. Although harmless given that the final\\ntop level roots will never have a parent to walk up to, this oddity\\nopportunistically reported the core issue:\\n\\n  WARNING: CPU: 8 PID: 0 at kernel/time/timer_migration.c:543 tmigr_requires_handle_remote\\n  CPU: 8 UID: 0 PID: 0 Comm: swapper/8\\n  RIP: 0010:tmigr_requires_handle_remote\\n  Call Trace:\\n   \u003cIRQ\u003e\\n   ? tmigr_requires_handle_remote\\n   ? hrtimer_run_queues\\n   update_process_times\\n   tick_periodic\\n   tick_handle_periodic\\n   __sysvec_apic_timer_interrupt\\n   sysvec_apic_timer_interrupt\\n  \u003c/IRQ\u003e\\n\\nFix the problem by taking the old root into account in the children count\\nof the new root so the connection is not omitted.\\n\\nAlso warn when more than one top level group exists to better detect\\nsimilar issues in the future.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: timers/migration: Fix another race between hotplug and idle entry/exit (temporizadores/migraci\u00f3n: Arreglar otra ejecuci\u00f3n entre hotplug y entrada/salida inactiva) Antes de adjuntar una nueva ra\u00edz a la ra\u00edz anterior, se comprueba el contador de hijos de la nueva ra\u00edz para verificar que solo el grupo superior de la pr\u00f3xima CPU se haya conectado a ella. Sin embargo, desde el commit b729cc1ec21a agregada recientemente (\\\"timers/migration: Fix another race between hotplug and idle entry/exit\\\"), esta comprobaci\u00f3n ya no es v\u00e1lida porque la ra\u00edz anterior se contabiliza previamente como un hijo de la nueva ra\u00edz. Por lo tanto, despu\u00e9s de conectar el grupo superior de la pr\u00f3xima CPU a la nueva ra\u00edz, el recuento de hijos que se espera debe ser 2 y no 1. Esta omisi\u00f3n da como resultado que la ra\u00edz anterior no se conecte a la nueva ra\u00edz. Luego, eventualmente, el sistema puede ejecutarse con m\u00e1s de un nivel superior, lo que frustra el prop\u00f3sito de un solo migrador inactivo. Adem\u00e1s, la ra\u00edz anterior se contabiliza previamente pero no se conecta al momento de la creaci\u00f3n de la nueva ra\u00edz. Pero se puede conectar a la nueva ra\u00edz m\u00e1s adelante. Por lo tanto, la ra\u00edz antigua puede contabilizarse dos veces para la nueva ra\u00edz. La propagaci\u00f3n de dicha sobreasignaci\u00f3n puede terminar creando una ra\u00edz de nivel superior final doble con una m\u00e1scara de grupo inicializada incorrectamente. Aunque es inofensiva dado que las ra\u00edces de nivel superior finales nunca tendr\u00e1n un padre al que llegar, esta rareza inform\u00f3 oportunistamente el problema principal: ADVERTENCIA: CPU: 8 PID: 0 at kernel/time/timer_migration.c:543 tmigr_requires_handle_remote CPU: 8 UID: 0 PID: 0 Comm: swapper/8 RIP: 0010:tmigr_requires_handle_remote Call Trace:  ? tmigr_requires_handle_remote ? hrtimer_run_queues update_process_times tick_periodic tick_handle_periodic __sysvec_apic_timer_interrupt sysvec_apic_timer_interrupt  Solucione el problema teniendo en cuenta la ra\u00edz antigua en el recuento de hijos de la nueva ra\u00edz para que no se omita la conexi\u00f3n. Tambi\u00e9n advierta cuando exista m\u00e1s de un grupo de nivel superior para detectar mejor problemas similares en el futuro.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-193\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.12.11\",\"versionEndExcluding\":\"6.12.14\",\"matchCriteriaId\":\"025396BC-7DE1-42A8-B0FD-73C6932699C8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13.1\",\"versionEndExcluding\":\"6.13.3\",\"matchCriteriaId\":\"6F2280A3-25EA-474E-A52E-C24AE65A2B00\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"5A3F9505-6B98-4269-8B81-127E55A1BF00\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"186716B6-2B66-4BD0-852E-D48E71C0C85F\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/6f449d8fa1808a7f9ee644866bbc079285dbefdd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/868c9037df626b3c245ee26a290a03ae1f9f58d3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c6dd70e5b465a2b77c7a7c3d868736d302e29aec\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.