CVE-2025-38323
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
10/07/2025
Last modified:
10/07/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net: atm: add lec_mutex<br />
<br />
syzbot found its way in net/atm/lec.c, and found an error path<br />
in lecd_attach() could leave a dangling pointer in dev_lec[].<br />
<br />
Add a mutex to protect dev_lecp[] uses from lecd_attach(),<br />
lec_vcc_attach() and lec_mcast_attach().<br />
<br />
Following patch will use this mutex for /proc/net/atm/lec.<br />
<br />
BUG: KASAN: slab-use-after-free in lecd_attach net/atm/lec.c:751 [inline]<br />
BUG: KASAN: slab-use-after-free in lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008<br />
Read of size 8 at addr ffff88807c7b8e68 by task syz.1.17/6142<br />
<br />
CPU: 1 UID: 0 PID: 6142 Comm: syz.1.17 Not tainted 6.16.0-rc1-syzkaller-00239-g08215f5486ec #0 PREEMPT(full)<br />
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025<br />
Call Trace:<br />
<br />
__dump_stack lib/dump_stack.c:94 [inline]<br />
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120<br />
print_address_description mm/kasan/report.c:408 [inline]<br />
print_report+0xcd/0x680 mm/kasan/report.c:521<br />
kasan_report+0xe0/0x110 mm/kasan/report.c:634<br />
lecd_attach net/atm/lec.c:751 [inline]<br />
lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008<br />
do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159<br />
sock_do_ioctl+0x118/0x280 net/socket.c:1190<br />
sock_ioctl+0x227/0x6b0 net/socket.c:1311<br />
vfs_ioctl fs/ioctl.c:51 [inline]<br />
__do_sys_ioctl fs/ioctl.c:907 [inline]<br />
__se_sys_ioctl fs/ioctl.c:893 [inline]<br />
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893<br />
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br />
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94<br />
entry_SYSCALL_64_after_hwframe+0x77/0x7f<br />
<br />
<br />
Allocated by task 6132:<br />
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47<br />
kasan_save_track+0x14/0x30 mm/kasan/common.c:68<br />
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]<br />
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394<br />
kasan_kmalloc include/linux/kasan.h:260 [inline]<br />
__do_kmalloc_node mm/slub.c:4328 [inline]<br />
__kvmalloc_node_noprof+0x27b/0x620 mm/slub.c:5015<br />
alloc_netdev_mqs+0xd2/0x1570 net/core/dev.c:11711<br />
lecd_attach net/atm/lec.c:737 [inline]<br />
lane_ioctl+0x17db/0x23e0 net/atm/lec.c:1008<br />
do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159<br />
sock_do_ioctl+0x118/0x280 net/socket.c:1190<br />
sock_ioctl+0x227/0x6b0 net/socket.c:1311<br />
vfs_ioctl fs/ioctl.c:51 [inline]<br />
__do_sys_ioctl fs/ioctl.c:907 [inline]<br />
__se_sys_ioctl fs/ioctl.c:893 [inline]<br />
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893<br />
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br />
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94<br />
entry_SYSCALL_64_after_hwframe+0x77/0x7f<br />
<br />
Freed by task 6132:<br />
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47<br />
kasan_save_track+0x14/0x30 mm/kasan/common.c:68<br />
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576<br />
poison_slab_object mm/kasan/common.c:247 [inline]<br />
__kasan_slab_free+0x51/0x70 mm/kasan/common.c:264<br />
kasan_slab_free include/linux/kasan.h:233 [inline]<br />
slab_free_hook mm/slub.c:2381 [inline]<br />
slab_free mm/slub.c:4643 [inline]<br />
kfree+0x2b4/0x4d0 mm/slub.c:4842<br />
free_netdev+0x6c5/0x910 net/core/dev.c:11892<br />
lecd_attach net/atm/lec.c:744 [inline]<br />
lane_ioctl+0x1ce8/0x23e0 net/atm/lec.c:1008<br />
do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159<br />
sock_do_ioctl+0x118/0x280 net/socket.c:1190<br />
sock_ioctl+0x227/0x6b0 net/socket.c:1311<br />
vfs_ioctl fs/ioctl.c:51 [inline]<br />
__do_sys_ioctl fs/ioctl.c:907 [inline]<br />
__se_sys_ioctl fs/ioctl.c:893 [inline]<br />
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/17e156a94e94a906a570dbf9b48877956c60bef8
- https://git.kernel.org/stable/c/18e8f0c4f826fb08c2d3825cdd6c57e24b207e0a
- https://git.kernel.org/stable/c/64b378db28a967f7b271b055380c2360279aa424
- https://git.kernel.org/stable/c/a7a713dfb5f9477345450f27c7c0741864511192
- https://git.kernel.org/stable/c/d13a3824bfd2b4774b671a75cf766a16637a0e67
- https://git.kernel.org/stable/c/dffd03422ae6a459039c8602f410e6c0f4cbc6c8
- https://git.kernel.org/stable/c/e91274cc7ed88ab5bdc62d426067c82b0b118a0b
- https://git.kernel.org/stable/c/f4d80b16ecc4229f7e6345158ef34c36be323f0e