CVE-2025-38052

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
18/06/2025
Last modified:
18/06/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done

Syzbot reported a slab-use-after-free with the following call trace:

==================================================================
BUG: KASAN: slab-use-after-free in tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840
Read of size 8 at addr ffff88807a733000 by task kworker/1:0/25

Call Trace:
kasan_report+0xd9/0x110 mm/kasan/report.c:601
tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840
crypto_request_complete include/crypto/algapi.h:266
aead_request_complete include/crypto/internal/aead.h:85
cryptd_aead_crypt+0x3b8/0x750 crypto/cryptd.c:772
crypto_request_complete include/crypto/algapi.h:266
cryptd_queue_worker+0x131/0x200 crypto/cryptd.c:181
process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231

Allocated by task 8355:
kzalloc_noprof include/linux/slab.h:778
tipc_crypto_start+0xcc/0x9e0 net/tipc/crypto.c:1466
tipc_init_net+0x2dd/0x430 net/tipc/core.c:72
ops_init+0xb9/0x650 net/core/net_namespace.c:139
setup_net+0x435/0xb40 net/core/net_namespace.c:343
copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508
create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228
ksys_unshare+0x419/0x970 kernel/fork.c:3323
__do_sys_unshare kernel/fork.c:3394

Freed by task 63:
kfree+0x12a/0x3b0 mm/slub.c:4557
tipc_crypto_stop+0x23c/0x500 net/tipc/crypto.c:1539
tipc_exit_net+0x8c/0x110 net/tipc/core.c:119
ops_exit_list+0xb0/0x180 net/core/net_namespace.c:173
cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640
process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231

After the tipc_crypto tx has been freed by deleting the namespace, tipc_aead_encrypt_done
may still visit it in the cryptd_queue_worker workqueue.

I reproduce this issue by:
ip netns add ns1
ip link add veth1 type veth peer name veth2
ip link set veth1 netns ns1
ip netns exec ns1 tipc bearer enable media eth dev veth1
ip netns exec ns1 tipc node set key this_is_a_master_key master
ip netns exec ns1 tipc bearer disable media eth dev veth1
ip netns del ns1

The key to reproduction is that simd_aead_encrypt is interrupted, leading
to crypto_simd_usable() returning false. Thus, the cryptd_queue_worker is
triggered, and the tipc_crypto tx will be visited.

tipc_disc_timeout
tipc_bearer_xmit_skb
tipc_crypto_xmit
tipc_aead_encrypt
crypto_aead_encrypt
// encrypt()
simd_aead_encrypt
// crypto_simd_usable() is false
child = &ctx->cryptd_tfm->base;

simd_aead_encrypt
crypto_aead_encrypt
// encrypt()
cryptd_aead_encrypt_enqueue
cryptd_aead_enqueue
cryptd_enqueue_request
// trigger cryptd_queue_worker
queue_work_on(smp_processor_id(), cryptd_wq, &cpu_queue->work)

Fix this by holding a net reference count before encrypt.
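The ordering that the commit message describes (encrypt deferred to cryptd, namespace torn down, completion handler runs against freed memory) and the fix (pin the net before the asynchronous encrypt, drop it in the completion path) can be replayed in a small userspace model. The following C program is an added example written for this page; it is not Linux kernel code and not taken from the upstream commit. The names setup_net, put_net, tipc_exit_net, tipc_aead_encrypt, tipc_aead_encrypt_done, cryptd_queue_worker and run_scenario are simplified stand-ins chosen to mirror the call trace above, the poison flag stands in for KASAN's detection of a read from freed slab memory, and the hold_ref parameter switches between the vulnerable ordering and the refcount-holding fix.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed userspace model of the race (not kernel code, no real crypto).
 * A namespace object owns a crypto context; an asynchronous completion
 * handler runs later from a work queue. KASAN is modelled by a poison flag:
 * a read of a poisoned object is counted as a use-after-free. */

#define QUEUE_MAX 8

struct tipc_crypto {
    int poisoned;             /* set by the free path; stands in for kfree() */
    unsigned long stats_ok;   /* the field the completion handler updates */
};

struct net {
    int refcnt;               /* models struct net's refcount (get_net/put_net) */
    struct tipc_crypto *tx;   /* models the per-namespace tipc_crypto tx */
};

struct cryptd_req {
    struct tipc_crypto *tx;
    struct net *net_held;     /* non-NULL when the request holds a net reference */
};

static struct cryptd_req cryptd_queue[QUEUE_MAX];
static int cryptd_queue_len;
static int uaf_reads;         /* KASAN-style counter of poisoned reads */
static int last_tx_freed;     /* set by run_scenario: tx was freed by the end */

static struct net *setup_net(void)
{
    struct net *net = calloc(1, sizeof *net);
    net->refcnt = 1;                        /* reference owned by the namespace */
    net->tx = calloc(1, sizeof *net->tx);   /* tipc_crypto_start() */
    return net;
}

/* tipc_crypto_stop() followed by kfree(): the tx memory becomes invalid. */
static void tipc_exit_net(struct net *net)
{
    net->tx->poisoned = 1;
}

static struct net *get_net(struct net *net) { net->refcnt++; return net; }

static void put_net(struct net *net)
{
    if (--net->refcnt == 0)
        tipc_exit_net(net);                 /* cleanup_net() -> ops_exit_list() */
}

/* tipc_aead_encrypt(): the SIMD path is unusable, so the request is queued
 * for cryptd and completes later. With hold_ref the fix is applied: the net
 * is pinned before the asynchronous encrypt so cleanup_net() cannot free tx
 * before the completion handler has run. */
static int tipc_aead_encrypt(struct net *net, int hold_ref)
{
    if (cryptd_queue_len == QUEUE_MAX)
        return -1;
    struct cryptd_req *req = &cryptd_queue[cryptd_queue_len++];
    req->tx = net->tx;
    req->net_held = hold_ref ? get_net(net) : NULL;
    return 0;
}

/* tipc_aead_encrypt_done(): the completion callback touches tx. */
static void tipc_aead_encrypt_done(struct cryptd_req *req)
{
    if (req->tx->poisoned)
        uaf_reads++;                        /* KASAN: slab-use-after-free Read */
    else
        req->tx->stats_ok++;
    if (req->net_held)
        put_net(req->net_held);             /* drop the reference taken before encrypt */
}

/* cryptd_queue_worker(): drains the deferred work queue. */
static void cryptd_queue_worker(void)
{
    for (int i = 0; i < cryptd_queue_len; i++)
        tipc_aead_encrypt_done(&cryptd_queue[i]);
    cryptd_queue_len = 0;
}

/* Replays the reproducer ordering: encrypt queued by the discovery timer,
 * then `ip netns del`, then the cryptd worker runs. Returns the number of
 * use-after-free reads; last_tx_freed records whether tx was freed at all. */
int run_scenario(int hold_ref)
{
    uaf_reads = 0;
    cryptd_queue_len = 0;
    struct net *net = setup_net();
    tipc_aead_encrypt(net, hold_ref);       /* tipc_disc_timeout -> ... -> cryptd enqueue */
    put_net(net);                           /* ip netns del ns1 -> cleanup_net */
    cryptd_queue_worker();                  /* kworker runs the completion */
    last_tx_freed = net->tx->poisoned;      /* no leak: tx must still be released */
    int result = uaf_reads;
    free(net->tx);
    free(net);
    return result;
}

int main(void)
{
    printf("without net reference: %d use-after-free read(s)\n", run_scenario(0));
    printf("with net reference:    %d use-after-free read(s)\n", run_scenario(1));
    return 0;
}
```

The vulnerable run (hold_ref = 0) frees tx when the namespace's only reference is dropped, so the completion handler reads poisoned memory, which is the KASAN report quoted above. In the fixed run the extra reference keeps the object alive across the deferred work and it is released by the completion path, so nothing is leaked either way.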

Impact