cve/2025/CVE-2025-23138.md
2025-09-29 21:09:30 +02:00

CVE-2025-23138

Description

In the Linux kernel, the following vulnerability has been resolved:

watch_queue: fix pipe accounting mismatch

Currently, watch_queue_set_size() modifies the pipe buffers charged to user->pipe_bufs without updating the pipe->nr_accounted on the pipe itself, due to the if (!pipe_has_watch_queue()) test in pipe_resize_ring(). This means that when the pipe is ultimately freed, we decrement user->pipe_bufs by something other than what we had charged to it, potentially leading to an underflow. This in turn can cause subsequent too_many_pipe_buffers_soft() tests to fail with -EPERM.

To remedy this, explicitly account for the pipe usage in watch_queue_set_size() to match the number set via account_pipe_buffers().

(It's unclear why watch_queue_set_size() does not update nr_accounted; it may be due to intentional overprovisioning in watch_queue_set_size()?)
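The accounting mismatch described above, as an added userspace model (not kernel source and not part of the original entry): function and field names follow the description, while the function bodies, the initial charge of 16 buffers and the soft limit are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: names follow the CVE description, bodies are assumed. */
struct user { unsigned long pipe_bufs; };   /* buffers charged to the user */
struct pipe { struct user *user; unsigned long nr_accounted; bool has_watch_queue; };
#define SOFT_LIMIT 16384UL                  /* constructed soft limit for the model */

static void account_pipe_buffers(struct user *u, unsigned long old, unsigned long new_)
{
    u->pipe_bufs += new_ - old;   /* unsigned wrap stands in for the underflow */
}

bool too_many_pipe_buffers_soft(unsigned long user_bufs)
{
    return user_bufs > SOFT_LIMIT;   /* true: the next pipe request gets -EPERM */
}

static void pipe_resize_ring(struct pipe *p, unsigned long nr_slots)
{
    if (!p->has_watch_queue)         /* the test named in the description */
        p->nr_accounted = nr_slots;
}

static void watch_queue_set_size(struct pipe *p, unsigned long nr_pages, bool fixed)
{
    account_pipe_buffers(p->user, p->nr_accounted, nr_pages);
    pipe_resize_ring(p, nr_pages);   /* leaves nr_accounted alone for watch queues */
    if (fixed)
        p->nr_accounted = nr_pages;  /* the explicit accounting added by the fix */
}

/* Charge `initial`, resize to `nr_pages`, free; return what stays charged (0 = balanced). */
unsigned long charge_after_free(unsigned long initial, unsigned long nr_pages, bool fixed)
{
    struct user u = { 0 };
    struct pipe p = { &u, initial, true };
    account_pipe_buffers(&u, 0, initial);          /* charge at pipe creation */
    watch_queue_set_size(&p, nr_pages, fixed);
    account_pipe_buffers(&u, p.nr_accounted, 0);   /* free path uses nr_accounted */
    return u.pipe_bufs;
}

int main(void)
{
    unsigned long bad = charge_after_free(16, 4, false), ok = charge_after_free(16, 4, true);
    printf("unpatched: %lu left (denied=%d), patched: %lu left\n",
           bad, too_many_pipe_buffers_soft(bad), ok);
    return 0;
}
```

Shrinking the queue wraps the counter below zero, while growing it (for example 16 to 32) leaves a stale positive charge instead; both are the same mismatch between user->pipe_bufs and nr_accounted.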

POC

Reference

No PoCs from references.

Github