CVE-2025-40000
Severity:
Pending analysis
Type:
Not available / Other
Publication date:
15/10/2025
Last modified:
16/10/2025
Description
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()

There is a bug observed when rtw89_core_tx_kick_off_and_wait() tries to
access already freed skb_data:

BUG: KFENCE: use-after-free write in rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110

CPU: 6 UID: 0 PID: 41377 Comm: kworker/u64:24 Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20250523-14.fc42 05/23/2025
Workqueue: events_unbound cfg80211_wiphy_work [cfg80211]

Use-after-free write at 0x0000000020309d9d (in kfence-#251):
rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110
rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338
rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979
rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165
rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.h:141
rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012
rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059
rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758
process_one_work kernel/workqueue.c:3241
worker_thread kernel/workqueue.c:3400
kthread kernel/kthread.c:463
ret_from_fork arch/x86/kernel/process.c:154
ret_from_fork_asm arch/x86/entry/entry_64.S:258

kfence-#251: 0x0000000056e2393d-0x000000009943cb62, size=232, cache=skbuff_head_cache

allocated by task 41377 on cpu 6 at 77869.159548s (0.009551s ago):
__alloc_skb net/core/skbuff.c:659
__netdev_alloc_skb net/core/skbuff.c:734
ieee80211_nullfunc_get net/mac80211/tx.c:5844
rtw89_core_send_nullfunc drivers/net/wireless/realtek/rtw89/core.c:3431
rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338
rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979
rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165
rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.c:3194
rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012
rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059
rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758
process_one_work kernel/workqueue.c:3241
worker_thread kernel/workqueue.c:3400
kthread kernel/kthread.c:463
ret_from_fork arch/x86/kernel/process.c:154
ret_from_fork_asm arch/x86/entry/entry_64.S:258

freed by task 1045 on cpu 9 at 77869.168393s (0.001557s ago):
ieee80211_tx_status_skb net/mac80211/status.c:1117
rtw89_pci_release_txwd_skb drivers/net/wireless/realtek/rtw89/pci.c:564
rtw89_pci_release_tx_skbs.isra.0 drivers/net/wireless/realtek/rtw89/pci.c:651
rtw89_pci_release_tx drivers/net/wireless/realtek/rtw89/pci.c:676
rtw89_pci_napi_poll drivers/net/wireless/realtek/rtw89/pci.c:4238
__napi_poll net/core/dev.c:7495
net_rx_action net/core/dev.c:7557 net/core/dev.c:7684
handle_softirqs kernel/softirq.c:580
do_softirq.part.0 kernel/softirq.c:480
__local_bh_enable_ip kernel/softirq.c:407
rtw89_pci_interrupt_threadfn drivers/net/wireless/realtek/rtw89/pci.c:927
irq_thread_fn kernel/irq/manage.c:1133
irq_thread kernel/irq/manage.c:1257
kthread kernel/kthread.c:463
ret_from_fork arch/x86/kernel/process.c:154
ret_from_fork_asm arch/x86/entry/entry_64.S:258

It is a consequence of a race between the waiting and the signaling side
of the completion:

Waiting thread                                Completing thread

rtw89_core_tx_kick_off_and_wait()
  rcu_assign_pointer(skb_data->wait, wait)
  /* start waiting */
  wait_for_completion_timeout()
                                              rtw89_pci_tx_status()
                                                rtw89_core_tx_wait_complete()
                                                  rcu_read_lock()
                                                  /* signals completion and

---truncated---
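The description above stops before it shows how the race resolves, and it does not state the fix, so the following is an added user-space model of the general hazard rather than rtw89 code or the actual kernel patch: a wait object that the waiting side and the completing side share. The waiter may time out and leave before the completer signals, or the completer may signal before the waiter reads the result; if either side frees the object on its own, the late side touches freed memory. The model gives each side its own reference and lets the last one tear the object down, so both orderings are safe. All names (tx_wait, wait_tx, complete_tx, freed_count) and the status value 7 are constructed for this example; the two orderings are forced sequentially so the outcome is deterministic.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <time.h>

/* Illustrative user-space model, not rtw89 code: a completion-style wait
 * object whose lifetime is shared by the waiter and the completer through a
 * reference count. All names (tx_wait, wait_tx, complete_tx, ...) are invented. */

static atomic_int g_freed;  /* number of wait objects actually freed */

struct tx_wait {
    pthread_mutex_t mu;
    pthread_cond_t cv;
    atomic_int refs;        /* one reference for the waiter, one for the completer */
    int done;               /* set by the completer, read by the waiter, under mu */
    int tx_status;          /* value the waiter wants to read after completion */
};

static struct tx_wait *tx_wait_new(void)
{
    struct tx_wait *w = calloc(1, sizeof(*w));
    if (!w)
        abort();
    pthread_mutex_init(&w->mu, NULL);
    pthread_cond_init(&w->cv, NULL);
    atomic_store(&w->refs, 2);
    return w;
}

/* Drop one reference; whoever drops the last one tears the object down. */
static void tx_wait_put(struct tx_wait *w)
{
    if (atomic_fetch_sub(&w->refs, 1) == 1) {
        pthread_cond_destroy(&w->cv);
        pthread_mutex_destroy(&w->mu);
        free(w);
        atomic_fetch_add(&g_freed, 1);
    }
}

/* Completing side: publish the status, wake the waiter, drop our reference.
 * After tx_wait_put() this side must not touch w again. */
static void complete_tx(struct tx_wait *w, int status)
{
    pthread_mutex_lock(&w->mu);
    w->tx_status = status;
    w->done = 1;
    pthread_cond_broadcast(&w->cv);
    pthread_mutex_unlock(&w->mu);
    tx_wait_put(w);
}

/* Waiting side: block for up to timeout_ms; return the status or -ETIMEDOUT.
 * Every read of w happens before the waiter drops its own reference. */
static int wait_tx(struct tx_wait *w, long timeout_ms)
{
    struct timespec deadline;
    clock_gettime(CLOCK_REALTIME, &deadline);
    deadline.tv_sec += timeout_ms / 1000;
    deadline.tv_nsec += (timeout_ms % 1000) * 1000000L;
    if (deadline.tv_nsec >= 1000000000L) {
        deadline.tv_sec++;
        deadline.tv_nsec -= 1000000000L;
    }

    pthread_mutex_lock(&w->mu);
    while (!w->done) {
        if (pthread_cond_timedwait(&w->cv, &w->mu, &deadline) == ETIMEDOUT)
            break;
    }
    int ret = w->done ? w->tx_status : -ETIMEDOUT;
    pthread_mutex_unlock(&w->mu);
    tx_wait_put(w);
    return ret;
}

/* Ordering 1: the completion lands before the waiter gives up. */
static int scenario_complete_first(void)
{
    struct tx_wait *w = tx_wait_new();
    complete_tx(w, 7);
    return wait_tx(w, 50);
}

/* Ordering 2: the waiter times out and leaves first, the completer signals
 * later; the completer's own reference keeps the object valid until then. */
static int scenario_timeout_first(void)
{
    struct tx_wait *w = tx_wait_new();
    int ret = wait_tx(w, 10);
    complete_tx(w, 7);
    return ret;
}

static int freed_count(void) { return atomic_load(&g_freed); }
```

The point to check in a review of any wait-with-timeout path is the one this model makes explicit: after the waiter's timeout returns, who still owns the object, and can the signaling side free or touch it after the waiter has moved on? Tracking that ownership with a reference per participant, rather than tying the wait object's lifetime to a buffer that one side releases, removes the window in which the kfence report above was produced.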