CVE-2025-37750
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
01/05/2025
Last modified:
06/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
smb: client: fix UAF in decryption with multichannel<br />
<br />
After commit f7025d861694 ("smb: client: allocate crypto only for<br />
primary server") and commit b0abcd65ec54 ("smb: client: fix UAF in<br />
async decryption"), the channels started reusing AEAD TFM from primary<br />
channel to perform synchronous decryption, but that can&#39;t done as<br />
there could be multiple cifsd threads (one per channel) simultaneously<br />
accessing it to perform decryption.<br />
<br />
This fixes the following KASAN splat when running fstest generic/249<br />
with &#39;vers=3.1.1,multichannel,max_channels=4,seal&#39; against Windows<br />
Server 2022:<br />
<br />
BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xba/0x110<br />
Read of size 8 at addr ffff8881046c18a0 by task cifsd/986<br />
CPU: 3 UID: 0 PID: 986 Comm: cifsd Not tainted 6.15.0-rc1 #1<br />
PREEMPT(voluntary)<br />
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41<br />
04/01/2014<br />
Call Trace:<br />
<br />
dump_stack_lvl+0x5d/0x80<br />
print_report+0x156/0x528<br />
? gf128mul_4k_lle+0xba/0x110<br />
? __virt_addr_valid+0x145/0x300<br />
? __phys_addr+0x46/0x90<br />
? gf128mul_4k_lle+0xba/0x110<br />
kasan_report+0xdf/0x1a0<br />
? gf128mul_4k_lle+0xba/0x110<br />
gf128mul_4k_lle+0xba/0x110<br />
ghash_update+0x189/0x210<br />
shash_ahash_update+0x295/0x370<br />
? __pfx_shash_ahash_update+0x10/0x10<br />
? __pfx_shash_ahash_update+0x10/0x10<br />
? __pfx_extract_iter_to_sg+0x10/0x10<br />
? ___kmalloc_large_node+0x10e/0x180<br />
? __asan_memset+0x23/0x50<br />
crypto_ahash_update+0x3c/0xc0<br />
gcm_hash_assoc_remain_continue+0x93/0xc0<br />
crypt_message+0xe09/0xec0 [cifs]<br />
? __pfx_crypt_message+0x10/0x10 [cifs]<br />
? _raw_spin_unlock+0x23/0x40<br />
? __pfx_cifs_readv_from_socket+0x10/0x10 [cifs]<br />
decrypt_raw_data+0x229/0x380 [cifs]<br />
? __pfx_decrypt_raw_data+0x10/0x10 [cifs]<br />
? __pfx_cifs_read_iter_from_socket+0x10/0x10 [cifs]<br />
smb3_receive_transform+0x837/0xc80 [cifs]<br />
? __pfx_smb3_receive_transform+0x10/0x10 [cifs]<br />
? __pfx___might_resched+0x10/0x10<br />
? __pfx_smb3_is_transform_hdr+0x10/0x10 [cifs]<br />
cifs_demultiplex_thread+0x692/0x1570 [cifs]<br />
? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]<br />
? rcu_is_watching+0x20/0x50<br />
? rcu_lockdep_current_cpu_online+0x62/0xb0<br />
? find_held_lock+0x32/0x90<br />
? kvm_sched_clock_read+0x11/0x20<br />
? local_clock_noinstr+0xd/0xd0<br />
? trace_irq_enable.constprop.0+0xa8/0xe0<br />
? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]<br />
kthread+0x1fe/0x380<br />
? kthread+0x10f/0x380<br />
? __pfx_kthread+0x10/0x10<br />
? local_clock_noinstr+0xd/0xd0<br />
? ret_from_fork+0x1b/0x60<br />
? local_clock+0x15/0x30<br />
? lock_release+0x29b/0x390<br />
? rcu_is_watching+0x20/0x50<br />
? __pfx_kthread+0x10/0x10<br />
ret_from_fork+0x31/0x60<br />
? __pfx_kthread+0x10/0x10<br />
ret_from_fork_asm+0x1a/0x30<br />
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.10.237 (including) | 5.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.181 (including) | 5.16 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1.128 (including) | 6.2 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.6.57 (including) | 6.7 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.11.4 (including) | 6.12.24 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.13.12 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.14 (including) | 6.14.3 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page