CVE-2025-38051
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
18/06/2025
Last modified:
18/06/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
smb: client: Fix use-after-free in cifs_fill_dirent<br />
<br />
There is a race condition in the readdir concurrency process, which may<br />
access the rsp buffer after it has been released, triggering the<br />
following KASAN warning.<br />
<br />
==================================================================<br />
BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]<br />
Read of size 4 at addr ffff8880099b819c by task a.out/342975<br />
<br />
CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)<br />
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014<br />
Call Trace:<br />
<br />
dump_stack_lvl+0x53/0x70<br />
print_report+0xce/0x640<br />
kasan_report+0xb8/0xf0<br />
cifs_fill_dirent+0xb03/0xb60 [cifs]<br />
cifs_readdir+0x12cb/0x3190 [cifs]<br />
iterate_dir+0x1a1/0x520<br />
__x64_sys_getdents+0x134/0x220<br />
do_syscall_64+0x4b/0x110<br />
entry_SYSCALL_64_after_hwframe+0x76/0x7e<br />
RIP: 0033:0x7f996f64b9f9<br />
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89<br />
f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01<br />
f0 ff ff 0d f7 c3 0c 00 f7 d8 64 89 8<br />
RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e<br />
RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9<br />
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003<br />
RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000<br />
R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88<br />
R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000<br />
<br />
<br />
Allocated by task 408:<br />
kasan_save_stack+0x20/0x40<br />
kasan_save_track+0x14/0x30<br />
__kasan_slab_alloc+0x6e/0x70<br />
kmem_cache_alloc_noprof+0x117/0x3d0<br />
mempool_alloc_noprof+0xf2/0x2c0<br />
cifs_buf_get+0x36/0x80 [cifs]<br />
allocate_buffers+0x1d2/0x330 [cifs]<br />
cifs_demultiplex_thread+0x22b/0x2690 [cifs]<br />
kthread+0x394/0x720<br />
ret_from_fork+0x34/0x70<br />
ret_from_fork_asm+0x1a/0x30<br />
<br />
Freed by task 342979:<br />
kasan_save_stack+0x20/0x40<br />
kasan_save_track+0x14/0x30<br />
kasan_save_free_info+0x3b/0x60<br />
__kasan_slab_free+0x37/0x50<br />
kmem_cache_free+0x2b8/0x500<br />
cifs_buf_release+0x3c/0x70 [cifs]<br />
cifs_readdir+0x1c97/0x3190 [cifs]<br />
iterate_dir+0x1a1/0x520<br />
__x64_sys_getdents64+0x134/0x220<br />
do_syscall_64+0x4b/0x110<br />
entry_SYSCALL_64_after_hwframe+0x76/0x7e<br />
<br />
The buggy address belongs to the object at ffff8880099b8000<br />
which belongs to the cache cifs_request of size 16588<br />
The buggy address is located 412 bytes inside of<br />
freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)<br />
<br />
The buggy address belongs to the physical page:<br />
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8<br />
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0<br />
anon flags: 0x80000000000040(head|node=0|zone=1)<br />
page_type: f5(slab)<br />
raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001<br />
raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000<br />
head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001<br />
head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000<br />
head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff<br />
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008<br />
page dumped because: kasan: bad access detected<br />
<br />
Memory state around the buggy address:<br />
ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br />
ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br />
>ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br />
^<br />
ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br />
ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br />
==================================================================<br />
<br />
POC is available in the link [1].<br />
<br />
The problem triggering process is as follows:<br />
<br />
Process 1 Process 2<br />
-----------------------------------<br />
---truncated---
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/1b197931fbc821bc7e9e91bf619400db563e3338
- https://git.kernel.org/stable/c/73cadde98f67f76c5eba00ac0b72c453383cec8b
- https://git.kernel.org/stable/c/9bea368648ac46f8593a780760362e40291d22a9
- https://git.kernel.org/stable/c/9c9aafbacc183598f064902365e107b5e856531f
- https://git.kernel.org/stable/c/a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e
- https://git.kernel.org/stable/c/a7a8fe56e932a36f43e031b398aef92341bf5ea0
- https://git.kernel.org/stable/c/aee067e88d61eb72e966f094e4749c6b14e7008f
- https://git.kernel.org/stable/c/c8623231e0edfcccb7cc6add0288fa0f0594282f