CVE-2025-21652
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
19/01/2025
Last modified:
10/02/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ipvlan: Fix use-after-free in ipvlan_get_iflink().

syzbot presented a use-after-free report [0] regarding ipvlan and
linkwatch.

ipvlan does not hold a refcnt of the lower device unlike vlan and
macvlan.

If the linkwatch work is triggered for the ipvlan dev, the lower dev
might have already been freed, resulting in UAF of ipvlan->phy_dev in
ipvlan_get_iflink().

We can delay the lower dev unregistration like vlan and macvlan by
holding the lower dev's refcnt in dev->netdev_ops->ndo_init() and
releasing it in dev->priv_destructor().

Jakub pointed out calling .ndo_XXX after unregister_netdevice() has
returned is error prone and suggested [1] addressing this UAF in the
core by taking commit 750e51603395 ("net: avoid potential UAF in
default_operstate()") further.

Let's assume unregistering devices DOWN and use RCU protection in
default_operstate() not to race with the device unregistration.

[0]:
BUG: KASAN: slab-use-after-free in ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353
Read of size 4 at addr ffff0000d768c0e0 by task kworker/u8:35/6944

CPU: 0 UID: 0 PID: 6944 Comm: kworker/u8:35 Not tainted 6.13.0-rc2-g9bc5c9515b48 #12 4c3cb9e8b4565456f6a355f312ff91f4f29b3c47
Hardware name: linux,dummy-virt (DT)
Workqueue: events_unbound linkwatch_event
Call trace:
show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:484 (C)
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x16c/0x6f0 mm/kasan/report.c:489
kasan_report+0xc0/0x120 mm/kasan/report.c:602
__asan_report_load4_noabort+0x20/0x30 mm/kasan/report_generic.c:380
ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353
dev_get_iflink+0x7c/0xd8 net/core/dev.c:674
default_operstate net/core/link_watch.c:45 [inline]
rfc2863_policy+0x144/0x360 net/core/link_watch.c:72
linkwatch_do_dev+0x60/0x228 net/core/link_watch.c:175
__linkwatch_run_queue+0x2f4/0x5b8 net/core/link_watch.c:239
linkwatch_event+0x64/0xa8 net/core/link_watch.c:282
process_one_work+0x700/0x1398 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x8c4/0xe10 kernel/workqueue.c:3391
kthread+0x2b0/0x360 kernel/kthread.c:389
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862

Allocated by task 9303:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x30/0x68 mm/kasan/common.c:68
kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4283 [inline]
__kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4289
__kvmalloc_node_noprof+0x9c/0x230 mm/util.c:650
alloc_netdev_mqs+0xb4/0x1118 net/core/dev.c:11209
rtnl_create_link+0x2b8/0xb60 net/core/rtnetlink.c:3595
rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3771
__rtnl_newlink net/core/rtnetlink.c:3896 [inline]
rtnl_newlink+0x122c/0x15c0 net/core/rtnetlink.c:4011
rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6901
netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2542
rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6928
netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]
netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1347
netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1891
sock_sendmsg_nosec net/socket.c:711 [inline]
__sock_sendmsg net/socket.c:726 [inline]
__sys_sendto+0x2ec/0x438 net/socket.c:2197
__do_sys_sendto net/socket.c:2204 [inline]
__se_sys_sendto net/socket.c:2200 [inline]
__arm64_sys_sendto+0xe4/0x110 net/socket.c:2200
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132
do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151
el
---truncated---
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.72 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:* | | |
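The version ranges in the table above, turned into a small checker for `uname -r` style strings. This is an added example, not part of the advisory; the helper names and the regular expression are assumptions, and it knows nothing about distribution backports, so a distro kernel reporting an "affected" upstream version may already carry the fix.

```python
"""Check whether a kernel version string falls inside the vulnerable
ranges listed for CVE-2025-21652 (upstream version numbers only)."""
import re

# Affected upstream ranges from the advisory table: (from, inclusive; up to, exclusive)
AFFECTED_RANGES = [
    ((6, 2, 0), (6, 6, 72)),
    ((6, 7, 0), (6, 12, 10)),
]
# Release candidates the advisory lists individually (6.13-rc1 .. 6.13-rc6)
AFFECTED_RCS = {f"6.13-rc{n}" for n in range(1, 7)}

# Matches "6.12.9", "6.13-rc3" or "6.13.0-rc3"; a trailing distro suffix
# such as "-amd64" or "-generic" is simply left unmatched and ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_version(text):
    """Return (major, minor, patch, rc); rc is None for a final release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else None)


def is_affected(text):
    """True if the upstream version is inside a vulnerable range from the table."""
    major, minor, patch, rc = parse_version(text)
    if rc is not None:
        # Release candidates are only affected when the advisory lists them explicitly.
        return f"{major}.{minor}-rc{rc}" in AFFECTED_RCS
    version = (major, minor, patch)
    return any(low <= version < high for low, high in AFFECTED_RANGES)


if __name__ == "__main__":
    import platform
    running = platform.release()  # same string as `uname -r`
    print(running, "affected" if is_affected(running) else "not in the listed ranges")
```

For distribution kernels, confirm with the vendor's changelog or package tracker rather than the bare version number.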